Package: openarena
Version: 0.7.7+dfsg1-1
Severity: grave
Tags: security patch
Justification: user security hole

ioquake3 1.36+svn1946-4 fixes a security vulnerability. In the stable and
oldstable distributions, the same code is present in the openarena package.

Mitigation: do not allow auto-downloading, and do not install untrusted mods.

From the advisory:

> Malicious gamecode can Execute arbitrary code outside of
> Q3 Virtual Machine context
> ========================================
>
> This bug has been discovered by /dev/humancontroller.
>
> * details
>
> The Quake3 engine uses game-specific code that is provided in a platform
> independent bytecode format. This code has restricted access to
> functionality provided by the engine. It should not be allowed access to
> data outside the VM context.
> Over the course of gameplay, the quake3 engine may dynamically load DLL
> files in certain configurations. For instance, if vm_ui is set to "0" quake3
> tries to open a DLL file to load the game logic behind the user interface.
>
> Part of the functionality offered to VM logic is the possibility to write to
> files within the quake3 directory. By writing a malicious DLL file, a
> program residing in the VM could trigger the execution of code outside the VM
> context.
> To prevent this from happening, ioquake3 introduced a file extension check
> in r1499 which denied writing files with certain names. However, this check
> was broken and corrected in r2098 only.
>
> This security issue has been around for a long time even in the original
> quake3 engine and is not limited to ioquake3.
> It affects a wide range of commercial games as well. It is only exploitable
> if a user installs 3rd party addons from untrusted sources.
> Quake3 was never really designed to be secure against malicious 3rd party
> content, and probably isn't even in latest revisions of ioquake3. So
> downloading of untrusted content is still discouraged.
>
> * CVE
>
> CVE-2011-2764 has been assigned for this issue.
>
> * severity
>
> medium
>
> * affected OS
>
> All OS with dynamic linker
>
> * games affected
>
> All games using the quake3 engine
>
> * workaround
>
> Don't download and install untrusted addons. Set cl_allowdownload to 0
>
> * patches
>
> Several distributors have already been contacted and have prepared patches
> for their distributions.
> A sourcecode patch can be got here:
>
> http://thilo.tjps.eu/download/patches/ioq3-svn-r2098.diff
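
The advisory describes a check that refuses VM-initiated writes to files the dynamic linker would load. The following is an added example of such a write-time gate, not the ioquake3 r2098 patch and not code from the advisory. The function names, the extension list and the file names used to exercise it are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Extensions a dynamic linker will load. Constructed list for this example. */
static const char *const blocked_ext[] = { ".dll", ".so", ".dylib" };

/* Case-insensitive test: does name end with suffix? The leading dot is part
 * of the suffix, so both sides of the comparison use the same convention. */
static int ends_with_nocase(const char *name, const char *suffix)
{
    size_t n = strlen(name), s = strlen(suffix);
    if (s > n)
        return 0;
    name += n - s;
    for (size_t i = 0; i < s; i++) {
        if (tolower((unsigned char)name[i]) !=
            tolower((unsigned char)suffix[i]))
            return 0;
    }
    return 1;
}

/* Hypothetical gate to call before opening any file for writing on behalf
 * of VM code. Returns 1 if the write may proceed, 0 if it must be refused.
 * Missing or empty names are refused, so the check fails closed. */
int vm_write_name_allowed(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    for (size_t i = 0; i < sizeof blocked_ext / sizeof blocked_ext[0]; i++) {
        if (ends_with_nocase(name, blocked_ext[i]))
            return 0;
    }
    return 1;
}
```

A check like this needs unit tests with both accepted and rejected names, so that a comparison that never matches is caught before release.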