Your message dated Thu, 28 Jul 2011 14:18:13 +0100
with message-id <20110728131813.gb12...@reptile.pseudorandom.co.uk>
and subject line Re: Bug#635731: Acknowledgement (ioquake3: CVE-2011-1412 
remote shell injection on clients connecting to a malicious server)
has caused the Debian Bug report #635731,
regarding ioquake3: CVE-2011-1412 remote shell injection on clients connecting 
to a malicious server
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
635731: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635731
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ioquake3
Version: 1.36+svn1946-1
Severity: grave
Tags: patch security pending
Justification: user security hole

ioquake3 1.36+svn1946-4 fixes a serious vulnerability. openarena in Debian
stable is not vulnerable to this.

From the advisory:

> This bug has been discovered by /dev/humancontroller. Parts of the
> description here are also by him.
> 
>  * details
> 
> If an ioQuake3 client for UNIX-like systems connects to a malicious id Tech
> 3 (Point Release 1.32 compatible) server, the server can force execution of
> arbitrary shell commands on the client's system.
> 
>  * CVE
> 
> CVE-2011-1412 has been assigned for this issue.
> 
>  * severity
> 
> high
> 
>  * affected OS
> 
> All UNIXoid systems, except MacOSX:
>  - Linux
>  - FreeBSD
>  - NetBSD
>  - [...]
> 
> Not affected:
>  - Windows
>  - MacOSX
> 
>  * games affected
> 
>  - IoQuake3 after revision 1773 and before 2097
>  - World of Padman 1.5.1
>  - OpenArena packaged by some Linux distributors
> 
> Other game engines based on the ioQuake3 codebase, that have merged ioQuake3
> revision 1773, but not 2097, are also vulnerable.
> 
>  * workaround
> 
> No workaround.
> 
>  * proof of concept
> 
> Launch an ioQuake3 game server. Set the fs_game cvar to "`echo
> TROLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLO
> > trollme.txt`". Connect to the server with a recent ioQuake3 client for
> UNIX-like systems. The client should (after failing to create a directory
> with an overly long name) execute a shell command to write a file.
> 
>  * patches
> 
> Several distributors have already been contacted and have prepared patches
> for their distributions.
> A sourcecode patch can be got here:
> 
>   http://thilo.tjps.eu/download/patches/ioq3-svn-r2097.diff



--- End Message ---
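
An added example, not part of the advisory, the bug report or the ioquake3 patch: a C sketch of the two defensive steps this class of bug calls for, assuming the injection arises when server-supplied text such as fs_game is placed in a command string that a shell parses. The names gamedir_is_safe, run_noshell and MAX_GAMEDIR are hypothetical, and the sample value is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_GAMEDIR 64 /* assumed limit, not taken from the advisory */

/* Allowlist check for a server-supplied directory name (hypothetical helper):
 * 1..MAX_GAMEDIR bytes of [A-Za-z0-9._-], and never "." or "..". */
int gamedir_is_safe(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > MAX_GAMEDIR) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok) return 0;
    }
    return 1;
}

/* Run argv[0] with fork/execvp instead of system(): each argv element reaches
 * the helper as literal bytes, so no shell ever parses untrusted text.
 * Returns the helper's exit status, or -1 on failure. */
int run_noshell(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample value shaped like the advisory's fs_game string. */
    char untrusted[] = "`echo hi`";
    char *cmp[] = { "test", untrusted, "=", "hi", NULL };
    printf("safe name? %d\n", gamedir_is_safe(untrusted)); /* rejected */
    /* test(1) sees the literal backticks, so the comparison fails. */
    printf("test exit: %d\n", run_noshell(cmp));
    return 0;
}
```

Either step alone closes the path: the allowlist rejects the value before it is used, and the argv-based exec keeps any value that does get through from being interpreted as shell syntax.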
--- Begin Message ---
Version: 1.36+svn1946-4

This was fixed in 1.36+svn1946-4, but I didn't have a bug number when I
prepared that upload before the embargo date.


--- End Message ---
