Your message dated Thu, 28 Jul 2011 14:21:30 +0100
with message-id <20110728132130.gc12...@reptile.pseudorandom.co.uk>
and subject line Re: Bug#635733: openarena: CVE-2011-2764 arbitrary code
execution by malicious gamecode
has caused the Debian Bug report #635733,
regarding openarena: CVE-2011-2764 arbitrary code execution by malicious
gamecode
to be marked as done.
--
635733: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635733
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openarena
Version: 0.7.7+dfsg1-1
Severity: grave
Tags: security patch
Justification: user security hole
ioquake3 1.36+svn1946-4 fixes a security vulnerability. In the stable and
oldstable distributions, the same code is present in the openarena package.
Mitigation: do not allow auto-downloading, and do not install untrusted mods.
From the advisory:
> Malicious gamecode can Execute arbitrary code outside of
> Q3 Virtual Machine context
> ========================================
>
> This bug has been discovered by /dev/humancontroller.
>
> * details
>
> The Quake3 engine uses game-specific code that is provided in a platform
> independent bytecode format. This code has restricted access to
> functionality provided by the engine. It should not be allowed access to
> data outside the VM context.
> Over the course of gameplay, the quake3 engine may dynamically load DLL
> files in certain configurations. For instance, if vm_ui is set to "0" quake3
> tries to open a DLL file to load the game logic behind the user interface.
>
> Part of the functionality offered to VM logic is the possibility to write to
> files within the quake3 directory. By writing a malicious DLL file, a
> program residing in the VM could trigger the execution of code outside the VM
> context.
> To prevent this from happening, ioquake3 introduced a file extension check
> in r1499 which denied writing files with certain names. However, this check
> was broken and corrected in r2098 only.
>
> This security issue has been around for a long time even in the original
> quake3 engine and is not limited to ioquake3.
> It affects a wide range of commercial games as well. It is only exploitable
> if a user installs 3rd party addons from untrusted sources.
> Quake3 was never really designed to be secure against malicious 3rd party
> content, and probably isn't even in latest revisions of ioquake3. So
> downloading of untrusted content is still discouraged.
>
> * CVE
>
> CVE-2011-2764 has been assigned for this issue.
>
> * severity
>
> medium
>
> * affected OS
>
> All OS with dynamic linker
>
> * games affected
>
> All games using the quake3 engine
>
> * workaround
>
> Don't download and install untrusted addons. Set cl_allowdownload to 0
>
> * patches
>
> Several distributors have already been contacted and have prepared patches
> for their distributions.
> A sourcecode patch can be got here:
>
> http://thilo.tjps.eu/download/patches/ioq3-svn-r2098.diff
--- End Message ---
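An added illustration of the kind of write-path extension check the quoted advisory describes. It is not ioquake3's code and not part of the original messages. The function names and the deny-list of suffixes are assumptions made for this sketch.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed deny-list of dynamic-library suffixes (an assumption,
 * not taken from the advisory or from ioquake3). */
static const char *const blocked_ext[] = { ".dll", ".so", ".dylib" };

/* Case-insensitive: do the first n bytes of name end with suffix?
 * Returns false instead of reading out of bounds when name is shorter. */
static bool ends_with_nocase(const char *name, size_t n, const char *suffix)
{
    size_t s = strlen(suffix);
    if (s > n)
        return false;
    for (size_t i = 0; i < s; i++) {
        unsigned char a = (unsigned char)name[n - s + i];
        unsigned char b = (unsigned char)suffix[i];
        if (tolower(a) != tolower(b))
            return false;
    }
    return true;
}

/* Hypothetical gate run before a VM-requested path is opened for writing. */
bool vm_write_allowed(const char *path)
{
    if (path == NULL)
        return false;
    size_t n = strlen(path);
    /* Windows drops trailing dots and spaces, so "ui.dll." lands as "ui.dll". */
    while (n > 0 && (path[n - 1] == '.' || path[n - 1] == ' '))
        n--;
    if (n == 0)
        return false;
    for (size_t i = 0; i < sizeof blocked_ext / sizeof blocked_ext[0]; i++) {
        if (ends_with_nocase(path, n, blocked_ext[i]))
            return false;
    }
    return true;
}
```

A check of this kind only narrows one write path; the advisory's workaround of not installing untrusted addons and setting cl_allowdownload to 0 still applies.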
--- Begin Message ---
Version: 0.8.5-6
This bug does not directly affect OA since 0.8.5-6, which uses a different
copy of the ioquake3 engine (in the ioquake3 package). ioquake3 itself
has the same bug, but that's tracked separately.
(OA still needs a stable update, though.)
--- End Message ---