Package: tremulous-server
Version: 1.1.0-4.1
Severity: grave
Tags: security
Justification: user security hole
CVE-2006-2082 is a directory traversal vulnerability in the Quake 3 engine. When the sv_allowDownload cvar is enabled, players can download .pk3 files required by the server; due to missing checks, remote attackers can use this feature to read arbitrary files from the server via ".." sequences in a download request.

Tremulous is based on a fork of that engine, and version 1.1.0 as shipped in Debian has the same vulnerability. The files are read with the privileges of the server, typically the "tremulous-server" uid.

This bug also affects "listen servers" (those where a player hosts the server and plays the game in the same process), started via the GUI of the tremulous package; in this case, files are read with the privileges of the user.

The de facto upstream for the Quake 3 engine is ioquake3, in which this vulnerability was fixed in r777. Debian's ioquake3 package is not vulnerable.
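The check described in the report, as an added illustration that is not code from Tremulous, ioquake3 or the r777 fix: a naive server joins the requested name onto its fs_basepath/fs_game directory and lets ".." escape it, while the hardened variant rejects anything that is not a plain .pk3 file name. The directory layout, the function names and the sample requests are assumptions made for this example only.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Illustrative code, not the engine's own. Assumed layout:
 * <base>/<game>/<name>, where base stands in for fs_basepath and
 * game for fs_game, and served .pk3 files live flat in that directory. */

#define MAX_NAME_LEN 128

/* Naive join, standing in for a server that trusts the client's request.
 * A name such as "../../../etc/passwd" walks out of <base>/<game>.
 * Returns 1 if the path fit into out, 0 otherwise. */
int naive_download_path(const char *base, const char *game, const char *name,
                        char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s/%s/%s", base, game, name);
    return n >= 0 && (size_t)n < outsz;
}

/* Returns 1 if name is a bare .pk3 file name that may be served, 0 otherwise.
 * Rejects absolute paths, any "..", backslashes, colons (drive letters,
 * alternate streams), subdirectories and wrong extensions. */
int is_safe_pk3_name(const char *name)
{
    size_t len;

    if (name == NULL || *name == '\0')
        return 0;
    len = strlen(name);
    if (len > MAX_NAME_LEN)
        return 0;
    if (name[0] == '/' || name[0] == '\\')   /* absolute path */
        return 0;
    if (strstr(name, "..") != NULL)          /* traversal sequence */
        return 0;
    if (strchr(name, '\\') != NULL)          /* Windows separator */
        return 0;
    if (strchr(name, ':') != NULL)           /* C:\..., NTFS streams */
        return 0;
    if (strchr(name, '/') != NULL)           /* no subdirectories at all */
        return 0;
    if (len < 5 || strcmp(name + len - 4, ".pk3") != 0)
        return 0;
    return 1;
}

/* Hardened variant: only builds the path after the name passes the check.
 * Returns 1 and fills out on success, 0 if the request is rejected. */
int safe_download_path(const char *base, const char *game, const char *name,
                       char *out, size_t outsz)
{
    if (!is_safe_pk3_name(name))
        return 0;
    return naive_download_path(base, game, name, out, outsz);
}

int main(void)
{
    /* Constructed download requests, one legitimate and three hostile. */
    const char *requests[] = {
        "data-1.1.0.pk3",
        "../../../etc/passwd",
        "..\\..\\..\\etc\\passwd",
        "/etc/passwd",
    };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        naive_download_path("/var/games/tremulous", "base", requests[i],
                            path, sizeof path);
        printf("naive:  %-26s -> %s\n", requests[i], path);
        if (safe_download_path("/var/games/tremulous", "base", requests[i],
                               path, sizeof path))
            printf("safe:   %-26s -> %s\n", requests[i], path);
        else
            printf("safe:   %-26s -> rejected\n", requests[i]);
    }
    return 0;
}
```

The naive join is the shape of the bug: the server never asks whether the final path still lies under its game directory. Rejecting ".." anywhere in the name (rather than only as a leading component) is deliberately stricter than a path normaliser, since no legitimate pk3 name contains it and normalisers are where such checks usually go wrong.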