Package: tremulous Version: 1.1.0-4.1 Severity: grave Tags: security Justification: user security hole
CVE-2006-3324 is a vulnerability in the Quake 3 engine. A malicious server can overwrite arbitrary files in the ~/.q3a directory on clients connecting to it; in combination with CVE-2006-3325, the same vulnerability could be used to overwrite arbitrary files anywhere on the filesystem. Tremulous is based on a fork of that engine, and version 1.1.0 as shipped in Debian has the same vulnerability (with ~/.tremulous instead of ~/.q3a). The de facto upstream for the Quake 3 engine is ioquake3, in which this vulnerability was fixed in r804. Debian's ioquake3 package is not vulnerable. -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
