Package: tremulous
Version: 1.1.0-4.1
Severity: grave
Tags: security
Justification: user security hole

CVE-2011-2764 and CVE-2011-3012 are related vulnerabilities in the Quake 3 engine. By writing a malicious DLL (.so file on Unix platforms), a program executing in the engine's bytecode virtual machine can trigger the execution of code outside the virtual machine context. This is particularly severe if auto-downloading (cl_allowDownload) is enabled, since clients with cl_allowDownload enabled will automatically download bytecode from servers to which they connect, and execute it in the virtual machine.

Tremulous is based on a fork of that engine, and version 1.1.0 as shipped in Debian has the same vulnerability.

The de facto upstream for the Quake 3 engine is ioquake3, in which this vulnerability (retroactively designated CVE-2011-3012) was partially fixed in r1405 and r1499. That implementation was incomplete (CVE-2011-2764), which was fixed in r2098 (Debian bug <http://bugs.debian.org/635734>). Debian's ioquake3 package is not vulnerable.
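
A defender-side check for the cl_allowDownload setting named in the report, as an added example that is not part of the original bug report or of the Tremulous or ioquake3 code. It assumes client configs assign the cvar with `set`/`seta` lines such as `seta cl_allowDownload "1"`; the function names are hypothetical and the sample config is constructed.

```shell
#!/bin/sh
# Added example: report the effective cl_allowDownload value in a
# Quake 3 style client config. Assumption: the cvar is assigned with
# set/seta/sets/setu lines and names are matched case-insensitively.

# Constructed sample config, not taken from a real installation.
sample_cfg() {
    cat <<'EOF'
// constructed sample
seta cl_allowDownload "0"
seta name "UnnamedPlayer"
SETA CL_ALLOWDOWNLOAD "1"   // later assignment wins
EOF
}

# Print the last value assigned to cl_allowDownload (nothing if unset).
# Reads the files given as arguments, or stdin when there are none.
allowdownload_value() {
    awk '
        { sub(/\/\/.*/, "") }          # strip // comments, re-split fields
        tolower($1) ~ /^set[asu]?$/ && tolower($2) == "cl_allowdownload" {
            v = $3; gsub(/"/, "", v); last = v
        }
        END { if (last != "") print last }
    ' "$@"
}

# Exit status: 0 = explicitly disabled, 1 = enabled,
# 2 = not set in this file (the engine default applies; check it).
audit_cfg() {
    v=$(allowdownload_value "$1")
    case "$v" in
        0)  echo "$1: cl_allowDownload=0, auto-download disabled"; return 0 ;;
        "") echo "$1: cl_allowDownload not set, engine default applies"; return 2 ;;
        *)  echo "$1: cl_allowDownload=$v, auto-download ENABLED"; return 1 ;;
    esac
}

# Stand-alone use: pass one or more config file paths as arguments.
for f in "$@"; do
    audit_cfg "$f"
done
```
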