Your message dated Wed, 22 Feb 2012 10:31:07 +0000
with message-id <4f44c3eb.2090...@debian.org>
and subject line Re: Bug#660827: tremulous: CVE-2006-2236 ("the remapShader
exploit") can lead to arbitrary code execution
has caused the Debian Bug report #660830,
regarding tremulous: CVE-2006-2875 ("q3cbof") stack-based buffer overflow
leading to arbitrary code execution
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
660830: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660830
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tremulous
Version: 1.1.0-4.1
Severity: grave
Tags: security
Justification: user security hole

CVE-2006-2875 is a buffer overflow in the Quake 3 engine, originally
discovered by Luigi Auriemma. Due to missing bounds-checking in
CL_ParseDownload, a malicious server can cause clients connecting to it
to execute arbitrary code via a network packet with compressed data.
Tremulous is based on a fork of that engine, and version 1.1.0 as shipped
in Debian has the same vulnerability.

The de facto upstream for the Quake 3 engine is ioquake3, in which this
vulnerability was fixed in r796. Debian's ioquake3 package is not vulnerable.
--- End Message ---
--- Begin Message ---
Version: 1.1.0-7

tremulous (1.1.0-6) unstable; urgency=medium

  * Backport patches from ioquake3 to fix long-standing security bugs:
    - CVE-2006-2082: arbitrary file download from server by a malicious
      client
      (Closes: #660831)
    - CVE-2006-2236 ("the remapShader exploit"): missing bounds-checking on
      COM_StripExtension, exploitable in clients of a malicious server
      (Closes: #660827)
    - CVE-2006-2875 ("q3cbof"): buffer overflow in CL_ParseDownload by a
      malicious server (Closes: #660830)
    - CVE-2006-3324: arbitrary file overwriting in clients of a malicious
      server (Closes: #660832)
    - CVE-2006-3325: arbitrary cvar overwriting (could lead to arbitrary
      code execution) in clients of a malicious server (Closes: #660834)
    - CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary
      code execution) in clients of a malicious server if auto-downloading
      is enabled (Closes: #660836)
  * As a precaution, disable auto-downloading
  * Backport ioquake3 r1141 to fix a potential buffer overflow in error
    handling (not known to be exploitable, but it can't hurt)
  * Add gcc attributes to all printf- and scanf-like functions, and
    fix non-literal format strings (again, none are known to be exploitable)

 -- Simon McVittie <s...@debian.org>  Wed, 22 Feb 2012 09:07:37 +0000
--- End Message ---
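
The changelog's last item (gcc attributes on printf-like functions, and fixing non-literal format strings) is illustrated below. This is an added example, not code from tremulous, ioquake3 or the Debian patches; log_line, last_line, LOG_MAX and the sample name are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_MAX 64                      /* constructed size for this sketch */
static char last_line[LOG_MAX];

/* Hypothetical printf-like logger. The attribute tells gcc that argument 1
 * is a printf format and the variadic arguments start at argument 2, so
 * -Wformat type-checks every call and -Wformat-security flags calls whose
 * format is not a string literal. */
static int log_line(const char *fmt, ...)
    __attribute__((format(printf, 1, 2)));

static int log_line(const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    /* vsnprintf bounds the write and NUL-terminates when the size is > 0 */
    n = vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
    return n;                           /* length the full output would need */
}

/* Text as it might arrive from a remote peer (constructed sample). */
static const char *untrusted_name = "player%x%x%n";

/* Before: log_line(untrusted_name);   peer-controlled text used as format;
 * with the attribute present, gcc -Wformat -Wformat-security warns here.
 * After: the format is a literal and the peer's text is only data. */
static const char *log_name_fixed(void)
{
    log_line("%s", untrusted_name);
    return last_line;
}

/* Over-long output is truncated to the buffer instead of overflowing it. */
static int log_truncates(void)
{
    int n = log_line("%s%s%s", "0123456789012345678901234567890123456789",
                     "0123456789012345678901234567890123456789", "tail");
    return n > LOG_MAX - 1 && strlen(last_line) == LOG_MAX - 1;
}

int main(void)
{
    printf("%s\n", log_name_fixed());
    printf("truncated safely: %d\n", log_truncates());
    return 0;
}
```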