Your message dated Wed, 22 Feb 2012 10:31:07 +0000
with message-id <4f44c3eb.2090...@debian.org>
and subject line Re: Bug#660827: tremulous: CVE-2006-2236 ("the remapShader
exploit") can lead to arbitrary code execution
has caused the Debian Bug report #660831,
regarding tremulous-server: CVE-2006-2082 arbitrary file download from server
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
660831: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660831
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tremulous-server
Version: 1.1.0-4.1
Severity: grave
Tags: security
Justification: user security hole
CVE-2006-2082 is a directory traversal vulnerability in the Quake 3 engine.
When the sv_allowDownload cvar is enabled, players can download .pk3 files
required by the server; due to missing checks, remote attackers can use this
feature to read arbitrary files from the server via ".." sequences in a
download request.
Tremulous is based on a fork of that engine, and version 1.1.0 as shipped
in Debian has the same vulnerability.
The files are read with the privileges of the server, typically the
"tremulous-server" uid. This bug also affects "listen servers" (those where
a player hosts the server and plays the game in the same process), started
via the GUI of the tremulous package; in this case, files are read with
the privileges of the user.
The de facto upstream for the Quake 3 engine is ioquake3, in which this
vulnerability was fixed in r777. Debian's ioquake3 package is not vulnerable.
--- End Message ---
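The traversal the report above describes comes down to a download handler that takes a file name from the client and opens it relative to the game data directory without checking it. The following is an added example, not tremulous or ioquake3 code and not the r777 fix: two checks of the kind a pk3 download handler needs before opening anything, next to the unchecked path construction that makes ".." sequences work. Function names, the DL_BASE directory and the sample requests are all assumptions made up for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not tremulous/ioquake3 code. Function names are
 * hypothetical. The server's download path is assumed to be
 * "<data dir>/<name>", with <name> taken from the client's request
 * verbatim, which is the shape of the bug described in the report. */

#define DL_BASE "/var/games/tremulous/base"   /* assumed server data dir */

/* Lexically walk a client-supplied relative path and report whether it
 * stays at or below the directory it starts in. Absolute paths and drive
 * specifiers are rejected outright. */
bool stays_inside_dir(const char *rel)
{
    int depth = 0;
    if (rel[0] == '/' || rel[0] == '\\' || strchr(rel, ':') != NULL)
        return false;
    for (const char *p = rel; *p; ) {
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        size_t n = (size_t)(p - seg);
        if (*p)
            p++;                     /* skip the separator */
        if (n == 0 || (n == 1 && seg[0] == '.'))
            continue;                /* "//" or ".": no change in depth */
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < 0)
                return false;        /* climbed above the start directory */
        } else {
            depth++;
        }
    }
    return true;
}

/* Stricter allow-list a pk3 download handler can apply: a single file name,
 * no separators at all, ending in ".pk3", not starting with '.', bounded
 * length. Anything else is refused before any file is opened. */
bool is_valid_pk3_request(const char *name)
{
    size_t len = strlen(name);
    if (len < 5 || len > 63)
        return false;
    if (strcmp(name + len - 4, ".pk3") != 0)
        return false;
    if (name[0] == '.' || strstr(name, "..") != NULL)
        return false;
    for (const char *p = name; *p; p++)
        if (*p == '/' || *p == '\\' || *p == ':')
            return false;
    return true;
}

/* Build the path the vulnerable handler would open: no validation at all.
 * Returns the number of characters written, for the caller to inspect. */
int build_download_path_unchecked(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, "%s/%s", DL_BASE, name);
}

int main(void)
{
    /* Constructed sample requests: one legitimate, the rest hostile. */
    const char *requests[] = {
        "map-atcs.pk3",
        "../../../../etc/passwd",
        "base/../../server.cfg",
        "sub/map.pk3",
        "/etc/passwd",
    };
    char path[256];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        build_download_path_unchecked(path, sizeof path, requests[i]);
        printf("%-26s unchecked opens %-45s inside=%d valid_pk3=%d\n",
               requests[i], path,
               stays_inside_dir(requests[i]),
               is_valid_pk3_request(requests[i]));
    }
    return 0;
}
```

The lexical walk shows why "sub/../map.pk3" is harmless while "base/../../server.cfg" is not: the count of real directory components goes negative. A production handler should not stop at either check; it should also serve only the pk3s the server itself has loaded and referenced for the current map, so the client cannot ask for arbitrary files even within the data directory, and it should open files through the engine's own file-system layer rather than the raw OS path.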
--- Begin Message ---
Version: 1.1.0-7
tremulous (1.1.0-6) unstable; urgency=medium

  * Backport patches from ioquake3 to fix long-standing security bugs:
    - CVE-2006-2082: arbitrary file download from server by a malicious
      client (Closes: #660831)
    - CVE-2006-2236 ("the remapShader exploit"): missing bounds-checking on
      COM_StripExtension, exploitable in clients of a malicious server
      (Closes: #660827)
    - CVE-2006-2875 ("q3cbof"): buffer overflow in CL_ParseDownload by a
      malicious server (Closes: #660830)
    - CVE-2006-3324: arbitrary file overwriting in clients of a malicious
      server (Closes: #660832)
    - CVE-2006-3325: arbitrary cvar overwriting (could lead to arbitrary
      code execution) in clients of a malicious server (Closes: #660834)
    - CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary
      code execution) in clients of a malicious server if auto-downloading
      is enabled (Closes: #660836)
  * As a precaution, disable auto-downloading
  * Backport ioquake3 r1141 to fix a potential buffer overflow in error
    handling (not known to be exploitable, but it can't hurt)
  * Add gcc attributes to all printf- and scanf-like functions, and
    fix non-literal format strings (again, none are known to be exploitable)

 -- Simon McVittie <s...@debian.org>  Wed, 22 Feb 2012 09:07:37 +0000
--- End Message ---