Your message dated Wed, 22 Feb 2012 10:31:07 +0000
with message-id <4f44c3eb.2090...@debian.org>
and subject line Re: Bug#660827: tremulous: CVE-2006-2236 ("the remapShader
exploit") can lead to arbitrary code execution
has caused the Debian Bug report #660834,
regarding tremulous: CVE-2006-3325 ("q3cfilevar-B") configuration overwriting
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
660834: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660834
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tremulous
Version: 1.1.0-4.1
Severity: grave
Tags: security
Justification: user security hole

CVE-2006-3325 is a vulnerability in the Quake 3 engine. Due to missing checks,
a malicious server can overwrite configuration variables ("cvars") on clients
connecting to it, even those that are normally write-protected. Some cvars,
such as fs_homepath and cl_allowdownload, are security-sensitive; in
particular, this vulnerability can be combined with CVE-2006-3324 to overwrite
arbitrary files with the user's privileges.

Tremulous is based on a fork of that engine, and version 1.1.0 as shipped
in Debian has the same vulnerability.

The de facto upstream for the Quake 3 engine is ioquake3, in which this
vulnerability was fixed in r811. Debian's ioquake3 package is not vulnerable.
--- End Message ---
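The class of bug described in the report above, as an added example that is not part of the original message and is not code from the Quake 3 engine, Tremulous or the ioquake3 r811 change: a client applies server-supplied key/value pairs to its cvar table, once without a protection check and once with one. The flag names, function names and sample values are hypothetical and constructed for this sketch; only the cvar names fs_homepath and cl_allowdownload come from the report.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical flags for this sketch; not the engine's own definitions. */
#define CV_PROTECTED 0x1u  /* normally write-protected on the client */
#define CV_SERVER_OK 0x2u  /* client accepts server-supplied values  */

typedef struct { const char *name; char value[64]; unsigned flags; } cvar_t;

/* Constructed sample table; the values are placeholders. */
static cvar_t cvars[] = {
    { "fs_homepath",      "/home/user/.tremulous", CV_PROTECTED },
    { "cl_allowdownload", "0",                     CV_PROTECTED },
    { "sv_cheats",        "0",                     CV_SERVER_OK },
};

static cvar_t *cvar_find(const char *name) {
    for (size_t i = 0; i < sizeof cvars / sizeof cvars[0]; i++)
        if (strcmp(cvars[i].name, name) == 0) return &cvars[i];
    return NULL;
}

/* Missing check: any pair sent by the server is written through. */
static int apply_server_pair_unchecked(const char *key, const char *val) {
    cvar_t *cv = cvar_find(key);
    if (!cv) return 0;
    snprintf(cv->value, sizeof cv->value, "%s", val);
    return 1;
}

/* With the check: protected cvars and cvars not marked server-settable
 * are left alone, and over-long values are rejected, not truncated. */
static int apply_server_pair_checked(const char *key, const char *val) {
    cvar_t *cv = cvar_find(key);
    if (!cv || (cv->flags & CV_PROTECTED) || !(cv->flags & CV_SERVER_OK)) return 0;
    if (strlen(val) >= sizeof cv->value) return 0;
    snprintf(cv->value, sizeof cv->value, "%s", val);
    return 1;
}

int main(void) {
    printf("checked fs_homepath: %d\n", apply_server_pair_checked("fs_homepath", "/tmp/x"));
    printf("checked sv_cheats:   %d\n", apply_server_pair_checked("sv_cheats", "1"));
    printf("unchecked fs_homepath: %d\n", apply_server_pair_unchecked("fs_homepath", "/tmp/x"));
    printf("fs_homepath is now: %s\n", cvar_find("fs_homepath")->value);
    return 0;
}
```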
--- Begin Message ---
Version: 1.1.0-7

tremulous (1.1.0-6) unstable; urgency=medium

  * Backport patches from ioquake3 to fix long-standing security bugs:
    - CVE-2006-2082: arbitrary file download from server by a malicious
      client
      (Closes: #660831)
    - CVE-2006-2236 ("the remapShader exploit"): missing bounds-checking on
      COM_StripExtension, exploitable in clients of a malicious server
      (Closes: #660827)
    - CVE-2006-2875 ("q3cbof"): buffer overflow in CL_ParseDownload by a
      malicious server (Closes: #660830)
    - CVE-2006-3324: arbitrary file overwriting in clients of a malicious
      server (Closes: #660832)
    - CVE-2006-3325: arbitrary cvar overwriting (could lead to arbitrary
      code execution) in clients of a malicious server (Closes: #660834)
    - CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary
      code execution) in clients of a malicious server if auto-downloading
      is enabled (Closes: #660836)
  * As a precaution, disable auto-downloading
  * Backport ioquake3 r1141 to fix a potential buffer overflow in error
    handling (not known to be exploitable, but it can't hurt)
  * Add gcc attributes to all printf- and scanf-like functions, and
    fix non-literal format strings (again, none are known to be exploitable)

 -- Simon McVittie <s...@debian.org>  Wed, 22 Feb 2012 09:07:37 +0000
--- End Message ---