Your message dated Fri, 15 Jun 2012 09:10:22 +0100
with message-id <4fdaedee.5080...@debian.org>
and subject line Re: Bug#677592: CVE-2012-3345: symlink attack in /tmp
has caused the Debian Bug report #677592,
regarding CVE-2012-3345: symlink attack in /tmp
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
677592: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677592
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ioquake3
Version: 1.36+svn1788j-1
Severity: grave
Tags: security
Justification: causes non-serious data loss
Access vector: local
Authentication required: local system
Impact: victim overwrites file of attacker's choice with a predictable integer
Since svn revision 1773, ioquake3 has written its process ID to the file
/tmp/ioq3.pid (or ioq3.pid in a world-writeable location) under the
following circumstances:
* running on non-Mac Unix and TMPDIR not set, or set to a
  world-writeable location; or
* running on Mac OS and FSFindFolder() for a temporary directory fails
  or returns a world-writeable location
On a multi-user system, an attacker could create a symbolic link
/tmp/ioq3.pid pointing to any file owned by a user who plays an
ioquake3-based game. When the victim runs ioquake3, the target file will
be overwritten and replaced with the process ID of ioquake3.
The effect of this attack depends on the file being overwritten: it
could be simple vandalism (destroy one of the victim's files), or it
could have further security implications if knowledge of the contents of
a target file is used for authentication (in a system similar to
pam_dotfile [DOT], for instance).
For the dedicated server, the process ID is written to ioq3_server.pid,
but the attack is essentially the same. For forks of ioquake3, the
filename will typically include the name of the fork instead, e.g.
openarena.pid.
Affected versions
=================
* ioquake3 >= svn r1773, < r2253 [ANNOUNCE]
* OpenArena 0.8.8
* Reaction beta 1.0
* Smokin' Guns 1.1
* Tremulous "trunk" >= svn r2125
* Tremulous "gpp" >= svn r2140
* Turtle Arena >= svn r204 (all releases named Turtle Arena)
* World of Padman >= 1.5.2 beta
Unaffected versions
===================
* ioquake3 1.36
* ioquake3 <= svn r1772
* OpenArena <= 0.8.5
* Smokin' Guns <= 1.1b4
* Tremulous "trunk" <= svn r2124
* Tremulous "gpp" <= svn r2139
* Tremulous GPP1
* Tremulous <= 1.1.0
* Turtle Arena <= svn r203
* TMNT Arena 20091211 (former name of Turtle Arena)
* ioUrbanTerror 2007-12-20 client
* ioUrbanTerror 2007-12-20 server
* World of Padman <= 1.5.0
Solution
========
The patches at <http://ioquake3.org/files/CVE-2012-3345/> have been
reviewed by the ioquake3 maintainers and were committed to ioquake3 svn
(as a single patch) as r2253.
Patch 0001 fixes the vulnerability by writing the pid file into the
ioquake3 user's home directory (e.g. ~/.q3a/ioq3.pid for an unmodified
engine with default configuration) instead of the temporary directory.
Patch 0002 is recommended, but not strictly necessary to fix the
vulnerability. It removes the functions to get the temporary directory,
as a precaution against other unsafe uses.
On Debian testing/unstable systems, this is fixed in ioquake3 version
1.36+svn2224-4. Debian stable is not vulnerable.
References
==========
[ANNOUNCE] http://ioquake3.org/2012/06/14/cve-2012-3345-symlink-attack-in-ioquake3-r1773/
[IOQ] http://ioquake3.org/
[OA] http://openarena.ws/
[REA] http://www.rq3.com/
[SGN] http://www.smokin-guns.net/
[TREM] http://tremulous.net/
[TA] http://ztm.x10hosting.com/ta/
[URT] http://www.urbanterror.info/home/
[WOP] http://worldofpadman.com/website/
[DOT] http://0pointer.de/lennart/projects/pam_dotfile/
-- System Information:
Debian Release: wheezy/sid
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages ioquake3 depends on:
ii libc6 2.13-33
ii libcurl3-gnutls 7.26.0-1
ii libgl1-mesa-glx [libgl1] 8.0.3-1
ii libjpeg8 8d-1
ii libogg0 1.3.0-4
ii libopenal1 1:1.14-4
ii libsdl1.2debian 1.2.15-4
ii libspeex1 1.2~rc1-6
ii libspeexdsp1 1.2~rc1-6
ii libvorbis0a 1.3.2-1.3
ii libvorbisfile3 1.3.2-1.3
ii zlib1g 1:1.2.7.dfsg-11
Versions of packages ioquake3 recommends:
ii x11-utils 7.7~1
ii zenity 3.4.0-2
ioquake3 suggests no packages.
-- no debconf information
--- End Message ---
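The report above describes a pid file written into a world-writable directory, where a pre-planted symlink redirects the write onto a file of the attacker's choosing, and a fix that moves the file into the user's home directory. The following is an added example, not code from ioquake3 or from the patches at the URL above, showing the two defences a pid-file writer should combine: refuse any directory that is not owned by the caller and private to them (which is what the ~/.q3a move provides), and open the file with O_NOFOLLOW and inspect it with fstat() before truncating, so a planted symlink fails with ELOOP instead of being followed. Function names (dir_is_private, write_pid_file, the two scenario functions) are this example's own; it assumes Linux/glibc and a writable /tmp for its scratch directories. The victim file, its contents and the ioq3.pid symlink are constructed by the example itself.

```c
/* Added example, not ioquake3 or patch code: a pid-file writer that
 * closes the hazard in the report.  (1) The directory must be owned by
 * the caller and not group/other writable, which is what moving from
 * /tmp to ~/.q3a buys.  (2) The file is opened with O_NOFOLLOW and
 * inspected with fstat() before truncation, so a planted symlink fails
 * with ELOOP instead of being followed.  Linux/glibc assumed. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if `dir` is a directory owned by the effective uid and not writable
 * by group or others, 0 otherwise.  A 1777 /tmp fails this test. */
int dir_is_private(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    return st.st_uid == geteuid() && !(st.st_mode & (S_IWGRP | S_IWOTH));
}

/* Write getpid() to dir/name.  Returns 0 on success, -1 with errno set
 * (EACCES: unsafe directory; ELOOP: symlink planted; EPERM: not a
 * plain single-link file owned by us). */
int write_pid_file(const char *dir, const char *name)
{
    char path[PATH_MAX], buf[32];
    struct stat st;
    int fd, n;

    if (!dir_is_private(dir)) { errno = EACCES; return -1; }
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) {
        errno = ENAMETOOLONG; return -1;
    }
    fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0) return -1;                /* ELOOP if a symlink was planted */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd); errno = EPERM; return -1;
    }
    /* Truncate only now: O_TRUNC at open() would have emptied a hard
     * link to someone else's file before we could inspect it. */
    if (ftruncate(fd, 0) != 0) { close(fd); return -1; }
    n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    if (write(fd, buf, (size_t)n) != n) { close(fd); return -1; }
    return close(fd);
}

/* Constructed scenario mirroring the report: a symlink named ioq3.pid
 * points at a "victim" file.  Returns 1 if write_pid_file() refuses it
 * with ELOOP and the victim's contents survive. */
int planted_symlink_is_refused(void)
{
    char tmpl[] = "/tmp/pidexXXXXXX", victim[PATH_MAX], link[PATH_MAX];
    char got[64] = {0};
    char *dir = mkdtemp(tmpl);            /* private 0700 scratch dir */
    FILE *f;
    int refused, intact;

    if (!dir) return 0;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/ioq3.pid", dir);
    if (!(f = fopen(victim, "w"))) return 0;
    fputs("precious data\n", f);
    fclose(f);
    if (symlink(victim, link) != 0) return 0;

    refused = (write_pid_file(dir, "ioq3.pid") == -1 && errno == ELOOP);

    if (!(f = fopen(victim, "r"))) return 0;
    if (!fgets(got, sizeof got, f)) got[0] = '\0';
    fclose(f);
    intact = (strcmp(got, "precious data\n") == 0);
    unlink(link); unlink(victim); rmdir(dir);
    return refused && intact;
}

/* The legitimate case: fresh private directory, no pre-existing file.
 * Returns 1 if the file ends up holding this process's pid. */
int fresh_private_dir_succeeds(void)
{
    char tmpl[] = "/tmp/pidexXXXXXX", path[PATH_MAX];
    char *dir = mkdtemp(tmpl);
    FILE *f;
    long pid = -1;

    if (!dir || write_pid_file(dir, "ioq3.pid") != 0) return 0;
    snprintf(path, sizeof path, "%s/ioq3.pid", dir);
    if (!(f = fopen(path, "r"))) return 0;
    if (fscanf(f, "%ld", &pid) != 1) pid = -1;
    fclose(f);
    unlink(path); rmdir(dir);
    return pid == (long)getpid();
}
```

The directory check is the part that actually maps onto the fix in the report: a 1777 /tmp is rejected before any file is touched, whatever TMPDIR says. O_NOFOLLOW plus the fstat() ownership and link-count check is defence in depth for the case where the chosen directory turns out to be shared after all; deferring truncation until after fstat() matters because O_TRUNC at open() acts before the caller can look at what it opened.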
--- Begin Message ---
Version: 1.36+svn2224-4
This was already fixed, in 1.36+svn2224-4. Because I prepared that
upload in advance of an embargo date, I didn't have a bug number to
close in the changelog.
--- End Message ---