Your message dated Fri, 24 Mar 2017 12:32:29 +0000
with message-id <e1crool-0003fg...@fasolo.debian.org>
and subject line Bug#857699: fixed in ioquake3 1.36+u20140802+gca9eebb-2+deb8u1
has caused the Debian Bug report #857699,
regarding ioquake3: CVE-2017-6903: privilege escalation by auto-downloaded files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
857699: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857699
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ioquake3
Version: 1.36
Severity: grave
Hi,
earlier today ioquake3 fixed a vulnerability that, as far as I
understand, could let malicious multiplayer servers execute code on
connecting clients.
It affects all prior versions of ioquake3 (and I think also original
Quake 3).
Details:
https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/
So you should probably update to latest ioq3 git or backport the fix.
Cheers,
Daniel
--- End Message ---
--- Begin Message ---
Source: ioquake3
Source-Version: 1.36+u20140802+gca9eebb-2+deb8u1
We believe that the bug you reported is fixed in the latest version of
ioquake3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 857...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated ioquake3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 14 Mar 2017 22:29:41 +0000
Source: ioquake3
Binary: ioquake3 ioquake3-server ioquake3-dbg
Architecture: source amd64
Version: 1.36+u20140802+gca9eebb-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Games Team <pkg-games-de...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Description:
 ioquake3 - Game engine for 3D first person shooter games
 ioquake3-dbg - debug symbols for the ioquake3 game engine
 ioquake3-server - Standalone server for ioQuake3 based games
Closes: 857699
Changes:
 ioquake3 (1.36+u20140802+gca9eebb-2+deb8u1) jessie-security; urgency=high
 .
   * d/gbp.conf: switch branch to debian/jessie
   * d/patches: Add patches from upstream fixing security vulnerabilities
     - refuse to load potentially auto-downloadable .pk3 files as
       ioquake3 renderers, ioquake3 game code, libcurl, or OpenAL drivers
       (mitigation: auto-downloading is off by default, and in Debian
       we do not dlopen libcurl anyway)
     - refuse to load default configuration file names from a .pk3 file
     - protect cl_renderer, cl_curllib, s_aldriver configuration variables so
       game code cannot set them
     - refuse to overwrite files other than *.txt with the dump console
       command
     - refuse to overwrite files other than *.cfg with the writeconfig
       console command
     (Closes: #857699; CVE-2017-6903)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
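The changelog above lists two kinds of file-name checks: refusing .pk3 names where a shared library is expected, and restricting each file-writing console command to a single extension. The following C sketch of both checks is an added example, not code from the ioquake3 or Debian patches; the function names, the `writer` enum and the sample file names are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive test: does `name` end with `ext` (for example ".pk3")? */
static int has_ext(const char *name, const char *ext)
{
    size_t n = strlen(name), e = strlen(ext);
    if (n < e)
        return 0;
    name += n - e;
    for (size_t i = 0; i < e; i++)
        if (tolower((unsigned char)name[i]) != tolower((unsigned char)ext[i]))
            return 0;
    return 1;
}

/* Hypothetical gate in front of dlopen(): a renderer, game-code, libcurl or
 * OpenAL library name is refused when it carries the extension of files
 * that can arrive by auto-download. */
int may_load_library(const char *name)
{
    return name != NULL && *name != '\0' && !has_ext(name, ".pk3");
}

/* Hypothetical identifiers for the two file-writing console commands. */
enum writer { WRITER_CONSOLE_DUMP, WRITER_CONFIG };

/* Allowlist, not denylist: each command may only create or overwrite a
 * file with the one extension it is meant to produce. */
int may_write_file(enum writer cmd, const char *target)
{
    if (target == NULL)
        return 0;
    switch (cmd) {
    case WRITER_CONSOLE_DUMP: return has_ext(target, ".txt");
    case WRITER_CONFIG:       return has_ext(target, ".cfg");
    }
    return 0; /* unknown writer: refuse */
}

int main(void)
{
    /* Constructed sample names, not taken from the page. */
    printf("load renderer_example.so: %d\n", may_load_library("renderer_example.so"));
    printf("load extra.PK3:           %d\n", may_load_library("extra.PK3"));
    printf("dump to notes.txt:        %d\n", may_write_file(WRITER_CONSOLE_DUMP, "notes.txt"));
    printf("dump to autoexec.cfg:     %d\n", may_write_file(WRITER_CONSOLE_DUMP, "autoexec.cfg"));
    return 0;
}
```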