Your message dated Wed, 03 Aug 2011 19:55:23 +0000
with message-id <[email protected]>
and subject line Bug#635733: fixed in openarena 0.8.5-5+squeeze1
has caused the Debian Bug report #635733,
regarding openarena: CVE-2011-2764 arbitrary code execution by malicious
gamecode
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
635733: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635733
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openarena
Version: 0.7.7+dfsg1-1
Severity: grave
Tags: security patch
Justification: user security hole
ioquake3 1.36+svn1946-4 fixes a security vulnerability. In the stable and
oldstable distributions, the same code is present in the openarena package.
Mitigation: do not allow auto-downloading, and do not install untrusted mods.
>From the advisory:
> Malicious gamecode can Execute arbitrary code outside of
> Q3 Virtual Machine context
> ========================================
>
> This bug has been discovered by /dev/humancontroller.
>
> * details
>
> The Quake3 engine uses game-specific code that is provided in a platform
> independent bytecode format. This code has restricted access to
> functionality provided by the engine. It should not be allowed access to
> data outside the VM context.
> Over the course of gameplay, the quake3 engine may dynamically load DLL
> files in certain configurations. For instance, if vm_ui is set to "0" quake3
> tries to open a DLL file to load the game logic behind the user interface.
>
> Part of the functionality offered to VM logic is the possibility to write to
> files within the quake3 directory. By writing a malicious DLL file, a
> program residing in the VM could trigger the execution of code outside the VM
> context.
> To prevent this from happening, ioquake3 introduced a file extension check
> in r1499 which denied writing files with certain names. However, this check
> was broken and corrected in r2098 only.
>
> This security issue has been around for a long time even in the original
> quake3 engine and is not limited to ioquake3.
> It affects a wide range of commercial games as well. It is only exploitable
> if a user installs 3rd party addons from untrusted sources.
> Quake3 was never really designed to be secure against malicious 3rd party
> content, and probably isn't even in latest revisions of ioquake3. So
> downloading of untrusted content is still discouraged.
>
> * CVE
>
> CVE-2011-2764 has been assigned for this issue.
>
> * severity
>
> medium
>
> * affected OS
>
> All OS with dynamic linker
>
> * games affected
>
> All games using the quake3 engine
>
> * workaround
>
> Don't download and install untrusted addons. Set cl_allowdownload to 0
>
> * patches
>
> Several distributors have already been contacted and have prepared patches
> for their distributions.
> A sourcecode patch can be got here:
>
> http://thilo.tjps.eu/download/patches/ioq3-svn-r2098.diff
--- End Message ---
--- Begin Message ---
Source: openarena
Source-Version: 0.8.5-5+squeeze1
We believe that the bug you reported is fixed in the latest version of
openarena, which is due to be installed in the Debian FTP archive:
openarena-server_0.8.5-5+squeeze1_amd64.deb
to main/o/openarena/openarena-server_0.8.5-5+squeeze1_amd64.deb
openarena_0.8.5-5+squeeze1.debian.tar.gz
to main/o/openarena/openarena_0.8.5-5+squeeze1.debian.tar.gz
openarena_0.8.5-5+squeeze1.dsc
to main/o/openarena/openarena_0.8.5-5+squeeze1.dsc
openarena_0.8.5-5+squeeze1_amd64.deb
to main/o/openarena/openarena_0.8.5-5+squeeze1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated openarena package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 28 Jul 2011 14:22:31 +0100
Source: openarena
Binary: openarena openarena-server
Architecture: source amd64
Version: 0.8.5-5+squeeze1
Distribution: stable
Urgency: medium
Maintainer: Debian Games Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Description:
openarena - fast-paced 3D first-person shooter
openarena-server - server and game logic for the game OpenArena
Closes: 635733
Changes:
openarena (0.8.5-5+squeeze1) stable; urgency=medium
.
* Apply upstream r2098 to fix arbitrary code execution by malicious QVM
bytecode, which could be auto-downloaded from a malicious server
if enabled. CVE-2011-2764 (Closes: #635733)
Checksums-Sha1:
6324e0908b10ca4cadd0180c046e6ddd97c2881f 2099 openarena_0.8.5-5+squeeze1.dsc
79bb24858637b5edbe8c7f51d2c19721be191c0f 244882
openarena_0.8.5-5+squeeze1.debian.tar.gz
cc33baf2ffe0638aaf92605b1ea7a824fe8ff5b0 928160
openarena_0.8.5-5+squeeze1_amd64.deb
a89c63ebb580b4bf60559b0593ddd36ebd59a0c0 2764960
openarena-server_0.8.5-5+squeeze1_amd64.deb
Checksums-Sha256:
65e774d64f6a4d35f1f39aed5f617eb95161dbb0991770c94b8681cd14db50b1 2099
openarena_0.8.5-5+squeeze1.dsc
90042a56561abe1b848ce35f1d72416c4efe05e421490f5e321ec4fbc919a66b 244882
openarena_0.8.5-5+squeeze1.debian.tar.gz
e0b482b8d175a72affd0ad9e446fcc761c3ed2c8b538a8507fc6d68a1c6daf18 928160
openarena_0.8.5-5+squeeze1_amd64.deb
2b2f509cdd6087c8dd08711878c38d16e00f8088852e8583d389f6be58dc1273 2764960
openarena-server_0.8.5-5+squeeze1_amd64.deb
Files:
e994b70ef9fcfb312699d8d5207e045b 2099 games optional
openarena_0.8.5-5+squeeze1.dsc
2ba30d14332f2b1c8a8b52ded26be2dc 244882 games optional
openarena_0.8.5-5+squeeze1.debian.tar.gz
a44dce91fea8d3966b65059ae6421c93 928160 games optional
openarena_0.8.5-5+squeeze1_amd64.deb
767bd70893e485708f538cd1a6b2405e 2764960 games optional
openarena-server_0.8.5-5+squeeze1_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIVAwUBTjQT4k3o/ypjx8yQAQg5Xw//b0XH5Zlg20dMzZ6HvbJAPQcan7synixA
LjtUqL4eVujVxx40ru8hSOU3ZdvKAznN7UkAmgXTLuqSWwpTmtdo2QxRlbHo6pTf
LKr2re3kFOi+oFC62mjHLwjzd3STLNMcJtz6IkHo7Y/fHae94Lb/cJrTp2ajiQP4
bEGzzQyJzbyO5RLNtlgVQoFa9L5aNlntDO66kL+t6RE+xCKeZtCdfQjlct71clbt
lxCXzRMzParAYFD7CzrxAlLZ9NVWIIzBjtnkS2SnRZWjvkoLi3j+Unfcugk5EfgX
o4MBB1TK/rl/XQyWyxeKsqsJJgP6E1xjrstOpNaxVgGPwcDPWlLVzCN2ZrHeakf9
LjBf8/adOglTHJZBXBDFGXwdQQy6cXkcljxuIbUME88s0bVu8SoWlx8LUPj1/Gtb
S48XPHm27JCYIXRYumRF0wuskybWTu5cDsaIvEU/QEjldSdg54ED3MS8qFJNcIGB
y/Lf7Xtlzu0DcleoEWxYz95tl3J27tsAfVzs5SMnPqvsZk1xUD16lD+3Zntx4l1K
YVR/JVShznnq2zyWAxF3SFXOHh6uSKVGXuihfxMkbG7G4GQDQ5YjNuiB7oqQA638
DPH7dt20Yj0iH52Qf2fnQZ6XIASomn4yCRKw46ytqoJQAx/tos7rGuxZ6xa6CpaK
1fBaI9i84g0=
=NlUA
-----END PGP SIGNATURE-----
--- End Message ---
