Your message dated Wed, 22 Feb 2012 10:31:07 +0000
with message-id <[email protected]>
and subject line Re: Bug#660827: tremulous: CVE-2006-2236 ("the remapShader
exploit") can lead to arbitrary code execution
has caused the Debian Bug report #660836,
regarding tremulous: CVE-2011-2764, CVE-2011-3012 DLL overwriting by malicious
bytecode
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
660836: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660836
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tremulous
Version: 1.1.0-4.1
Severity: grave
Tags: security
Justification: user security hole
CVE-2011-2764 and CVE-2011-3012 are related vulnerabilities in the
Quake 3 engine. By writing a malicious DLL (.so file on Unix platforms),
a program executing in the engine's bytecode virtual machine can trigger
the execution of code outside the virtual machine context. This is
particularly severe if auto-downloading (cl_allowDownload) is enabled, since
clients with cl_allowDownload enabled will automatically download bytecode
from servers to which they connect, and execute it in the virtual machine.
Tremulous is based on a fork of that engine, and version 1.1.0 as shipped
in Debian has the same vulnerability.
The de facto upstream for the Quake 3 engine is ioquake3, in which this
vulnerability (retroactively designated CVE-2011-3012) was partially fixed
in r1405 and r1499. That implementation was incomplete (CVE-2011-2764),
which was fixed in r2098 (Debian bug <http://bugs.debian.org/635734>).
Debian's ioquake3 package is not vulnerable.
--- End Message ---
--- Begin Message ---
Version: 1.1.0-7
tremulous (1.1.0-6) unstable; urgency=medium
* Backport patches from ioquake3 to fix long-standing security bugs:
- CVE-2006-2082: arbitrary file download from server by a malicious
client
(Closes: #660831)
- CVE-2006-2236 ("the remapShader exploit"): missing bounds-checking on
COM_StripExtension, exploitable in clients of a malicious server
(Closes: #660827)
- CVE-2006-2875 ("q3cbof"): buffer overflow in CL_ParseDownload by a
malicious server (Closes: #660830)
- CVE-2006-3324: arbitrary file overwriting in clients of a malicious
server (Closes: #660832)
- CVE-2006-3325: arbitrary cvar overwriting (could lead to arbitrary
code execution) in clients of a malicious server (Closes: #660834)
- CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary
code execution) in clients of a malicious server if auto-downloading
is enabled (Closes: #660836)
* As a precaution, disable auto-downloading
* Backport ioquake3 r1141 to fix a potential buffer overflow in error
handling (not known to be exploitable, but it can't hurt)
* Add gcc attributes to all printf- and scanf-like functions, and
fix non-literal format strings (again, none are known to be exploitable)
-- Simon McVittie <[email protected]> Wed, 22 Feb 2012 09:07:37 +0000
--- End Message ---