Your message dated Mon, 26 Mar 2012 18:33:04 +0000
with message-id <[email protected]>
and subject line Bug#660836: fixed in tremulous 1.1.0-7~squeeze1
has caused the Debian Bug report #660836,
regarding tremulous: CVE-2011-2764, CVE-2011-3012 DLL overwriting by malicious bytecode
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
660836: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660836
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tremulous
Version: 1.1.0-4.1
Severity: grave
Tags: security
Justification: user security hole
CVE-2011-2764 and CVE-2011-3012 are related vulnerabilities in the
Quake 3 engine. By writing a malicious DLL (.so file on Unix platforms),
a program executing in the engine's bytecode virtual machine can trigger
the execution of code outside the virtual machine context. This is
particularly severe if auto-downloading (cl_allowDownload) is enabled, since
clients with cl_allowDownload enabled will automatically download bytecode
from servers to which they connect, and execute it in the virtual machine.
Tremulous is based on a fork of that engine, and version 1.1.0 as shipped
in Debian has the same vulnerability.
The de facto upstream for the Quake 3 engine is ioquake3, in which this
vulnerability (retroactively designated CVE-2011-3012) was partially fixed
in r1405 and r1499. That implementation was incomplete (CVE-2011-2764),
which was fixed in r2098 (Debian bug <http://bugs.debian.org/635734>).
Debian's ioquake3 package is not vulnerable.
--- End Message ---
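The escape described in the report above (bytecode inside the engine's VM asking the host to write a file that the host will later load as native code) comes down to a missing check at the VM's file-write boundary. The C below is an added illustration of that check and is not code from ioquake3, Tremulous or the Debian patches; the function names (vm_write_allowed, vm_write_allowed_weak, path_escapes_sandbox), the extension list and the traversal rules are assumptions chosen to show the shape of the fix, and the "weak" variant is a constructed contrast rather than the exact gap behind CVE-2011-2764.

```c
/*
 * Illustrative sandbox check for a file write requested by VM bytecode.
 * Added example, not engine code: names and the extension list are
 * assumptions. The threat it addresses: if a VM-reachable write can land
 * a file in the game's search path under a name the host later trusts as
 * code (native library, .qvm bytecode, or a .pk3 that may contain either),
 * the attacker has left the VM.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Cover every platform's native-library suffix, not just the build host's,
 * plus the engine's own bytecode and archive extensions (assumed list). */
static const char *const forbidden_exts[] = {
    ".so", ".dll", ".dylib", ".qvm", ".pk3", NULL
};

/* Case-insensitive "ends with" test. */
static bool ends_with_nocase(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    if (lx > ls)
        return false;
    s += ls - lx;
    for (; *suffix; s++, suffix++) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*suffix))
            return false;
    }
    return true;
}

/* Reject anything that could leave the sandbox directory: absolute paths,
 * drive letters / NTFS streams, and parent-directory traversal. */
static bool path_escapes_sandbox(const char *path)
{
    if (path[0] == '/' || path[0] == '\\')
        return true;
    if (strchr(path, ':') != NULL)
        return true;
    if (strstr(path, "..") != NULL)
        return true;
    return false;
}

/* Constructed "incomplete" shape of the check: only the current platform's
 * library extension is refused, compared case-sensitively. A .qvm, a .pk3,
 * a foreign-platform library suffix or a case variant all slip through.
 * Kept only to contrast with vm_write_allowed(); do not use it. */
bool vm_write_allowed_weak(const char *path, const char *dll_ext)
{
    size_t lp = strlen(path), le = strlen(dll_ext);
    if (path_escapes_sandbox(path))
        return false;
    if (lp >= le && strcmp(path + lp - le, dll_ext) == 0)
        return false;
    return true;
}

/* Hardened check: deny every extension the engine will ever treat as code,
 * regardless of case or of which platform produced the build. */
bool vm_write_allowed(const char *path)
{
    if (path == NULL || path[0] == '\0')
        return false;
    if (path_escapes_sandbox(path))
        return false;
    for (const char *const *e = forbidden_exts; *e; e++) {
        if (ends_with_nocase(path, *e))
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample paths a malicious QVM might ask the host to create. */
    const char *samples[] = {
        "demos/match1.dm_69", "cgame.so", "vm/cgame.QVM",
        "../../../tmp/evil.so", "C:\\evil.txt"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-24s weak=%d hardened=%d\n", samples[i],
               vm_write_allowed_weak(samples[i], ".so"),
               vm_write_allowed(samples[i]));
    }
    return 0;
}
```

The point the contrast makes is that a deny-list at this boundary has to enumerate everything the loader will execute, on every platform, case-insensitively, and still sit behind a traversal check; the report's note that auto-downloading makes the bug remotely reachable is why the Debian update also turned cl_allowDownload off rather than relying on the write filter alone.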
--- Begin Message ---
Source: tremulous
Source-Version: 1.1.0-7~squeeze1
We believe that the bug you reported is fixed in the latest version of
tremulous, which is due to be installed in the Debian FTP archive:
tremulous-doc_1.1.0-7~squeeze1_all.deb
to contrib/t/tremulous/tremulous-doc_1.1.0-7~squeeze1_all.deb
tremulous-server_1.1.0-7~squeeze1_i386.deb
to contrib/t/tremulous/tremulous-server_1.1.0-7~squeeze1_i386.deb
tremulous_1.1.0-7~squeeze1.debian.tar.gz
to contrib/t/tremulous/tremulous_1.1.0-7~squeeze1.debian.tar.gz
tremulous_1.1.0-7~squeeze1.dsc
to contrib/t/tremulous/tremulous_1.1.0-7~squeeze1.dsc
tremulous_1.1.0-7~squeeze1_i386.deb
to contrib/t/tremulous/tremulous_1.1.0-7~squeeze1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated tremulous package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 25 Mar 2012 13:53:09 +0100
Source: tremulous
Binary: tremulous tremulous-server tremulous-doc
Architecture: source i386 all
Version: 1.1.0-7~squeeze1
Distribution: stable
Urgency: medium
Maintainer: Debian Games Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Description:
tremulous - Aliens vs Humans, team based FPS game with elements of an RTS
tremulous-doc - Tremulous documentation
tremulous-server - Tremulous server
Closes: 660827 660830 660831 660832 660834 660836
Changes:
tremulous (1.1.0-7~squeeze1) stable; urgency=low
.
* Stable update (#663104), incorporating security fixes from unstable
* Fix an incorrect bug number in revision -6
.
tremulous (1.1.0-7) unstable; urgency=medium
.
* Add a lintian override for embedded-library libjpeg (#589407) to avoid
auto-rejection. It is a valid bug, but is not a regression, and fixing
several long-standing security vulnerabilities seems more important
than getting rid of an embedded library that is not known to be
exploitable.
.
tremulous (1.1.0-6) unstable; urgency=medium
.
* Backport patches from ioquake3 to fix long-standing security bugs:
- CVE-2006-2082: arbitrary file download from server by a malicious client
(Closes: #660831)
- CVE-2006-2236 ("the remapShader exploit"): missing bounds-checking on
COM_StripExtension, exploitable in clients of a malicious server
(Closes: #660827)
- CVE-2006-2875 ("q3cbof"): buffer overflow in CL_ParseDownload by a
malicious server (Closes: #660830)
- CVE-2006-3324: arbitrary file overwriting in clients of a malicious
server (Closes: #660832)
- CVE-2006-3325: arbitrary cvar overwriting (could lead to arbitrary
code execution) in clients of a malicious server (Closes: #660834)
- CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary
code execution) in clients of a malicious server if auto-downloading
is enabled (Closes: #660836)
* As a precaution, disable auto-downloading
* Backport ioquake3 r1141 to fix a potential buffer overflow in error
handling (not known to be exploitable, but it can't hurt)
* Add gcc attributes to all printf- and scanf-like functions, and
fix non-literal format strings (again, none are known to be exploitable)
Checksums-Sha1:
093c757c268baf294ca21bf5c3134f1b27c63ccd 1886 tremulous_1.1.0-7~squeeze1.dsc
824556728fc2c6d25e1236aa73cefd20cf798c80 39677 tremulous_1.1.0-7~squeeze1.debian.tar.gz
b660cef21e1d446fa3319883c51d3d6b5ef51106 674826 tremulous_1.1.0-7~squeeze1_i386.deb
06a0f1fd077587c19793cb35fabf887376087e26 351748 tremulous-server_1.1.0-7~squeeze1_i386.deb
b7e0b2fe05cb5c3cbd327d69e8f9397ba51440c4 645994 tremulous-doc_1.1.0-7~squeeze1_all.deb
Checksums-Sha256:
1ee9da033efeb695a4466f6d21750176ac0114ef0f58731d93fe830104e477ed 1886 tremulous_1.1.0-7~squeeze1.dsc
d6b0e3e4fe5362e82970d0bc7122485d9ceaf501eb1d842c212bc3811e61c61f 39677 tremulous_1.1.0-7~squeeze1.debian.tar.gz
c44056831bce32a472cac71c256642e3b2ea6d98731ef0b374b7f3491e9b93fd 674826 tremulous_1.1.0-7~squeeze1_i386.deb
29b9b41418ea60ff11c99758e42a157c7776165f435eae36f9d0d2b240466d8f 351748 tremulous-server_1.1.0-7~squeeze1_i386.deb
acb7a04f9648594d97c3a05eb0d71d847425d13b5b9e239e41977fa62313b419 645994 tremulous-doc_1.1.0-7~squeeze1_all.deb
Files:
1aa63c3fa97393579591711e3c9768c9 1886 contrib/games optional tremulous_1.1.0-7~squeeze1.dsc
119bddb6b3b70513798a8c991d22668e 39677 contrib/games optional tremulous_1.1.0-7~squeeze1.debian.tar.gz
b6fa83d46a72a0375642ef689f24239b 674826 contrib/games optional tremulous_1.1.0-7~squeeze1_i386.deb
6909f73b47b0336243e22b5767e95a48 351748 contrib/games optional tremulous-server_1.1.0-7~squeeze1_i386.deb
112bab3c2a43ee9218e1a66d65539b12 645994 contrib/doc optional tremulous-doc_1.1.0-7~squeeze1_all.deb
-----BEGIN PGP SIGNATURE-----
=9D44
-----END PGP SIGNATURE-----
--- End Message ---