Your message dated Mon, 26 Mar 2012 18:33:04 +0000
with message-id <[email protected]>
and subject line Bug#660834: fixed in tremulous 1.1.0-7~squeeze1
has caused the Debian Bug report #660834,
regarding tremulous: CVE-2006-3325 ("q3cfilevar-B") configuration overwriting
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
660834: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660834
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tremulous
Version: 1.1.0-4.1
Severity: grave
Tags: security
Justification: user security hole

CVE-2006-3325 is a vulnerability in the Quake 3 engine. Due to missing checks,
a malicious server can overwrite configuration variables ("cvars") on clients
connecting to it, even those that are normally write-protected. Some cvars,
such as fs_homepath and cl_allowdownload, are security-sensitive; in
particular, this vulnerability can be combined with CVE-2006-3324 to overwrite
arbitrary files with the user's privileges.

Tremulous is based on a fork of that engine, and version 1.1.0 as shipped
in Debian has the same vulnerability.

The de facto upstream for the Quake 3 engine is ioquake3, in which this
vulnerability was fixed in r811. Debian's ioquake3 package is not vulnerable.



--- End Message ---
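The missing check the report above describes, shown as an added example that is not code from tremulous, ioquake3 or the bug report: a client applying the server-supplied "systeminfo" string (Quake 3's \key\value\key\value format) once without consulting cvar flags, and once refusing anything not explicitly flagged as server-controlled. The flag names are modelled on Quake 3's CVAR_ROM, CVAR_INIT and CVAR_SYSTEMINFO but their values, the cvar table, its defaults and the hostile systeminfo string are all assumptions constructed for this illustration.

```c
/* Constructed illustration of the check behind CVE-2006-3325: applying
 * server-pushed cvar values with and without honouring cvar flags.
 * Flag values, the cvar table and the sample input are assumptions;
 * this is not engine code. */
#include <stdio.h>
#include <string.h>

#define CVAR_ARCHIVE    0x01  /* saved in the user's config file            */
#define CVAR_ROM        0x02  /* read-only, never settable at runtime        */
#define CVAR_INIT       0x04  /* only settable from the command line         */
#define CVAR_SYSTEMINFO 0x08  /* the server is allowed to push this value    */
#define MAX_VALUE 256

typedef struct {
    const char *name;
    const char *def;
    char        value[MAX_VALUE];
    int         flags;
} cvar_t;

/* Assumed registration table: the two sensitive cvars named in the report
 * plus two that a server legitimately controls. */
static cvar_t cvars[] = {
    { "fs_homepath",      "/home/user/.tremulous", "", CVAR_ROM | CVAR_INIT },
    { "cl_allowdownload", "0",                     "", CVAR_ARCHIVE },
    { "sv_pure",          "0",                     "", CVAR_SYSTEMINFO },
    { "g_gametype",       "0",                     "", CVAR_SYSTEMINFO },
};
#define NUM_CVARS (sizeof cvars / sizeof cvars[0])

void cvar_reset_defaults(void)
{
    for (size_t i = 0; i < NUM_CVARS; i++)
        snprintf(cvars[i].value, MAX_VALUE, "%s", cvars[i].def);
}

static cvar_t *cvar_find(const char *name)
{
    for (size_t i = 0; i < NUM_CVARS; i++)
        if (strcmp(cvars[i].name, name) == 0)
            return &cvars[i];
    return NULL;
}

const char *cvar_get(const char *name)
{
    cvar_t *v = cvar_find(name);
    return v ? v->value : NULL;
}

/* Pull the next \key\value pair out of an info string, advancing *s.
 * Over-long keys or values are truncated to the buffer, never overrun. */
static int info_next_pair(const char **s, char *key, char *value, size_t n)
{
    const char *p = *s;
    size_t k = 0, v = 0;
    if (*p == '\\') p++;
    if (*p == '\0') return 0;
    while (*p && *p != '\\') { if (k + 1 < n) key[k++] = *p; p++; }
    key[k] = '\0';
    if (*p == '\\') p++;
    while (*p && *p != '\\') { if (v + 1 < n) value[v++] = *p; p++; }
    value[v] = '\0';
    *s = p;
    return 1;
}

/* The missing-check pattern: every known key the server sends is applied,
 * read-only or not. Returns the number of cvars overwritten. */
int apply_systeminfo_unchecked(const char *info)
{
    char key[MAX_VALUE], value[MAX_VALUE];
    int applied = 0;
    while (info_next_pair(&info, key, value, MAX_VALUE)) {
        cvar_t *v = cvar_find(key);
        if (!v) continue;
        snprintf(v->value, MAX_VALUE, "%s", value);
        applied++;
    }
    return applied;
}

/* Hardened: a server may only touch cvars flagged CVAR_SYSTEMINFO, and never
 * one that is read-only or init-only. Returns the number of rejected pairs. */
int apply_systeminfo_checked(const char *info)
{
    char key[MAX_VALUE], value[MAX_VALUE];
    int rejected = 0;
    while (info_next_pair(&info, key, value, MAX_VALUE)) {
        cvar_t *v = cvar_find(key);
        if (!v) continue;  /* unknown keys are ignored in this illustration */
        if ((v->flags & (CVAR_ROM | CVAR_INIT)) || !(v->flags & CVAR_SYSTEMINFO)) {
            printf("WARNING: server is not allowed to set %s=%s\n", key, value);
            rejected++;
            continue;
        }
        snprintf(v->value, MAX_VALUE, "%s", value);
    }
    return rejected;
}

/* Constructed systeminfo from a hostile server: one legitimate key, plus two
 * that would redirect the client's file writes and enable downloads. */
const char *EVIL_SYSTEMINFO =
    "\\sv_pure\\1\\fs_homepath\\/tmp/attacker\\cl_allowdownload\\1";

int main(void)
{
    cvar_reset_defaults();
    apply_systeminfo_unchecked(EVIL_SYSTEMINFO);
    printf("unchecked: fs_homepath=%s cl_allowdownload=%s\n",
           cvar_get("fs_homepath"), cvar_get("cl_allowdownload"));
    cvar_reset_defaults();
    apply_systeminfo_checked(EVIL_SYSTEMINFO);
    printf("checked:   fs_homepath=%s cl_allowdownload=%s sv_pure=%s\n",
           cvar_get("fs_homepath"), cvar_get("cl_allowdownload"), cvar_get("sv_pure"));
    return 0;
}
```

The point of the hardened variant is that the decision is made on the cvar's own flags, not on the server's say-so: fs_homepath stays at its default even though the server named it, while sv_pure, which is meant to be server-controlled, is still updated.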
--- Begin Message ---
Source: tremulous
Source-Version: 1.1.0-7~squeeze1

We believe that the bug you reported is fixed in the latest version of
tremulous, which is due to be installed in the Debian FTP archive:

tremulous-doc_1.1.0-7~squeeze1_all.deb
  to contrib/t/tremulous/tremulous-doc_1.1.0-7~squeeze1_all.deb
tremulous-server_1.1.0-7~squeeze1_i386.deb
  to contrib/t/tremulous/tremulous-server_1.1.0-7~squeeze1_i386.deb
tremulous_1.1.0-7~squeeze1.debian.tar.gz
  to contrib/t/tremulous/tremulous_1.1.0-7~squeeze1.debian.tar.gz
tremulous_1.1.0-7~squeeze1.dsc
  to contrib/t/tremulous/tremulous_1.1.0-7~squeeze1.dsc
tremulous_1.1.0-7~squeeze1_i386.deb
  to contrib/t/tremulous/tremulous_1.1.0-7~squeeze1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated tremulous package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 25 Mar 2012 13:53:09 +0100
Source: tremulous
Binary: tremulous tremulous-server tremulous-doc
Architecture: source i386 all
Version: 1.1.0-7~squeeze1
Distribution: stable
Urgency: medium
Maintainer: Debian Games Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Description: 
 tremulous  - Aliens vs Humans, team based FPS game with elements of an RTS
 tremulous-doc - Tremulous documentation
 tremulous-server - Tremulous server
Closes: 660827 660830 660831 660832 660834 660836
Changes: 
 tremulous (1.1.0-7~squeeze1) stable; urgency=low
 .
   * Stable update (#663104), incorporating security fixes from unstable
   * Fix an incorrect bug number in revision -6
 .
 tremulous (1.1.0-7) unstable; urgency=medium
 .
   * Add a lintian override for embedded-library libjpeg (#589407) to avoid
     auto-rejection. It is a valid bug, but is not a regression, and fixing
     several long-standing security vulnerabilities seems more important
     than getting rid of an embedded library that is not known to be
     exploitable.
 .
 tremulous (1.1.0-6) unstable; urgency=medium
 .
   * Backport patches from ioquake3 to fix long-standing security bugs:
     - CVE-2006-2082: arbitrary file download from server by a malicious client
       (Closes: #660831)
     - CVE-2006-2236 ("the remapShader exploit"): missing bounds-checking on
       COM_StripExtension, exploitable in clients of a malicious server
       (Closes: #660827)
     - CVE-2006-2875 ("q3cbof"): buffer overflow in CL_ParseDownload by a
       malicious server (Closes: #660830)
     - CVE-2006-3324: arbitrary file overwriting in clients of a malicious
       server (Closes: #660832)
     - CVE-2006-3325: arbitrary cvar overwriting (could lead to arbitrary
       code execution) in clients of a malicious server (Closes: #660834)
     - CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary
       code execution) in clients of a malicious server if auto-downloading
       is enabled (Closes: #660836)
   * As a precaution, disable auto-downloading
   * Backport ioquake3 r1141 to fix a potential buffer overflow in error
     handling (not known to be exploitable, but it can't hurt)
   * Add gcc attributes to all printf- and scanf-like functions, and
     fix non-literal format strings (again, none are known to be exploitable)
Checksums-Sha1: 
 093c757c268baf294ca21bf5c3134f1b27c63ccd 1886 tremulous_1.1.0-7~squeeze1.dsc
 824556728fc2c6d25e1236aa73cefd20cf798c80 39677 tremulous_1.1.0-7~squeeze1.debian.tar.gz
 b660cef21e1d446fa3319883c51d3d6b5ef51106 674826 tremulous_1.1.0-7~squeeze1_i386.deb
 06a0f1fd077587c19793cb35fabf887376087e26 351748 tremulous-server_1.1.0-7~squeeze1_i386.deb
 b7e0b2fe05cb5c3cbd327d69e8f9397ba51440c4 645994 tremulous-doc_1.1.0-7~squeeze1_all.deb
Checksums-Sha256: 
 1ee9da033efeb695a4466f6d21750176ac0114ef0f58731d93fe830104e477ed 1886 tremulous_1.1.0-7~squeeze1.dsc
 d6b0e3e4fe5362e82970d0bc7122485d9ceaf501eb1d842c212bc3811e61c61f 39677 tremulous_1.1.0-7~squeeze1.debian.tar.gz
 c44056831bce32a472cac71c256642e3b2ea6d98731ef0b374b7f3491e9b93fd 674826 tremulous_1.1.0-7~squeeze1_i386.deb
 29b9b41418ea60ff11c99758e42a157c7776165f435eae36f9d0d2b240466d8f 351748 tremulous-server_1.1.0-7~squeeze1_i386.deb
 acb7a04f9648594d97c3a05eb0d71d847425d13b5b9e239e41977fa62313b419 645994 tremulous-doc_1.1.0-7~squeeze1_all.deb
Files: 
 1aa63c3fa97393579591711e3c9768c9 1886 contrib/games optional tremulous_1.1.0-7~squeeze1.dsc
 119bddb6b3b70513798a8c991d22668e 39677 contrib/games optional tremulous_1.1.0-7~squeeze1.debian.tar.gz
 b6fa83d46a72a0375642ef689f24239b 674826 contrib/games optional tremulous_1.1.0-7~squeeze1_i386.deb
 6909f73b47b0336243e22b5767e95a48 351748 contrib/games optional tremulous-server_1.1.0-7~squeeze1_i386.deb
 112bab3c2a43ee9218e1a66d65539b12 645994 contrib/doc optional tremulous-doc_1.1.0-7~squeeze1_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---