Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: pu
openarena/0.8.5-5+squeeze1 fixes #635733, proposed diff attached.

On Thu, 28 Jul 2011 at 14:11:47 +0100, Simon McVittie wrote:
> ioquake3 1.36+svn1946-4 fixes a security vulnerability. In the stable and
> oldstable distributions, the same code is present in the openarena package.
>
> Mitigation: do not allow auto-downloading, and do not install untrusted mods.
>
> From the advisory:
> > Malicious gamecode can Execute arbitrary code outside of
> > Q3 Virtual Machine context
> > ========================================
> >
> > This bug has been discovered by /dev/humancontroller.
> >
> > * details
> >
> > The Quake3 engine uses game-specific code that is provided in a platform
> > independent bytecode format. This code has restricted access to
> > functionality provided by the engine. It should not be allowed access to
> > data outside the VM context.
> > Over the course of gameplay, the quake3 engine may dynamically load DLL
> > files in certain configurations. For instance, if vm_ui is set to "0" quake3
> > tries to open a DLL file to load the game logic behind the user interface.
> >
> > Part of the functionality offered to VM logic is the possibility to write to
> > files within the quake3 directory. By writing a malicious DLL file, a
> > program residing in the VM could trigger the execution of code outside the
> > VM context.
> > To prevent this from happening, ioquake3 introduced a file extension check
> > in r1499 which denied writing files with certain names. However, this check
> > was broken and corrected in r2098 only.
> >
> > This security issue has been around for a long time even in the original
> > quake3 engine and is not limited to ioquake3.
> > It affects a wide range of commercial games as well. It is only exploitable
> > if a user installs 3rd party addons from untrusted sources.
> > Quake3 was never really designed to be secure against malicious 3rd party
> > content, and probably isn't even in latest revisions of ioquake3. So
> > downloading of untrusted content is still discouraged.
> >
> > * CVE
> >
> > CVE-2011-2764 has been assigned for this issue.
> >
> > * severity
> >
> > medium
> >
> > * affected OS
> >
> > All OS with dynamic linker
> >
> > * games affected
> >
> > All games using the quake3 engine
> >
> > * workaround
> >
> > Don't download and install untrusted addons. Set cl_allowdownload to 0
> >
> > * patches
> >
> > Several distributors have already been contacted and have prepared patches
> > for their distributions.
> > A sourcecode patch can be got here:
> >
> > http://thilo.tjps.eu/download/patches/ioq3-svn-r2098.diff
diff --git a/debian/changelog b/debian/changelog index df2dd86..bb1de52 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +openarena (0.8.5-5+squeeze1) stable; urgency=medium + + * Apply upstream r2098 to fix arbitrary code execution by malicious QVM + bytecode, which could be auto-downloaded from a malicious server + if enabled. CVE-2011-2764 (Closes: #635733) + + -- Simon McVittie <[email protected]> Thu, 28 Jul 2011 14:22:31 +0100 + openarena (0.8.5-5) unstable; urgency=medium * Add patch (already upstream as oax r239) to fix a crash if a non-client diff --git a/debian/patches/0001-Fix-extension-name-comparison-for-DLL-files.patch b/debian/patches/0001-Fix-extension-name-comparison-for-DLL-files.patch new file mode 100644 index 0000000..8f6dc9a --- /dev/null +++ b/debian/patches/0001-Fix-extension-name-comparison-for-DLL-files.patch 
@@ -0,0 +1,77 @@ +From: Thilo Schulz <thilo> +Date: Sun, 24 Jul 2011 22:12:21 +0000 +Subject: Fix extension name comparison for DLL files + +[This might make it possible for gamecode to write out a malicious DLL file +which would be executed if vm_game = 0. Present in r1499, so v1.36 was +already vulnerable. This is a backport to r1759 -smcv] + +Origin: upstream, commit:2098 +Applied-upstream: 1.37 +Bug-CVE: CVE-2011-2764 +--- + engine/code/qcommon/files.c | 2 +- + engine/code/qcommon/q_shared.c | 24 ++++++++++++++++++++++++ + engine/code/qcommon/q_shared.h | 1 + + 3 files changed, 26 insertions(+), 1 deletions(-) + +diff --git a/engine/code/qcommon/files.c b/engine/code/qcommon/files.c +index 5fca431..e343554 100644 +--- a/engine/code/qcommon/files.c ++++ b/engine/code/qcommon/files.c +@@ -530,7 +530,7 @@ static void FS_CheckFilenameIsNotExecutable( const char *filename, + const char *function ) + { + // Check if the filename ends with the library extension +- if( !Q_stricmp( COM_GetExtension( filename ), DLL_EXT ) ) ++ if(COM_CompareExtension(filename, DLL_EXT)) + { + Com_Error( ERR_FATAL, "%s: Not allowed to manipulate '%s' due " + "to %s extension\n", function, filename, DLL_EXT ); +diff --git a/engine/code/qcommon/q_shared.c b/engine/code/qcommon/q_shared.c +index 550d100..50d4479 100644 +--- a/engine/code/qcommon/q_shared.c ++++ b/engine/code/qcommon/q_shared.c +@@ -96,6 +96,30 @@ void COM_StripExtension( const char *in, char *out, int destsize ) { + out[length] = 0; + } + ++/* ++============ ++COM_CompareExtension ++ ++string compare the end of the strings and return qtrue if strings match ++============ ++*/ ++qboolean COM_CompareExtension(const char *in, const char *ext) ++{ ++ int inlen, extlen; ++ ++ inlen = strlen(in); ++ extlen = strlen(ext); ++ ++ if(extlen <= inlen) ++ { ++ in += inlen - extlen; ++ ++ if(!Q_stricmp(in, ext)) ++ return qtrue; ++ } ++ ++ return qfalse; ++} + + /* + ================== +diff --git a/engine/code/qcommon/q_shared.h 
b/engine/code/qcommon/q_shared.h +index e2f9f01..b2ee019 100644 +--- a/engine/code/qcommon/q_shared.h ++++ b/engine/code/qcommon/q_shared.h +@@ -623,6 +623,7 @@ float Com_Clamp( float min, float max, float value ); + char *COM_SkipPath( char *pathname ); + const char *COM_GetExtension( const char *name ); + void COM_StripExtension(const char *in, char *out, int destsize); ++qboolean COM_CompareExtension(const char *in, const char *ext); + void COM_DefaultExtension( char *path, int maxSize, const char *extension ); + + void COM_BeginParseSession( const char *name ); diff --git a/debian/patches/series b/debian/patches/series index 9a9f298..b23fbea 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ +0001-Fix-extension-name-comparison-for-DLL-files.patch 0001-OpenArena-branding-change-SDL-window-Quake-3-icon-to.patch 0002-Use-OpenArena-directory-names-in-HOME-on-Unix-Window.patch 0003-Replace-the-conditionalized-hard-coded-names-in-q_sh.patch
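Review bot: the bracketed backport note in the patch header says the written DLL "would be executed if vm_game = 0", while the quoted advisory's example uses vm_ui; both cvars select native-library loading, so neither is wrong, but naming the whole family (vm_game, vm_cgame, vm_ui) in that note would make the scope of the fix clearer to whoever reads the patch without the advisory.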
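Review bot: the rationale for the changed comparison in the files.c hunk is not recorded at the call site; since this backport revives a check that had been silently ineffective since r1499, a one-line comment above `if(COM_CompareExtension(filename, DLL_EXT))` stating how COM_GetExtension's return value differs from DLL_EXT would stop a later refactor from reintroducing the mismatch, and a manual check that FS_CheckFilenameIsNotExecutable now really raises Com_Error on a name ending in DLL_EXT, including an upper-case variant since Q_stricmp is case-insensitive, would confirm the backport on squeeze.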
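Review bot: in the q_shared.c hunk, `inlen` and `extlen` are declared `int` but assigned from strlen(), which returns size_t; declaring them `size_t` avoids a signed/unsigned warning and a sign flip on absurdly long names, and the existing `extlen <= inlen` guard before the pointer arithmetic should be kept either way. The function comment could also state that this is a bare suffix match, so `ext` is expected to carry its leading dot (as DLL_EXT does in ioquake3) and a name ending in, say, ".so.bak" is deliberately not rejected.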
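Review bot: the series hunk prepends the new file under the `0001-` prefix that the existing branding patch already uses, so two patches now share a number; more importantly, the name of `0003-Replace-the-conditionalized-hard-coded-names-in-q_sh.patch` suggests it also edits q_shared.*, so with the new patch first, 0003 now applies on top of it. Please confirm the series still applies cleanly in this order, and consider a distinct prefix (for example one carrying the CVE id) so the ordering stays readable for the next squeeze update.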
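As an added illustration, not code from this report or from ioquake3/OpenArena, the old and new checks side by side; it assumes, as in ioquake3's q_shared.c, that COM_GetExtension returns the extension without its leading dot while DLL_EXT carries the dot, which is the mismatch I understand r2098 to correct. The helper names (`q_stricmp`, `reject_old`, `reject_new`) and the sample filenames are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DLL_EXT ".so"   /* Linux value; ".dll" on Windows, ".dylib" on Mac (assumption) */

/* Case-insensitive compare standing in for the engine's Q_stricmp. */
static int q_stricmp(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++;
        b++;
    }
    return tolower((unsigned char)*a) - tolower((unsigned char)*b);
}

/* Extension after the last '.', WITHOUT the dot (assumed to mirror COM_GetExtension). */
static const char *com_get_extension(const char *name)
{
    const char *dot = strrchr(name, '.'), *slash = strrchr(name, '/');
    if (dot && (!slash || slash < dot))
        return dot + 1;
    return "";
}

/* Pre-r2098 check: "so" is compared against ".so", so it can never match.
 * Returns 1 when the filename would be rejected, 0 when it is let through. */
int reject_old(const char *filename)
{
    return !q_stricmp(com_get_extension(filename), DLL_EXT);
}

/* r2098 check: case-insensitive suffix comparison over the whole filename. */
static int com_compare_extension(const char *in, const char *ext)
{
    size_t inlen = strlen(in), extlen = strlen(ext);
    return extlen <= inlen && !q_stricmp(in + inlen - extlen, ext);
}

int reject_new(const char *filename)
{
    return com_compare_extension(filename, DLL_EXT);
}

int main(void)
{
    /* Constructed sample names: a library, its upper-case twin, a QVM, a near miss. */
    const char *names[] = { "baseoa/uix86_64.so", "baseoa/UIX86_64.SO",
                            "baseoa/qagame.qvm", "baseoa/notes.so.txt" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-22s old:%d new:%d\n", names[i], reject_old(names[i]), reject_new(names[i]));
    return 0;
}
```

The old check lets every name through, which is why the r1499 check was ineffective; the new one rejects the library names only, leaving QVM files and names that merely contain the extension untouched.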

