tremulous-server: CVE-2006-2082 arbitrary file download from server

Debian Bug report logs - #660831


Package: tremulous-server; Maintainer for tremulous-server is (unknown);

Reported by: Simon McVittie <smcv@debian.org>

Date: Wed, 22 Feb 2012 08:58:28 UTC

Severity: grave

Tags: security

Found in version tremulous/1.1.0-4.1

Fixed in versions 1.1.0-7, tremulous/1.1.0-7~squeeze1

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#660831; Package tremulous-server. (Wed, 22 Feb 2012 08:58:31 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Wed, 22 Feb 2012 08:58:37 GMT)


Message #5 received at submit@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tremulous-server: CVE-2006-2082 arbitrary file download from server
Date: Wed, 22 Feb 2012 08:49:58 +0000
Package: tremulous-server
Version: 1.1.0-4.1
Severity: grave
Tags: security
Justification: user security hole

CVE-2006-2082 is a directory traversal vulnerability in the Quake 3 engine.
When the sv_allowDownload cvar is enabled, players can download .pk3 files
required by the server; due to missing checks, remote attackers can use this
feature to read arbitrary files from the server via ".." sequences in a
download request.

Tremulous is based on a fork of that engine, and version 1.1.0 as shipped
in Debian has the same vulnerability.

The files are read with the privileges of the server, typically the
"tremulous-server" uid. This bug also affects "listen servers" (those where
a player hosts the server and plays the game in the same process), started
via the GUI of the tremulous package; in this case, files are read with
the privileges of the user.

The de facto upstream for the Quake 3 engine is ioquake3, in which this
vulnerability was fixed in r777. Debian's ioquake3 package is not vulnerable.
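One way a server can validate a pk3 download request before opening any file, shown here as an added example in C that is not code from tremulous or ioquake3; the `<moddir>/<name>.pk3` request form and the function name `sv_download_path_ok` are assumptions:

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_DL_PATH 64

/* True if the name ends in ".pk3" (case-insensitive) and has a stem. */
static bool has_pk3_ext(const char *s, size_t n)
{
    static const char ext[] = ".pk3";
    if (n <= 4) return false;
    for (int i = 0; i < 4; i++)
        if (tolower((unsigned char)s[n - 4 + i]) != ext[i]) return false;
    return true;
}

/* Accept only "<moddir>/<name>.pk3": no absolute paths, drive letters,
 * control bytes, empty components, or "." / ".." components (the
 * traversal described in CVE-2006-2082). Backslashes count as separators. */
bool sv_download_path_ok(const char *req)
{
    char path[MAX_DL_PATH];
    size_t n = req ? strlen(req) : 0;
    if (n == 0 || n >= sizeof path) return false;
    for (size_t i = 0; i <= n; i++)          /* copies the NUL too */
        path[i] = (req[i] == '\\') ? '/' : req[i];
    if (path[0] == '/' || strchr(path, ':')) return false;
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)path[i] < 0x20 || path[i] == 0x7f) return false;
    int slashes = 0;
    const char *comp = path;
    for (size_t i = 0; i <= n; i++) {
        if (path[i] != '/' && path[i] != '\0') continue;
        size_t len = (size_t)(&path[i] - comp);
        if (len == 0) return false;           /* "//" or trailing "/" */
        if (len <= 2 && comp[0] == '.' && (len == 1 || comp[1] == '.'))
            return false;
        if (path[i] == '/') slashes++;
        comp = &path[i] + 1;
    }
    return slashes == 1 && has_pk3_ext(path, n);
}

int main(void)
{
    /* Constructed requests: one legitimate pk3 name, one traversal attempt. */
    printf("%d\n", sv_download_path_ok("base/data-1.1.0.pk3"));   /* 1 */
    printf("%d\n", sv_download_path_ok("base/../../etc/passwd")); /* 0 */
    return 0;
}
```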




Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Wed, 22 Feb 2012 11:05:18 GMT)


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Wed, 22 Feb 2012 11:05:27 GMT)


Message #10 received at 660831-done@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 660831-done@bugs.debian.org, 660827-done@bugs.debian.org, 660830-done@bugs.debian.org, 660832-done@bugs.debian.org, 660834-done@bugs.debian.org, 660836-done@bugs.debian.org
Subject: Re: Bug#660827: tremulous: CVE-2006-2236 ("the remapShader exploit") can lead to arbitrary code execution
Date: Wed, 22 Feb 2012 10:31:07 +0000
Version: 1.1.0-7

tremulous (1.1.0-6) unstable; urgency=medium

  * Backport patches from ioquake3 to fix long-standing security bugs:
    - CVE-2006-2082: arbitrary file download from server by a malicious
      client (Closes: #660831)
    - CVE-2006-2236 ("the remapShader exploit"): missing bounds-checking on
      COM_StripExtension, exploitable in clients of a malicious server
      (Closes: #660827)
    - CVE-2006-2875 ("q3cbof"): buffer overflow in CL_ParseDownload by a
      malicious server (Closes: #660830)
    - CVE-2006-3324: arbitrary file overwriting in clients of a malicious
      server (Closes: #660832)
    - CVE-2006-3325: arbitrary cvar overwriting (could lead to arbitrary
      code execution) in clients of a malicious server (Closes: #660834)
    - CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary
      code execution) in clients of a malicious server if auto-downloading
      is enabled (Closes: #660836)
  * As a precaution, disable auto-downloading
  * Backport ioquake3 r1141 to fix a potential buffer overflow in error
    handling (not known to be exploitable, but it can't hurt)
  * Add gcc attributes to all printf- and scanf-like functions, and
    fix non-literal format strings (again, none are known to be exploitable)

 -- Simon McVittie <smcv@debian.org>  Wed, 22 Feb 2012 09:07:37 +0000




Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Mon, 26 Mar 2012 18:36:10 GMT)


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Mon, 26 Mar 2012 18:36:10 GMT)


Message #15 received at 660831-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 660831-close@bugs.debian.org
Subject: Bug#660831: fixed in tremulous 1.1.0-7~squeeze1
Date: Mon, 26 Mar 2012 18:33:04 +0000
Source: tremulous
Source-Version: 1.1.0-7~squeeze1

We believe that the bug you reported is fixed in the latest version of
tremulous, which is due to be installed in the Debian FTP archive:

tremulous-doc_1.1.0-7~squeeze1_all.deb
  to contrib/t/tremulous/tremulous-doc_1.1.0-7~squeeze1_all.deb
tremulous-server_1.1.0-7~squeeze1_i386.deb
  to contrib/t/tremulous/tremulous-server_1.1.0-7~squeeze1_i386.deb
tremulous_1.1.0-7~squeeze1.debian.tar.gz
  to contrib/t/tremulous/tremulous_1.1.0-7~squeeze1.debian.tar.gz
tremulous_1.1.0-7~squeeze1.dsc
  to contrib/t/tremulous/tremulous_1.1.0-7~squeeze1.dsc
tremulous_1.1.0-7~squeeze1_i386.deb
  to contrib/t/tremulous/tremulous_1.1.0-7~squeeze1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 660831@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated tremulous package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 25 Mar 2012 13:53:09 +0100
Source: tremulous
Binary: tremulous tremulous-server tremulous-doc
Architecture: source i386 all
Version: 1.1.0-7~squeeze1
Distribution: stable
Urgency: medium
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description: 
 tremulous  - Aliens vs Humans, team based FPS game with elements of an RTS
 tremulous-doc - Tremulous documentation
 tremulous-server - Tremulous server
Closes: 660827 660830 660831 660832 660834 660836
Changes: 
 tremulous (1.1.0-7~squeeze1) stable; urgency=low
 .
   * Stable update (#663104), incorporating security fixes from unstable
   * Fix an incorrect bug number in revision -6
 .
 tremulous (1.1.0-7) unstable; urgency=medium
 .
   * Add a lintian override for embedded-library libjpeg (#589407) to avoid
     auto-rejection. It is a valid bug, but is not a regression, and fixing
     several long-standing security vulnerabilities seems more important
     than getting rid of an embedded library that is not known to be
     exploitable.
 .
 tremulous (1.1.0-6) unstable; urgency=medium
 .
   * Backport patches from ioquake3 to fix long-standing security bugs:
     - CVE-2006-2082: arbitrary file download from server by a malicious client
       (Closes: #660831)
     - CVE-2006-2236 ("the remapShader exploit"): missing bounds-checking on
       COM_StripExtension, exploitable in clients of a malicious server
       (Closes: #660827)
     - CVE-2006-2875 ("q3cbof"): buffer overflow in CL_ParseDownload by a
       malicious server (Closes: #660830)
     - CVE-2006-3324: arbitrary file overwriting in clients of a malicious
       server (Closes: #660832)
     - CVE-2006-3325: arbitrary cvar overwriting (could lead to arbitrary
       code execution) in clients of a malicious server (Closes: #660834)
     - CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary
       code execution) in clients of a malicious server if auto-downloading
       is enabled (Closes: #660836)
   * As a precaution, disable auto-downloading
   * Backport ioquake3 r1141 to fix a potential buffer overflow in error
     handling (not known to be exploitable, but it can't hurt)
   * Add gcc attributes to all printf- and scanf-like functions, and
     fix non-literal format strings (again, none are known to be exploitable)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 May 2012 07:38:39 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:03:56 2019; Machine Name: buxtehude
