Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 132377

Summary: games-fps/quake3-*: Quake 3 Engine "remapShader" Command Buffer Overflow
Product: Gentoo Security Reporter: Raphael Marichez (Falco) (RETIRED) <falco>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: games, l.mierzwa, polynomial-c
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/19984/
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-05 13:32:04 UTC 
http://secunia.com/advisories/19984/

Description:
landser has reported a vulnerability in Quake 3 Engine, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the handling of the "remapShader" command. This can be exploited to cause a buffer overflow via specially crafted "remapShader" commands sent to a client.

Successful exploitation may allow arbitrary code execution, but requires that the user is e.g. tricked into connecting to a malicious game server.

The vulnerability has been reported in the following software:
* ET 2.60.
* Return to Castle Wolfenstein 1.41.
* Quake III Arena 1.32b.

Other versions may also be affected.

Solution:
Do not connect to non-trusted game servers.

Provided and/or discovered by:
landser

Original Advisory:
http://www.milw0rm.com/exploits/1750
Comment 1 Carsten Lohrke (RETIRED) gentoo-dev 2006-05-06 05:36:46 UTC 
Affects also Enemy Territory according to heise.de.
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-06 05:49:49 UTC 
right

can we group games-fps/enemy-territory* and games-fps/quake3* into this unique bug ?
Comment 3 Chris Gianelloni (RETIRED) gentoo-dev 2006-05-07 07:24:56 UTC 
Well, since it looks like we won't be getting updated versions of these, I'm going to try to see if there's any unofficial patches which resovle this bug, then mask, if not.
Comment 4 Carsten Lohrke (RETIRED) gentoo-dev 2006-05-08 02:11:09 UTC 
http://thilo.kickchat.com/patches/quake3-1.32b-remapshader-fix.diff
Comment 5 Chris Gianelloni (RETIRED) gentoo-dev 2006-05-08 13:40:24 UTC 
http://www.bluesnews.com/plans/476/

Even better... id Software has released new versions of all of these binaries.  I'll be creating some new ebuilds this evening for them all.
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-08 13:50:53 UTC 
Thanks Chris
Comment 7 Chris Gianelloni (RETIRED) gentoo-dev 2006-05-09 06:33:53 UTC 
*** Bug 132781 has been marked as a duplicate of this bug. ***
Comment 8 Chris Gianelloni (RETIRED) gentoo-dev 2006-05-09 07:24:29 UTC 
These are all in the tree now:

enemy-territory 2.60b
quake3-bin 1.32c
rtcw 1.41b

They are already tested and marked stable on x86 and amd64.  The older versions have been masked, and will probably stay that way for a few days.  Everything should be ready for a GLSA now.  =]
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2006-05-09 09:37:19 UTC 
Yep, thx
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-09 22:39:26 UTC 
GLSA-200605-12 , thanks jaervosz