
Bug 222119

Summary: games-fps/tremulous < 1.1.0-r2 Q3 Engine "remapShader" Command Buffer Overflow
Product: Gentoo Security
Reporter: Víctor Ostorga (RETIRED) <vostorga>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: caluml, games, jaak, johnmon2, next_ghost, peter, zl29ah
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://tremulous.net/
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Attachments (description, flags):
ebuild of tremulous 1.1.0-r5 with 64 bit support (flags: none)
Don't compile game libraries because they're not used (flags: none)
Now with debugging support. (flags: none)

Description Víctor Ostorga (RETIRED) gentoo-dev 2008-05-14 18:06:31 UTC
I found this ebuild on http://www.trem-servers.com/ which adds support for 64 bit machines.
I have been testing it and have no complaints about it.

The original link to the ebuild is http://dl.trem-servers.com/tremulous-1.1.0-r5.ebuild
Comment 1 Víctor Ostorga (RETIRED) gentoo-dev 2008-05-14 18:08:19 UTC
Created attachment 153143 [details]
ebuild of tremulous 1.1.0-r5 with 64 bit support
Comment 2 Martin Doucha 2008-07-05 10:42:35 UTC
*** Bug 147302 has been marked as a duplicate of this bug. ***
Comment 3 Martin Doucha 2008-07-05 12:48:51 UTC
Created attachment 159624 [details]
Don't compile game libraries because they're not used

Current Tremulous version in Portage has several security issues - bug 132377 (remapShader command buffer overflow) and multiple server DoS weaknesses. This update fixes all of them and adds some new features (fast downloads using libcurl, new server and client side game features etc.).

This updated ebuild disables compilation of game QVM libraries because they're not used. Most servers require use of precompiled QVM libraries which are included in the source zip file.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-07-06 21:36:13 UTC
Martin, thank you for the comment. Can you base your statement about security on an advisory, upstream changelog or code analysis?
Comment 5 Martin Doucha 2008-07-07 09:47:46 UTC
Yes, remapShader vulnerability has been fixed in ioQuake3 engine on revision 765 (http://svn.icculus.org/quake3?view=rev&revision=765). The fix has been merged to Tremulous on revision 778 (http://svn.icculus.org/tremulous?view=rev&revision=778). Current Tremulous version in Gentoo is based on revision 755 with no feature/bug patches which means it's still affected. For further detail, compare src/renderer/tr_shader.c from Tremulous source package on Gentoo mirrors with tr_shader.c from SVN revisions 755 and 778.
Comment 6 Jaak Ristioja 2008-07-12 11:51:58 UTC
Any chance of the most recent ebuild getting into portage and obsoleting the vulnerable ones? Thanks.
Comment 7 Christian Hoffmann (RETIRED) gentoo-dev 2008-07-12 12:36:31 UTC
Re-assigning to security as this should probably be handled like another vulnerability.
Comment 8 Jaak Ristioja 2008-07-12 20:34:29 UTC
Created attachment 160215 [details]
Now with debugging support.

Added USE=debug support.
Comment 9 Tomas Hoger 2008-07-15 16:47:43 UTC
remapShader issue seems to be CVE-2006-2236.  So other quake3 CVEs may apply as well, see also: https://bugzilla.redhat.com/show_bug.cgi?id=455458
Comment 10 Martin Doucha 2008-07-15 18:35:15 UTC
(In reply to comment #9)
> remapShader issue seems to be CVE-2006-2236.  So other quake3 CVEs may apply as
> well, see also: https://bugzilla.redhat.com/show_bug.cgi?id=455458
> 

The updated ebuild is based on Tremulous SVN revision 971 which is based on ioQuake3 SVN revision 1133. CVEs listed in the link above are all fixed in this revision.
Comment 11 Martin Doucha 2008-08-02 11:11:50 UTC
Hello?! Are you going to fix it already or are you going to leave the security hole open for another 2 years?
Comment 12 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-17 19:07:09 UTC
As there is no new release and we have to rely on patching, this mainly means that we have to get rid of games-fps/tremulous-bin (which has no stable versions anyway).
Trying to get some action into this...
Comment 13 Mr. Bones. (RETIRED) gentoo-dev 2008-08-17 19:33:25 UTC
I masked both packages until it's fixed in portage.
Comment 14 Martin Doucha 2008-08-17 19:57:44 UTC
I think tremulous-bin was around for amd64 users because tremulous-1.1.0 compiled on amd64 was incredibly slow (QVM bytecode compiler was not available at the time so the QVM code was interpreted instead). This ebuild has full support for amd64 so tremulous-bin is not needed anymore.
Comment 15 Le retraité 2008-08-19 20:44:18 UTC
The ebuild from trem-servers also includes the 971 patch (and so fixes the security issue, right?), maybe it should be pushed in portage, shouldn't it?
Comment 16 Le retraité 2008-08-20 07:40:40 UTC
@Mr Bones
You have globally masked tremulous and tremulous-bin, maybe you should just mask >=tremulous-1.1.0-r1 and >=tremulous-bin-1.1.0, so people who want to have a fixed version (like tremulous-1.1.0-r5 here) in their local portage overlay won't have to unmask it.
Comment 17 Tristan Heaven (RETIRED) gentoo-dev 2008-09-07 14:40:45 UTC
Patches are in 1.1.0-r2
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-09-08 14:38:00 UTC
Arches, please test and mark stable:
=games-fps/tremulous-1.1.0-r2
Target keywords : "amd64 ppc x86"
Comment 19 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-08 20:29:10 UTC
amd64 stable
Comment 20 Christian Hoffmann (RETIRED) gentoo-dev 2008-09-16 15:07:59 UTC
What about -bin, is comment #14 right? In that case it could be punted from the tree, I think.
Comment 21 Tobias Scherbaum (RETIRED) gentoo-dev 2008-09-16 17:48:40 UTC
ppc stable
Comment 22 Mr. Bones. (RETIRED) gentoo-dev 2008-09-16 19:57:13 UTC
tremulous-bin is gone.
Comment 23 Markus Meier gentoo-dev 2008-09-17 20:21:50 UTC
x86 stable, all arches done
Comment 24 Christian Hoffmann (RETIRED) gentoo-dev 2008-09-17 20:24:29 UTC
If we agree on B1, then this needs a GLSA, including a notice about -bin removal.
Comment 25 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-13 16:43:58 UTC
GLSA request filed by keytoaster.
Comment 26 Róbert Čerňanský 2008-10-25 18:31:03 UTC
All versions of games-fps/tremulous are still masked. Shouldn't the 1.1.0-r2 be unmasked already?
Comment 27 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-11 18:53:15 UTC
GLSA 200901-06