Summary: | games-fps/{quake3,openarena,tremulous}: symlink attack (CVE-2012-3345) | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Simon McVittie <smcv> | ||||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | minor | CC: | games | ||||||
Priority: | Normal | ||||||||
Version: | unspecified | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
URL: | http://ioquake3.org/2012/06/14/cve-2012-3345-symlink-attack-in-ioquake3-r1773/ | ||||||||
Whiteboard: | B3 [ebuild] | ||||||||
Package list: | Runtime testing required: | --- | |||||||
Bug Depends on: | |||||||||
Bug Blocks: | 376589 | ||||||||
Attachments: |
|
Description
Simon McVittie
2012-06-12 08:42:23 UTC
Created attachment 315077 [details, diff] [PATCH 1/2] CVE-2012-3345: write ioq3.pid to home path, not temp directory On a multi-user system, an attacker could create a symbolic link /tmp/ioq3.pid pointing to any file owned by a user who plays an ioquake3-based game. When the victim runs ioquake3, the target file will be overwritten and replaced with the process ID of ioquake3. To avoid this, write the pid to the home path (e.g. ~/.q3a on Unix). Signed-off-by: Simon McVittie <smcv@debian.org> Created attachment 315079 [details, diff] [PATCH 2/2] CVE-2012-3345: remove Sys_TempPath() altogether, to avoid misuse Writing to a predictable filename in /tmp is not safe. Signed-off-by: Simon McVittie <smcv@debian.org> --- This patch is not strictly necessary: it is a precaution against undiscovered symlink attacks in versions other than the one inspected. (In reply to comment #0) > release date (tentatively Friday, 18:00 UTC) Release date confirmed by the ioquake3 maintainers. (In reply to comment #3) > Release date confirmed by the ioquake3 maintainers. ... who then announced it a day early by mistake, so please un-embargo this now. Advisory: http://ioquake3.org/2012/06/14/cve-2012-3345-symlink-attack-in-ioquake3-r1773/ Patches: http://ioquake3.org/files/CVE-2012-3345/ or svn r2253 Thank you for the report, Simon. Opening this bug up since it is now public. CVE-2012-3345 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3345): ioquake3 before r2253 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/ioq3.pid temporary file. quake3 is at 1.36 which should be unaffected the rest of them need a patch afais The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9e2a01c4881b67200d0a43ab7d6f147d6e5ac2aa commit 9e2a01c4881b67200d0a43ab7d6f147d6e5ac2aa Author: Aaron Bauman <bman@gentoo.org> AuthorDate: 2019-12-08 21:29:54 +0000 Commit: Aaron Bauman <bman@gentoo.org> CommitDate: 2019-12-08 21:29:54 +0000 games-fps/quake3*: drop vulnerable pkgs Closes: https://bugs.gentoo.org/420783 Closes: https://bugs.gentoo.org/606696 Closes: https://bugs.gentoo.org/627236 Signed-off-by: Aaron Bauman <bman@gentoo.org> games-fps/openarena/Manifest | 2 - .../openarena/files/openarena-0.8.8-makefile.patch | 36 ----- .../files/openarena-0.8.8-unbundling.patch | 104 ------------- games-fps/openarena/metadata.xml | 14 -- games-fps/openarena/openarena-0.8.8-r1.ebuild | 85 ----------- games-fps/quake3-alliance/Manifest | 2 - games-fps/quake3-alliance/metadata.xml | 8 - .../quake3-alliance/quake3-alliance-3.3-r1.ebuild | 23 --- games-fps/quake3-alternatefire/Manifest | 1 - games-fps/quake3-alternatefire/files/server.cfg | 109 -------------- games-fps/quake3-alternatefire/metadata.xml | 8 - .../quake3-alternatefire-2.0-r1.ebuild | 17 --- games-fps/quake3-bfp/Manifest | 1 - games-fps/quake3-bfp/metadata.xml | 8 - games-fps/quake3-bfp/quake3-bfp-1.2-r1.ebuild | 17 --- games-fps/quake3-bin/Manifest | 2 - games-fps/quake3-bin/files/q3ded.conf.d | 5 - games-fps/quake3-bin/files/q3ded.rc | 34 ----- games-fps/quake3-bin/metadata.xml | 24 --- games-fps/quake3-bin/quake3-bin-1.32c-r2.ebuild | 105 ------------- games-fps/quake3-cpma/Manifest | 2 - games-fps/quake3-cpma/files/server.cfg | 146 ------------------ games-fps/quake3-cpma/metadata.xml | 37 ----- games-fps/quake3-cpma/quake3-cpma-1.48.ebuild | 26 ---- games-fps/quake3-data/Manifest | 1 - games-fps/quake3-data/metadata.xml | 8 - games-fps/quake3-data/quake3-data-1.32b.ebuild | 54 ------- games-fps/quake3-defrag/Manifest | 13 -- games-fps/quake3-defrag/metadata.xml | 8 - .../quake3-defrag/quake3-defrag-1.91.21.ebuild | 44 ------ games-fps/quake3-demo/Manifest | 1 - games-fps/quake3-demo/metadata.xml | 11 -- games-fps/quake3-demo/quake3-demo-1.11-r1.ebuild | 62 -------- games-fps/quake3-excessiveplus/Manifest | 1 - games-fps/quake3-excessiveplus/metadata.xml | 20 --- .../quake3-excessiveplus-2.3.ebuild | 22 --- games-fps/quake3-lrctf/Manifest | 1 - games-fps/quake3-lrctf/metadata.xml | 8 - games-fps/quake3-lrctf/quake3-lrctf-1.1.ebuild | 16 -- games-fps/quake3-matrix/Manifest | 1 - games-fps/quake3-matrix/metadata.xml | 8 - .../quake3-matrix/quake3-matrix-2.4_beta-r1.ebuild | 22 --- games-fps/quake3-nsco/Manifest | 2 - games-fps/quake3-nsco/files/server.cfg | 97 ------------ games-fps/quake3-nsco/metadata.xml | 29 ---- games-fps/quake3-nsco/quake3-nsco-1.93-r1.ebuild | 22 --- games-fps/quake3-osp/Manifest | 1 - games-fps/quake3-osp/files/server.cfg | 165 --------------------- games-fps/quake3-osp/metadata.xml | 8 - games-fps/quake3-osp/quake3-osp-1.03a-r1.ebuild | 22 --- games-fps/quake3-ra3/Manifest | 1 - games-fps/quake3-ra3/metadata.xml | 8 - games-fps/quake3-ra3/quake3-ra3-1.76-r1.ebuild | 18 --- games-fps/quake3-reaction/Manifest | 2 - games-fps/quake3-reaction/metadata.xml | 8 - .../quake3-reaction/quake3-reaction-3.2.ebuild | 20 --- games-fps/quake3-ruinhunters/Manifest | 2 - games-fps/quake3-ruinhunters/metadata.xml | 8 - .../quake3-ruinhunters-1.0a-r1.ebuild | 22 --- games-fps/quake3-teamarena/Manifest | 1 - games-fps/quake3-teamarena/metadata.xml | 8 - .../quake3-teamarena/quake3-teamarena-1.32b.ebuild | 55 ------- games-fps/quake3-threewave/Manifest | 2 - games-fps/quake3-threewave/metadata.xml | 8 - .../quake3-threewave-1.7-r1.ebuild | 21 --- games-fps/quake3/Manifest | 1 - games-fps/quake3/files/quake3-1.36-bots.patch | 20 --- games-fps/quake3/metadata.xml | 26 ---- games-fps/quake3/quake3-1.36-r1.ebuild | 122 --------------- games-fps/quake3/quake3-9999.ebuild | 137 ----------------- 70 files changed, 1953 deletions(-) |