Bug 606698

Summary:	<games-fps/worldofpadman-1.6-r1: Multiple vulnerabilities through embedded ioquake3 engine (CVE-2011-{1412,2764,3012},CVE-2012-3345)
Product:	Gentoo Security	Reporter:	Thomas Deutschmann (RETIRED) <whissi>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	games
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	~2 [noglsa]
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	376589

Description Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-21 13:25:46 UTC

It is suspected that this package is vulnerable to multiple vulnerabilities (including a remote code execution vulnerability) due to embedded ioquake3 engine. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected.

Please see the information contained in the tracker bug 376589 for further details.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-21 13:45:35 UTC

Bug 420783 (CVE-2012-3345) was added to the same tracker.

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2019-03-23 20:42:23 UTC

Validating the source code shows that the embedded Quake3 engine is carrying the latest patches from SVN trunks 2097 and 2098.  The relevant code is seen in the TRACKER bug for each CVE reported.

http://svn.icculus.org/quake3/trunk/code/qcommon/files.c?r1=2098&r2=2097&pathrev=2098

http://svn.icculus.org/quake3/trunk/code/sys/sys_unix.c?r1=2097&r2=2096&pathrev=2097

Given the ancient history here, I am showing <1.6-r1 as vulnerable which indicates the latest ebuild in tree is safe from these CVE's.