Luigi Auriemma has reported a vulnerability in Doom 3, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially to compromise a vulnerable system.
The vulnerability is caused due to a format string error in the Doom 3 engine when displaying certain PunkBuster packets in the game console. This can be exploited via specially crafted "PB_Y" or "PB_U" packets sent to the server.
Successful exploitation may allow execution of arbitrary code but requires that PunkBuster is active on the server.
Host games only in a trusted network environment.
Vulnerable games are games-fps/doom3* and games-fps/quake4*.
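The bug class behind this advisory is untrusted packet text reaching a printf-style function as its format string. The following is an added C example, not Doom 3 engine or PunkBuster code: it shows the hardened console print (packet text passed as an argument, never as the format) and a '%'-filtering step of the kind the PunkBuster update applied, using constructed packet strings and a constructed "[PB] " prefix.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hardened console print: packet text is always an argument to a fixed
 * format string, so "%n" or "%x" inside it is printed literally.
 * Returns the length snprintf would have written. The "[PB] " prefix is
 * a constructed label, not the engine's real console output. */
int console_print_pb(char *out, size_t outsz, const char *packet_text)
{
    /* The vulnerable pattern this replaces is
     *     snprintf(out, outsz, packet_text);
     * where a crafted packet controls the format string. */
    return snprintf(out, outsz, "[PB] %s", packet_text);
}

/* Mitigation at the data source, in the spirit of the PunkBuster update
 * described in the advisory: strip every '%' before the text can reach a
 * format-taking function. Copies src to dst, returns the number of '%'
 * characters removed, or -1 if dst is too small for the result. */
int filter_percent(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    int removed = 0;
    if (dstsz == 0)
        return -1;
    for (; *src; ++src) {
        if (*src == '%') { ++removed; continue; }
        if (n + 1 >= dstsz)
            return -1;
        dst[n++] = *src;
    }
    dst[n] = '\0';
    return removed;
}

/* Detection helper: flag payloads that carry any format directive so a
 * server log or test harness can see them before they are displayed. */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}
```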
"Successful exploitation may allow execution of arbitrary code but requires that PunkBuster is active on the server."
I'm not sure whether this should be B1 or C1.
Games, please advise.
(In reply to comment #1)
> "Successful exploitation may allow execution of arbitrary code but requires
> that PunkBuster is active on the server."
> I'm not sure whether this should be B1 or C1.
AFAICT, disabled by default, but most servers use it, particularly public servers. I recommend B1.
Well... kinda old bug.
This was masked in the meantime (please leave a comment on bugs if you do so):
# Chris Gianelloni <firstname.lastname@example.org> (3 Mar 2008)
# Masking due to security bug #204067
# If you only play on Punkbuster enabled servers, this is safe to unmask.
So it seems we should have issued a maskglsa for this one, do we still want that?
OK, I updated package.mask to reflect this bug and removed the Punkbuster note, since this bug requires Punkbuster be off, while 204067 requires that it be enabled.
The packages are masked, and there is no fix yet, so switching to "enhancement" severity. Please comment on this bug if you have relevant news.
As written in the original advisory at http://aluigi.altervista.org/adv/d3engfspb-adv.txt:
UPDATE 4 Oct 2007
Punkbuster has released a new version of the anti-cheat which filters
the % char passed to the vulnerable function used in the Doom 3 engine
for visualizing the strings in the console.
This prevents the exploitation of the bug via Punkbuster.
So the bug in the Doom 3 engine is no longer exploitable. As PunkBuster updates itself automatically (see http://www.evenbalance.com/publications/q4-pl/index.htm#updating), I see no reason to keep these games masked.
*** Bug 204067 has been marked as a duplicate of this bug. ***
Maybe it's time to unmask Doom3 and Quake4?