Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 194607 - games-fps/{doom3,quake4}* Engine Format String Vulnerability (CVE-2007-5248)
Summary: games-fps/{doom3,quake4}* Engine Format String Vulnerability (CVE-2007-5248)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major with 3 votes (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27002/
Whiteboard: B1 [noglsa]
Keywords:
: 204067 (view as bug list)
Depends on:
Blocks:
 
Reported: 2007-10-03 13:45 UTC by Tobias Heinlein (RETIRED)
Modified: 2017-07-05 15:02 UTC (History)
7 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Heinlein (RETIRED) gentoo-dev 2007-10-03 13:45:05 UTC
Luigi Auriemma has reported a vulnerability in Doom 3, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially to compromise a vulnerable system.

The vulnerability is caused due to a format string error in the Doom 3 engine when displaying certain PunkBuster packets in the game console. This can be exploited via specially crafted "PB_Y" or "PB_U" packets sent to the server.

Successful exploitation may allow execution of arbitrary code but requires that PunkBuster is active on the server.

Solution:
Host games only in a trusted network environment.


Vulnerable games are games-fps/doom3* and games-fps/quake4*.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2007-10-03 13:49:21 UTC
"Successful exploitation may allow execution of arbitrary code but requires that PunkBuster is active on the server."
I'm not sure whether this should be B1 or C1.

Games, please advise.
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-04 09:41:01 UTC
(In reply to comment #1)
> "Successful exploitation may allow execution of arbitrary code but requires
> that PunkBuster is active on the server."
> I'm not sure whether this should be B1 or C1.

AFAICT, disabled by default, but most servers use it, particularly public servers. I recommend B1.
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-10 19:52:40 UTC
well... kinda old bug

this was masked in the meantime (please leave a comment on bugs if you do so):

# Chris Gianelloni <wolf31o2@gentoo.org> (3 Mar 2008)
# Masking due to security bug #204067
# If you only play on Punkbuster enabled servers, this is safe to unmask.


So it seems we should have issued a maskglsa for this one, do we still want that?
Comment 4 Chris Gianelloni (RETIRED) gentoo-dev 2008-04-11 14:56:37 UTC
OK, I updated package.mask to reflect this bug and removed the Punkbuster note, since this bug requires Punkbuster be off, while 204067 requires that it be enabled.
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2009-01-11 17:22:59 UTC
the packages are masked, there is no fix yet, so switching to "enhancement" severity. Please comment on this bug if you have relevant news.
Comment 6 Róbert Čerňanský 2010-09-25 14:00:32 UTC
As written in original advisory at http://aluigi.altervista.org/adv/d3engfspb-adv.txt:

------------------------------
UPDATE 4 Oct 2007
Punkbuster has released a new version of the anti-cheat which filters
the % char passed to the vulnerable function used in the Doom 3 engine
for visualizing the strings in the console.
This prevents the exploitation of the bug via Punkbuster.
------------------------------

So bug in Doom 3 engine is no longer exploitable.  As the Punkbuster updates itself automatically (see http://www.evenbalance.com/publications/q4-pl/index.htm#updating) I see no reason to keep these games masked.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-07 22:23:11 UTC
*** Bug 204067 has been marked as a duplicate of this bug. ***
Comment 8 Adomas Jackevičius 2011-05-04 21:46:25 UTC
Maybe it's time to unmask Doom3 and Quake4?