The function which visualizes the strings on the game's console is
vulnerable to a format string vulnerability, something similar to
snprintf(buff, 1024, string);
Usually this is not a problem since the engine uses some functions and
tricks to avoid the visualization of the % char like dropping it or
inserting a space between it and the subsequent char.
But there is a way for bypassing this limitation with also the better
advantages of doing it anonymously and with only one single spoofable
UDP packet: Punkbuster.
*All and everything using these engines is affected, a workaround is to use an up to date Punkbuster version. What to do about the issue? Contacting id3? Does a post install warning suffice or should the relevant packages be masked?
See also the advisory for America's Army and America's Army Special Forces:
games please advise.
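The snprintf pattern quoted above, the engine-side "%" trick the advisory mentions, and the fix at the sink, as an added C example that is not code from the advisory or from the engines (the function names and BUFF_SIZE are hypothetical; the engines' real routines are not on this page):

```c
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 1024

/* The pattern the advisory describes is snprintf(buff, 1024, string):
 * the player-supplied string is passed as the FORMAT argument, so any
 * %-directive inside it is interpreted by snprintf. */

/* One of the engine-side tricks the advisory mentions: a space is inserted
 * after every '%' before the text reaches the sink. This only protects the
 * paths that actually call it; a path that skips it (the Punkbuster path
 * the advisory describes) reaches the sink unprotected.
 * Returns the number of bytes written, excluding the terminating NUL. */
static size_t sanitize_percent(char *out, size_t out_size, const char *in)
{
    size_t n = 0;
    for (; *in != '\0' && n + 1 < out_size; in++) {
        out[n++] = *in;
        if (*in == '%' && n + 1 < out_size)
            out[n++] = ' ';
    }
    out[n] = '\0';
    return n;
}

/* The fix at the sink: a constant format, the untrusted text as data.
 * The string is copied verbatim, '%' included, and no input path can
 * reintroduce the bug because the format is never under user control.
 * Returns what snprintf returns (length of the formatted text). */
static int draw_fixed(char *buff, const char *string)
{
    return snprintf(buff, BUFF_SIZE, "%s", string);
}

int main(void)
{
    char sanitized[64];
    char buff[BUFF_SIZE];

    /* constructed sample input containing format directives */
    sanitize_percent(sanitized, sizeof sanitized, "hi %n%s");
    printf("sanitized: %s\n", sanitized);   /* hi % n% s */

    draw_fixed(buff, "hi %n%s");
    printf("fixed sink: %s\n", buff);       /* hi %n%s, printed literally */
    return 0;
}
```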
I'll be checking for patches from upstream, but will likely be masking the affected packages.
I masked doom3-* and quake4-* for this bug. Since it is safe to use these packages if you enable Punkbuster, I'm not sure how you would rate this vulnerability.
(In reply to comment #3)
> I'll be checking for patches from upstream
Any news on this one? :)
Id typically doesn't do much with security bugs. They tend to only fix them when they're releasing a new patch, anyway, so it is very unlikely that they'll fix this, unless they have a new patch in the works. That being said, I see no reason not to report it to them, if it hasn't already been done.
I'm going to look into possibly forcing a Punkbuster update at install time. That, plus a revision bump, should resolve this bug.
Should the package:
not also be masked? Is this deliberate or an oversight?
(In reply to comment #4)
> I masked doom3-* and quake4-* for this bug. Since it is safe to use these
> packages if you enable Punkbuster, I'm not sure how you would rate this
Created attachment 199083 [details]
This python script downloads and stores the PunkBuster update files from their website and
it defaults to fetching the files for Quake4, however with the "-d" command line option it will
fetch an updated PunkBuster for Doom3.
Created attachment 199084 [details]
example for use of the PunkBuster updater
Is there any movement on this, or any chance of the packages becoming unmasked?
This is a duplicate of bug #194607. Report at http://secunia.com/advisories/27002/ which #194607 refers to, lists the link from this bug (http://aluigi.altervista.org/adv/d3engfspb-adv.txt) as the original advisory.
*** This bug has been marked as a duplicate of bug 194607 ***