Bug 204067 - games-fps/{doom3,quake4} * - remote exploitable format string vulnerability
Summary: games-fps/{doom3,quake4} * - remote exploitable format string vulnerability
Status: RESOLVED DUPLICATE of bug 194607
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Reported: 2008-01-02 15:33 UTC by Carsten Lohrke (RETIRED)
Modified: 2019-12-08 21:15 UTC
Attachments
PunkBuster updater (pbupdate.py,2.54 KB, text/plain)
2009-07-25 08:37 UTC, René Kjellerup
example for use of the PunkBuster updater (quake4-bin-1.3.2-r1.ebuild,3.17 KB, text/plain)
2009-07-25 08:42 UTC, René Kjellerup
Description Carsten Lohrke (RETIRED) gentoo-dev 2008-01-02 15:33:15 UTC
The function which visualizes the strings on the game's console is
vulnerable to a format string vulnerability, something similar to
snprintf(buff, 1024, string);
Usually this is not a problem since the engine uses some functions and
tricks to avoid the visualization of the % char like dropping it or
inserting a space between it and the subsequent char.

But there is a way for bypassing this limitation with also the better
advantages of doing it anonymously and with only one single spoofable
UDP packet: Punkbuster.

http://aluigi.altervista.org/adv/d3engfspb-adv.txt


*All and everything using these engines is affected; a workaround is to use an up-to-date Punkbuster version. What to do about the issue? Contacting id3? Does a post-install warning suffice or should the relevant packages be masked?
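Added example, not part of the original report or the advisory: a minimal C sketch of the snprintf pattern quoted above next to the hardened form, showing why filtering '%' on the input side only protects the paths that apply the filter, while a constant format string protects the sink itself. The function names and the sample string are hypothetical; only the 1024-byte buffer size comes from the report.

```c
#include <stdio.h>
#include <string.h>

#define CONSOLE_BUF 1024  /* size used in the report's snprintf call */

/* Compilers flag this pattern (-Wformat-security); silenced here on purpose. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
/* Pattern from the report: the message is parsed as the format string. */
static int console_print_unsafe(char *out, size_t n, const char *msg) {
    return snprintf(out, n, msg);
}
#pragma GCC diagnostic pop

/* Hardened sink: constant format, message passed as data only. */
static int console_print_safe(char *out, size_t n, const char *msg) {
    return snprintf(out, n, "%s", msg);
}

/* Input-side filter of the kind the report describes: drop every '%'.
   It only protects callers that remember to run it. */
static void strip_percent(char *s) {
    char *w = s;
    for (; *s; s++)
        if (*s != '%') *w++ = *s;
    *w = '\0';
}

/* Hypothetical filtered path (e.g. chat text) feeding the unsafe sink. */
static int filtered_path(char *out, size_t n, const char *in) {
    char tmp[CONSOLE_BUF];
    snprintf(tmp, sizeof tmp, "%s", in);
    strip_percent(tmp);
    return console_print_unsafe(out, n, tmp);
}

int main(void) {
    char out[CONSOLE_BUF];
    const char *sample = "50%% loaded";      /* constructed, harmless input */
    console_print_unsafe(out, sizeof out, sample);
    printf("unsafe sink  : %s\n", out);      /* directive was interpreted */
    console_print_safe(out, sizeof out, sample);
    printf("safe sink    : %s\n", out);      /* bytes unchanged */
    filtered_path(out, sizeof out, sample);
    printf("filtered path: %s\n", out);      /* '%' removed before the sink */
    return 0;
}
```

Building with -Wformat -Wformat-security (without the pragmas) reports the unsafe call at compile time, which is a cheap check for this class of bug in code you can rebuild.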
Comment 1 Carsten Lohrke (RETIRED) gentoo-dev 2008-01-02 15:35:49 UTC
See also the advisory for America's Army and America's Army Special Forces:

http://aluigi.altervista.org/adv/aaboompb-adv.txt
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-26 20:52:09 UTC
games please advise.
Comment 3 Chris Gianelloni (RETIRED) gentoo-dev 2008-02-27 16:03:05 UTC
I'll be checking for patches from upstream, but will likely be masking the affected packages.
Comment 4 Chris Gianelloni (RETIRED) gentoo-dev 2008-03-04 03:20:41 UTC
I masked doom3-* and quake4-* for this bug.  Since it is safe to use these packages if you enable Punkbuster, I'm not sure how you would rate this vulnerability.
Comment 5 Wolfram Schlich (RETIRED) gentoo-dev 2008-04-06 17:43:52 UTC
(In reply to comment #3)
> I'll be checking for patches from upstream

Any news on this one? :)
Comment 6 Chris Gianelloni (RETIRED) gentoo-dev 2008-04-11 15:01:41 UTC
Id typically doesn't do much with security bugs.  They tend to only fix them when they're releasing a new patch, anyway, so it is very unlikely that they'll fix this, unless they have a new patch in the works.  That being said, I see no reason not to report it to them, if it hasn't already been done.

I'm going to look into possibly forcing a Punkbuster update at install time.  That, plus a revision bump, should resolve this bug.
Comment 7 Richard 2008-10-03 11:51:18 UTC
Should the package:
games-fps/doom3
not also be masked? Is this deliberate or an oversight?

(In reply to comment #4)
> I masked doom3-* and quake4-* for this bug.  Since it is safe to use these
> packages if you enable Punkbuster, I'm not sure how you would rate this
> vulnerability.
> 

Comment 8 René Kjellerup 2009-07-25 08:37:32 UTC
Created attachment 199083
PunkBuster updater

This Python script downloads and stores the PunkBuster update files from their website and
it defaults to fetching the files for Quake4, however with the "-d" command line option it will
fetch an updated PunkBuster for Doom3.
Comment 9 René Kjellerup 2009-07-25 08:42:50 UTC
Created attachment 199084
example for use of the PunkBuster updater

example for use of the PunkBuster updater,
using games-fps/quake4-bin
Comment 10 Phil Rigby 2009-10-18 04:47:16 UTC
Is there any movement on this, or any chance of the packages becoming unmasked?
Comment 11 Róbert Čerňanský 2010-09-25 13:47:50 UTC
This is a duplicate of bug #194607.  Report at http://secunia.com/advisories/27002/ which #194607 refers to, lists the link from this bug (http://aluigi.altervista.org/adv/d3engfspb-adv.txt) as the original advisory.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-07 22:23:11 UTC
Thanks!

*** This bug has been marked as a duplicate of bug 194607 ***
Comment 13 Larry the Git Cow gentoo-dev 2019-12-08 21:15:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=70055e22603149c4a2efd497d0d9bb3d37d0f107

commit 70055e22603149c4a2efd497d0d9bb3d37d0f107
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-12-08 21:10:50 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-12-08 21:10:50 +0000

    games-fps/*: remove last-rited pkgs
    
    Bug: https://bugs.gentoo.org/194607
    Bug: https://bugs.gentoo.org/204067
    
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 games-fps/doom3-cdoom/Manifest                     |   1 -
 games-fps/doom3-cdoom/doom3-cdoom-1.3.1.ebuild     |  30 -----
 games-fps/doom3-cdoom/metadata.xml                 |   8 --
 games-fps/doom3-chextrek/Manifest                  |   1 -
 .../doom3-chextrek/doom3-chextrek-0.52.ebuild      |  36 ------
 games-fps/doom3-chextrek/metadata.xml              |   8 --
 games-fps/doom3-data/doom3-data-1.1.1282-r1.ebuild |  46 -------
 games-fps/doom3-data/metadata.xml                  |  14 ---
 games-fps/doom3-demo/Manifest                      |   2 -
 games-fps/doom3-demo/doom3-demo-1.1.1286-r1.ebuild |  60 ----------
 games-fps/doom3-demo/metadata.xml                  |   8 --
 games-fps/doom3-ducttape/Manifest                  |   1 -
 .../doom3-ducttape/doom3-ducttape-0007.ebuild      |  35 ------
 games-fps/doom3-ducttape/metadata.xml              |   8 --
 games-fps/doom3-eventhorizon/Manifest              |   1 -
 .../doom3-eventhorizon-1.3.ebuild                  |  30 -----
 games-fps/doom3-eventhorizon/metadata.xml          |   8 --
 games-fps/doom3-hellcampaign/Manifest              |   2 -
 .../doom3-hellcampaign-1-r1.ebuild                 |  46 -------
 games-fps/doom3-hellcampaign/metadata.xml          |   8 --
 games-fps/doom3-inhell/Manifest                    |   1 -
 games-fps/doom3-inhell/doom3-inhell-1.1-r1.ebuild  |  28 -----
 games-fps/doom3-inhell/metadata.xml                |   8 --
 games-fps/doom3-lms/Manifest                       |   1 -
 games-fps/doom3-lms/doom3-lms-4.ebuild             |  29 -----
 games-fps/doom3-lms/metadata.xml                   |   8 --
 games-fps/doom3-mitm/Manifest                      |   1 -
 games-fps/doom3-mitm/doom3-mitm-20070129.ebuild    |  44 -------
 games-fps/doom3-mitm/metadata.xml                  |   8 --
 games-fps/doom3-roe/doom3-roe-1.ebuild             |  53 --------
 games-fps/doom3-roe/metadata.xml                   |  16 ---
 games-fps/doom3/Manifest                           |   2 -
 games-fps/doom3/doom3-1.3.1304-r1.ebuild           |  99 ---------------
 games-fps/doom3/metadata.xml                       |  20 ----
 games-fps/quake4-bin/Manifest                      |   1 -
 games-fps/quake4-bin/metadata.xml                  |  25 ----
 games-fps/quake4-bin/quake4-bin-1.4.2-r2.ebuild    | 133 ---------------------
 games-fps/quake4-data/metadata.xml                 |   8 --
 .../quake4-data/quake4-data-1.0.2147.12.ebuild     |  56 ---------
 games-fps/quake4-demo/Manifest                     |   1 -
 games-fps/quake4-demo/metadata.xml                 |  24 ----
 games-fps/quake4-demo/quake4-demo-1.0-r2.ebuild    |  73 -----------
 profiles/package.mask                              |  19 ---
 43 files changed, 1011 deletions(-)