Bug 204067 - games-fps/{doom3,quake4} * - remote exploitable format string vulnerability
Status: RESOLVED DUPLICATE of bug 194607
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Reported: 2008-01-02 15:33 UTC by Carsten Lohrke (RETIRED)
Modified: 2010-10-07 22:23 UTC

Attachments
PunkBuster updater (pbupdate.py, 2.54 KB, text/plain)
2009-07-25 08:37 UTC, René Kjellerup
example for use of the PunkBuster updater (quake4-bin-1.3.2-r1.ebuild, 3.17 KB, text/plain)
2009-07-25 08:42 UTC, René Kjellerup

Description Carsten Lohrke (RETIRED) gentoo-dev 2008-01-02 15:33:15 UTC
The function which visualizes the strings on the game's console is
vulnerable to a format string vulnerability, something similar to
snprintf(buff, 1024, string);
Usually this is not a problem since the engine uses some functions and
tricks to avoid the visualization of the % char like dropping it or
inserting a space between it and the subsequent char.

But there is a way to bypass this limitation, with the added
advantages of doing it anonymously and with only one single spoofable
UDP packet: Punkbuster.

http://aluigi.altervista.org/adv/d3engfspb-adv.txt


*All and everything using these engines is affected; a workaround is to use an up-to-date Punkbuster version. What to do about the issue? Contacting id3? Does a post-install warning suffice or should the relevant packages be masked?
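
Why stripping the % char on one input path is a fragile defence, and what the fix at the sink looks like, as an added example (not code from the engine, the advisory or this bug). The names console_printf, strip_percent, console_print_filtered and console_print_safe are hypothetical, and the sample message is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define CONSOLE_BUF 1024 /* size from the snprintf() call quoted in the report */

/* Hypothetical printf-style console sink (assumed name, not the engine's code). */
static int console_printf(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* Input-side mitigation described in the report: drop every '%'. */
static void strip_percent(char *dst, size_t n, const char *src)
{
    size_t j = 0;
    for (size_t i = 0; src[i] != '\0' && j + 1 < n; i++)
        if (src[i] != '%')
            dst[j++] = src[i];
    dst[j] = '\0';
}

/* Filtered path: text is still the format string; safe only if every producer is filtered. */
int console_print_filtered(char *out, size_t n, const char *untrusted)
{
    char tmp[CONSOLE_BUF];
    strip_percent(tmp, sizeof tmp, untrusted);
    return console_printf(out, n, tmp);
}

/* Sink-side fix: constant format, so untrusted text is only ever an argument. */
int console_print_safe(char *out, size_t n, const char *untrusted)
{
    return console_printf(out, n, "%s", untrusted);
}

int main(void)
{
    char out[CONSOLE_BUF];
    const char *msg = "name%n%x at 100%"; /* constructed sample input */
    console_print_filtered(out, sizeof out, msg);
    printf("filtered: %s\n", out);
    console_print_safe(out, sizeof out, msg);
    printf("safe:     %s\n", out);
    return 0;
}
```

The filtered path also alters legitimate text (the trailing 100% loses its percent sign), while the constant-format sink prints the message byte for byte regardless of which code path delivered it.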
Comment 1 Carsten Lohrke (RETIRED) gentoo-dev 2008-01-02 15:35:49 UTC
See also the advisory for America's Army and America's Army Special Forces:

http://aluigi.altervista.org/adv/aaboompb-adv.txt
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2008-02-26 20:52:09 UTC
games, please advise.
Comment 3 Chris Gianelloni (RETIRED) gentoo-dev 2008-02-27 16:03:05 UTC
I'll be checking for patches from upstream, but will likely be masking the affected packages.
Comment 4 Chris Gianelloni (RETIRED) gentoo-dev 2008-03-04 03:20:41 UTC
I masked doom3-* and quake4-* for this bug.  Since it is safe to use these packages if you enable Punkbuster, I'm not sure how you would rate this vulnerability.
Comment 5 Wolfram Schlich (RETIRED) gentoo-dev 2008-04-06 17:43:52 UTC
(In reply to comment #3)
> I'll be checking for patches from upstream

Any news on this one? :)
Comment 6 Chris Gianelloni (RETIRED) gentoo-dev 2008-04-11 15:01:41 UTC
Id typically doesn't do much with security bugs.  They tend to only fix them when they're releasing a new patch, anyway, so it is very unlikely that they'll fix this, unless they have a new patch in the works.  That being said, I see no reason not to report it to them, if it hasn't already been done.

I'm going to look into possibly forcing a Punkbuster update at install time.  That, plus a revision bump, should resolve this bug.
Comment 7 Richard 2008-10-03 11:51:18 UTC
Should the package:
games-fps/doom3
not also be masked? Is this deliberate or an oversight?

(In reply to comment #4)
> I masked doom3-* and quake4-* for this bug.  Since it is safe to use these
> packages if you enable Punkbuster, I'm not sure how you would rate this
> vulnerability.
> 

Comment 8 René Kjellerup 2009-07-25 08:37:32 UTC
Created attachment 199083 [details]
PunkBuster updater

This Python script downloads and stores the PunkBuster update files from their website and
it defaults to fetching the files for Quake4; however, with the "-d" command line option it will
fetch an updated PunkBuster for Doom3.
Comment 9 René Kjellerup 2009-07-25 08:42:50 UTC
Created attachment 199084 [details]
example for use of the PunkBuster updater

example for use of the PunkBuster updater,
using games-fps/quake4-bin
Comment 10 Phil Rigby 2009-10-18 04:47:16 UTC
Is there any movement on this, or any chance of the packages becoming unmasked?
Comment 11 Róbert Čerňanský 2010-09-25 13:47:50 UTC
This is a duplicate of bug #194607.  The report at http://secunia.com/advisories/27002/, which #194607 refers to, lists the link from this bug (http://aluigi.altervista.org/adv/d3engfspb-adv.txt) as the original advisory.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-07 22:23:11 UTC
Thanks!

*** This bug has been marked as a duplicate of bug 194607 ***