Bug 222119 - games-fps/tremulous < 1.1.0-r2 Q3 Engine "remapShader" Command Buffer Overflow
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Duplicates: 147302
Depends on:
Reported: 2008-05-14 18:06 UTC by Víctor Ostorga (RETIRED)
Modified: 2009-01-11 18:53 UTC


ebuild of tremulous 1.1.0-r5 with 64 bit support (tremulous-1.1.0-r5.ebuild, 2.80 KB, text/plain)
2008-05-14 18:08 UTC, Víctor Ostorga (RETIRED)
Don't compile game libraries because they're not used (tremulous-1.1.0-r2.ebuild, 2.83 KB, text/plain)
2008-07-05 12:48 UTC, Martin Doucha
Now with debugging support. (tremulous-1.1.0-r2.ebuild, 3.32 KB, text/plain)
2008-07-12 20:34 UTC, Jaak Ristioja

Description Víctor Ostorga (RETIRED) gentoo-dev 2008-05-14 18:06:31 UTC
I found this ebuild on which adds support for 64 bit machines.
I have been testing it and have no complaints about it.

The original link to the ebuild is
Comment 1 Víctor Ostorga (RETIRED) gentoo-dev 2008-05-14 18:08:19 UTC
Created attachment 153143
ebuild of tremulous 1.1.0-r5 with 64 bit support
Comment 2 Martin Doucha 2008-07-05 10:42:35 UTC
*** Bug 147302 has been marked as a duplicate of this bug. ***
Comment 3 Martin Doucha 2008-07-05 12:48:51 UTC
Created attachment 159624
Don't compile game libraries because they're not used

Current Tremulous version in Portage has several security issues - bug 132377 (remapShader command buffer overflow) and multiple server DoS weaknesses. This update fixes all of them and adds some new features (fast downloads using libcurl, new server and client side game features etc.).

This updated ebuild disables compilation of game QVM libraries because they're not used. Most servers require use of precompiled QVM libraries which are included in the source zip file.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-07-06 21:36:13 UTC
Martin, thank you for the comment. Can you base your statement about security on an advisory, upstream changelog or code analysis?
Comment 5 Martin Doucha 2008-07-07 09:47:46 UTC
Yes, remapShader vulnerability has been fixed in ioQuake3 engine on revision 765. The fix has been merged to Tremulous on revision 778. Current Tremulous version in Gentoo is based on revision 755 with no feature/bug patches which means it's still affected. For further detail, compare src/renderer/tr_shader.c from Tremulous source package on Gentoo mirrors with tr_shader.c from SVN revisions 755 and 778.
Comment 6 Jaak Ristioja 2008-07-12 11:51:58 UTC
Any chance of the most recent ebuild getting into portage and obsoleting the vulnerable ones? Thanks.
Comment 7 Christian Hoffmann (RETIRED) gentoo-dev 2008-07-12 12:36:31 UTC
Re-assigning to security as this should probably be handled like another vulnerability.
Comment 8 Jaak Ristioja 2008-07-12 20:34:29 UTC
Created attachment 160215
Now with debugging support.

Added USE=debug support.
Comment 9 Tomas Hoger 2008-07-15 16:47:43 UTC
remapShader issue seems to be CVE-2006-2236.  So other quake3 CVEs may apply as well, see also:
Comment 10 Martin Doucha 2008-07-15 18:35:15 UTC
(In reply to comment #9)
> remapShader issue seems to be CVE-2006-2236.  So other quake3 CVEs may apply as
> well, see also:

The updated ebuild is based on Tremulous SVN revision 971 which is based on ioQuake3 SVN revision 1133. CVEs listed in the link above are all fixed in this revision.
Comment 11 Martin Doucha 2008-08-02 11:11:50 UTC
Hello?! Are you going to fix it already or are you going to leave the security hole open for another 2 years?
Comment 12 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-17 19:07:09 UTC
As there is no new release and we have to rely on patching, this mainly means that we have to get rid of games-fps/tremulous-bin (which has no stable versions anyway).
Trying to get some action into this...
Comment 13 Mr. Bones. (RETIRED) gentoo-dev 2008-08-17 19:33:25 UTC
I masked both packages until it's fixed in portage.
Comment 14 Martin Doucha 2008-08-17 19:57:44 UTC
I think tremulous-bin was around for amd64 users because tremulous-1.1.0 compiled on amd64 was incredibly slow (QVM bytecode compiler was not available at the time so the QVM code was interpreted instead). This ebuild has full support for amd64 so tremulous-bin is not needed anymore.
Comment 15 Le retraité 2008-08-19 20:44:18 UTC
The ebuild from trem-servers also includes the 971 patch (and so fixes the security issue, right?), maybe it should be pushed in portage, shouldn't it?
Comment 16 Le retraité 2008-08-20 07:40:40 UTC
@Mr Bones
You have globally masked tremulous and tremulous-bin, maybe you should just mask >=tremulous-1.1.0-r1 and >=tremulous-bin-1.1.0, so people who want to have a fixed version (like tremulous-1.1.0-r5 here) in their local portage overlay won't have to unmask it.
Comment 17 Tristan Heaven (RETIRED) gentoo-dev 2008-09-07 14:40:45 UTC
Patches are in 1.1.0-r2
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-09-08 14:38:00 UTC
Arches, please test and mark stable:
Target keywords : "amd64 ppc x86"
Comment 19 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-08 20:29:10 UTC
amd64 stable
Comment 20 Christian Hoffmann (RETIRED) gentoo-dev 2008-09-16 15:07:59 UTC
What about -bin, is comment #14 right? In that case it could be punted from the tree, I think.
Comment 21 Tobias Scherbaum (RETIRED) gentoo-dev 2008-09-16 17:48:40 UTC
ppc stable
Comment 22 Mr. Bones. (RETIRED) gentoo-dev 2008-09-16 19:57:13 UTC
tremulous-bin is gone.
Comment 23 Markus Meier gentoo-dev 2008-09-17 20:21:50 UTC
x86 stable, all arches done
Comment 24 Christian Hoffmann (RETIRED) gentoo-dev 2008-09-17 20:24:29 UTC
If we agree on B1, then this needs a GLSA, including a notice about -bin removal.
Comment 25 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-13 16:43:58 UTC
GLSA request filed by keytoaster.
Comment 26 Róbert Čerňanský 2008-10-25 18:31:03 UTC
All versions of games-fps/tremulous are still masked. Shouldn't the 1.1.0-r2 be unmasked already?
Comment 27 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-11 18:53:15 UTC
GLSA 200901-06