Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 606698 - <games-fps/worldofpadman-1.6-r1: Multiple vulnerabilities through embedded ioquake3 engine (CVE-2011-{1412,2764,3012},CVE-2012-3345)
Summary: <games-fps/worldofpadman-1.6-r1: Multiple vulnerabilities through embedded io...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2011-1412, CVE-2011-2764, CVE-2011-3012
  Show dependency tree
 
Reported: 2017-01-21 13:25 UTC by Thomas Deutschmann
Modified: 2019-03-23 20:42 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev 2017-01-21 13:25:46 UTC
It is suspected that this package is vulnerable to multiple vulnerabilities (including a remote code execution vulnerability) due to embedded ioquake3 engine. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected.

Please see the information contained in the tracker bug 376589 for further details.
Comment 1 Thomas Deutschmann gentoo-dev 2017-01-21 13:45:35 UTC
Bug 420783 (CVE-2012-3345) was added to the same tracker.
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-23 20:42:23 UTC
Validating the source code shows that the embedded Quake3 engine is carrying the latest patches from SVN trunks 2097 and 2098.  The relevant code is seen in the TRACKER bug for each CVE reported.

http://svn.icculus.org/quake3/trunk/code/qcommon/files.c?r1=2098&r2=2097&pathrev=2098

http://svn.icculus.org/quake3/trunk/code/sys/sys_unix.c?r1=2097&r2=2096&pathrev=2097

Given the ancient history here, I am showing <1.6-r1 as vulnerable which indicates the latest ebuild in tree is safe from these CVE's.