Two security vulnerabilities in the ioquake3 engine may affect your quake3 package (and also OpenArena, World of Padman, Urban Terror and other ioquake3-based games, if you have them). I will comment with more details when I have confirmed that this bug does not end up public.
Passing on a message from upstream developer Thilo Schulz <firstname.lastname@example.org>, who
should be contacted for further details if required:
Dear Sir or Madam,
I am informing you about two security vulnerabilities that were recently found
by a user with the handle "devhc" in ioquake3, an open source project
dedicated to the maintenance of the dated quake3 engine, see
http://www.ioquake3.org for more information.
It is my understanding that your distributions or games are packaging or
based on recent revisions of ioquake3.
The first bug was introduced in svn revision 1773 and does not exist in
ioquake3's last official release (version 1.36), however, several projects
that are based on more recent svn revisions of our source tree might be
afflicted, like "World of Padman".
The first bug is a shell injection vulnerability which allows server admins to
execute arbitrary shell commands on connecting clients.
It can be triggered by setting the fs_game cvar to something like
"`echo <insert 250 chars here> > inject.txt`"
This bug was fixed in revision 2097, see:
[CVE-2011-1412 has been assigned to the vulnerability fixed in r2097 -smcv]
The second bug is not as severe, but was already introduced in revision 1499,
thus ioquake3 1.36 is afflicted.
Here, a file extension check is broken and malicious game code might execute
arbitrary code outside its Virtual Machine context by writing to DLL files
that are loaded by the quake3 engine during gameplay.
This bug was fixed in revision 2098, see:
[CVE-2011-2764 has been assigned to the vulnerability fixed in r2098 -smcv]
We intend to go public with this information around Thursday noon (European
time), so please do not disclose these details until our official posting to
bugtraq or Full Disclosure.
These are bugs in the ioquake3 engine, not in particular game code. I don't
know how you handle this engine in Gentoo; the upstreams of various games each
have their own outdated "official" ioquake3 builds, but in Debian and Fedora we use a shared engine binary for OpenArena and Quake III Arena.
I believe that who is and isn't vulnerable goes like this:
engine                             | based on | CVE-2011-1412 | CVE-2011-2764 |
ioQuake3 1.36                      | r1520    | -             | vulnerable    |
OpenArena engine 0.8.x-13 (0.8.5)  | r1759    | -             | vulnerable    |
OpenArena engine 0.8.x-14 (0.8.5)  | r1759    | -             | vulnerable    |
OpenArena engine 0.8.x-15          | r1783    | vulnerable    | vulnerable    |
OpenArena engine 0.8.x-16          | r1788    | vulnerable    | vulnerable    |
ioUrbanTerror 2007-12-20 server    | r1240    | -             | no check      |
ioUrbanTerror 2007-12-20 client    | r1142    | -             | no check      |
World of Padman 1.2 non-Windows    | r1202    | -             | no check      |
World of Padman 1.2 Windows-only   | r1142    | -             | no check      |
World of Padman first standalone   | r1051    | -             | no check      |
Tremulous 1.1.0                    | ?        | -             | no check      |
Engines marked "no check" for CVE-2011-2764 don't have the regression from
r1499, but also don't have the check as originally added (r1405) at all, so
the only way to use them safely is to turn off auto-downloading, or not allow
native-code gamecode (or preferably, both). Engines this old probably aren't
safe to use on untrusted bytecode anyway, though.
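As an added illustration (not ioquake3's own code, and not the r2097/r2098 patches), the two checks below show what each fix has to guarantee: a server-supplied fs_game value must be a plain identifier before it can ever reach a shell or a filesystem path, and a write request from game code must be refused if the target name ends, case-insensitively, in an extension the engine will later load as native code or bytecode. The function names, the 64-character limit and the extension list are assumptions for this example.

```c
/* Added example, not ioquake3 code: defensive checks matching the two bugs
 * described above. Names, limit and extension list are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_GAMEDIR_LEN 64  /* assumed limit for this example */

/* CVE-2011-1412 class of bug: fs_game comes from the server. Allow-list a
 * plain identifier (ASCII letters, digits, '_' and '-') rather than trying to
 * enumerate shell metacharacters; this also rules out "..", '/' and spaces. */
int fs_game_is_safe(const char *name)
{
    size_t len, i;

    if (name == NULL || name[0] == '\0')
        return 0;
    len = strlen(name);
    if (len >= MAX_GAMEDIR_LEN)
        return 0;
    for (i = 0; i < len; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Case-insensitive "ends with" on the raw tail of the string, dot included,
 * so a filename like "UIX86.DLL" or "cgame.qvm" cannot slip past. */
static int ends_with_nocase(const char *s, const char *suffix)
{
    size_t slen = strlen(s), xlen = strlen(suffix), i;

    if (slen < xlen)
        return 0;
    for (i = 0; i < xlen; i++) {
        char a = s[slen - xlen + i], b = suffix[i];
        if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
        if (b >= 'A' && b <= 'Z') b += 'a' - 'A';
        if (a != b)
            return 0;
    }
    return 1;
}

/* CVE-2011-2764 class of bug: refuse VM-initiated writes to anything the
 * engine would later load as code. */
int is_loadable_code_file(const char *path)
{
    static const char *const blocked[] = { ".dll", ".so", ".dylib", ".qvm" };
    size_t i;

    for (i = 0; i < sizeof(blocked) / sizeof(blocked[0]); i++)
        if (ends_with_nocase(path, blocked[i]))
            return 1;
    return 0;
}
```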
Thanks for the info, Simon.
Making this bug public as others have done, e.g. https://bugzilla.redhat.com/show_bug.cgi?id=725951. Adding games herd.
I don't believe we have ioUrbanTerror in the tree.
Tremulous 1.1.0 turns out to have further vulnerabilities, which have been public (as ioquake3 bugs) for years: see <http://seclists.org/bugtraq/2012/Feb/118>.
Additionally, older ioquake3 versions like ioquake3 1.36, Tremulous 1.1.0 and OpenArena 0.8.5 (but not OA 0.8.8 or recent ioquake3 svn) can be used in a reflected DoS, see <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665656>.
There are probably other vulnerabilities in ioquake3 1.36; in Debian we've given up waiting for 1.37 and are packaging svn snapshots instead, since they seem to be more stable and secure :-(
Patches at <http://anonscm.debian.org/gitweb/?p=pkg-games/tremulous.git;a=log;h=refs/tags/debian/1.1.0-8> and <http://anonscm.debian.org/gitweb/?p=pkg-games/openarena.git;a=log;h=refs/tags/debian/0.8.5-5%2Bsqueeze3>. Our ioquake3 patch sets are in the same place if that's any help.
I am converting this into a tracker bug so that we can individually track each affected package.
Adding bug 420783 to this tracker because it affects the same packages, and there is no need to create multiple bugs for the same package affecting the same embedded resource.
Because there has been no action in this tracker yet, we are adding the following vulnerability as well: https://github.com/ioquake/ioq3/commit/376267d534476a875d8b9228149c4ee18b74a4fd
@ Maintainer(s): Please make sure that the bundled ioquake3 engine contains the commit above.