Bug 420783 (CVE-2012-3345) - games-fps/{quake3,openarena,tremulous}: symlink attack (CVE-2012-3345)
Summary: games-fps/{quake3,openarena,tremulous}: symlink attack (CVE-2012-3345)
Status: RESOLVED FIXED
Alias: CVE-2012-3345
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://ioquake3.org/2012/06/14/cve-20...
Whiteboard: B3 [ebuild]
Keywords:
Depends on:
Blocks: CVE-2011-1412, CVE-2011-2764, CVE-2011-3012
Reported: 2012-06-12 08:42 UTC by Simon McVittie
Modified: 2019-12-08 21:31 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
[PATCH 1/2] CVE-2012-3345: write ioq3.pid to home path, not temp directory (0001-CVE-2012-3345-write-ioq3.pid-to-home-path-not-temp-d.patch, 1.03 KB, patch)
2012-06-12 08:43 UTC, Simon McVittie
[PATCH 2/2] CVE-2012-3345: remove Sys_TempPath() altogether, to avoid misuse (0002-CVE-2012-3345-remove-Sys_TempPath-altogether-to-avoi.patch, 2.72 KB, patch)
2012-06-12 08:45 UTC, Simon McVittie

Description Simon McVittie 2012-06-12 08:42:23 UTC
Please treat this as embargoed until further notice, and do not commit a
fix or otherwise make it public until we have coordinated a release
date (tentatively Friday, 18:00 UTC).

Background
==========

ioquake3 [IOQ] is a fork of the Quake III Arena (id Tech 3) game engine,
and has become the de facto upstream for that engine since id Software
ceased to develop it. It is also used (unmodified, modified or forked)
in various open-source and proprietary games including OpenArena [OA],
Reaction [REA], Smokin' Guns [SGN], Tremulous [TREM], Turtle Arena [TA],
Urban Terror [URT] and World of Padman [WOP].

Vulnerability
=============

Access vector: local
Authentication required: local system
Impact: overwrite a file owned by the victim with a predictable integer

Since svn revision 1773, ioquake3 has written its process ID to the file
/tmp/ioq3.pid (or ioq3.pid in a world-writeable location) under the following circumstances:

* running on non-Mac Unix and TMPDIR not set, or set to a
  world-writeable location; or
* running on Mac OS and FSFindFolder() for a temporary directory fails
  or returns a world-writeable location

On a multi-user system, an attacker could create a symbolic link
/tmp/ioq3.pid pointing to any file owned by a user who plays an
ioquake3-based game. When the victim runs ioquake3, the target file will
be overwritten and replaced with the process ID of ioquake3.

The effect of this attack depends on the file being overwritten: it
could be simple vandalism (destroy one of the victim's files), or it
could have further security implications if knowledge of the contents of
a target file is used for authentication (in a system similar to
pam_dotfile [DOT], for instance).

For the dedicated server, the process ID is written to ioq3_server.pid, but the attack is essentially the same. For forks of ioquake3, the filename will typically include the name of the fork, e.g. openarena.pid.

Affected versions
=================

* ioquake3 >= svn r1773
* OpenArena 0.8.8
* Reaction beta 1.0
* Smokin' Guns 1.1
* Tremulous "trunk" >= svn r2125
* Tremulous "gpp" >= svn r2140
* Turtle Arena >= svn r204 (all releases named Turtle Arena)
* World of Padman >= 1.5.2 beta

Unaffected versions
===================

* ioquake3 1.36
* ioquake3 <= svn r1772
* OpenArena <= 0.8.5
* Smokin' Guns <= 1.1b4
* Tremulous "trunk" <= svn r2124
* Tremulous "gpp" <= svn r2139
* Tremulous GPP1
* Tremulous <= 1.1.0
* Turtle Arena <= svn r203
* TMNT Arena 20091211 (former name of Turtle Arena)
* ioUrbanTerror 2007-12-20 client
* ioUrbanTerror 2007-12-20 server
* World of Padman <= 1.5.0

Solution
========

The attached patches have been reviewed by two ioquake3 maintainers. Please apply them to affected versions on or after the embargo date.

Patch 0001 fixes the vulnerability by writing the pid file into the ioquake3 user's home directory (~/.q3a/ioq3.pid, ~/.openarena/openarena.pid, etc.) instead of the temporary directory.

Patch 0002 is recommended, but not strictly necessary to fix the vulnerability. It removes the functions to get the temporary directory, as a precaution against other unsafe uses.

References
==========

[IOQ] http://ioquake3.org/
[OA] http://openarena.ws/
[REA] http://www.rq3.com/
[SGN] http://www.smokin-guns.net/
[TREM] http://tremulous.net/
[TA] http://ztm.x10hosting.com/ta/
[URT] http://www.urbanterror.info/home/
[WOP] http://worldofpadman.com/website/
[DOT] http://0pointer.de/lennart/projects/pam_dotfile/
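The following C program is an added illustration of the attack and fix described in the advisory above; it is not code from the attached patches or from ioquake3. It builds the scenario in a scratch directory standing in for /tmp: a victim-owned file, an attacker-planted symlink named ioq3.pid pointing at it, and a "game" that writes its pid. The fopen()-based writer mirrors the pre-fix behaviour and clobbers the target; the O_EXCL|O_NOFOLLOW writer is my own hardening, shown for contrast (it is not what patch 0001 does); build_home_pid_path() only constructs the kind of per-user path patch 0001 switches to, and the ".q3a" layout is an assumption about that patch.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Pre-fix behaviour as the advisory describes it: the pid goes to a predictable
 * name in a shared directory via plain fopen(), which follows any symlink an
 * attacker planted there. Returns 0 on success, -1 on failure. */
int write_pid_unsafe(const char *pidpath)
{
    FILE *f = fopen(pidpath, "w");
    if (!f)
        return -1;
    fprintf(f, "%d\n", (int)getpid());
    fclose(f);
    return 0;
}

/* Hardened variant (added here, not the ioquake3 patch): never follow a
 * symlink and never reuse an existing path. With a planted link the open()
 * fails with EEXIST instead of truncating the link target. */
int write_pid_safe(const char *pidpath)
{
    int fd = open(pidpath, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%d\n", (int)getpid());
    ssize_t w = write(fd, buf, (size_t)n);
    close(fd);
    return (w == n) ? 0 : -1;
}

/* The approach patch 0001 takes: put the pid file under a directory only the
 * victim can write to (e.g. ~/.q3a/ioq3.pid; subdir name assumed), so no other
 * local user can plant a link there. Returns 0 on success, -1 if truncated. */
int build_home_pid_path(const char *home, const char *subdir,
                        const char *name, char *out, size_t cap)
{
    int n = snprintf(out, cap, "%s/%s/%s", home, subdir, name);
    return (n > 0 && (size_t)n < cap) ? 0 : -1;
}

/* Constructed scenario in a fresh scratch directory standing in for /tmp.
 * Returns 1 if the victim's file was overwritten, 0 if it survived,
 * -1 if the scenario could not be set up. */
int simulate_attack(int use_safe_writer)
{
    const char *base = getenv("TMPDIR");
    char dir[512], victim[600], link[600];
    snprintf(dir, sizeof dir, "%s/cve-2012-3345-XXXXXX", base ? base : "/tmp");
    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/ioq3.pid", dir);

    /* A file the victim owns, with known content. */
    FILE *f = fopen(victim, "w");
    if (!f)
        return -1;
    fputs("victim-secret\n", f);
    fclose(f);

    /* Attacker plants ioq3.pid -> victim.txt before the victim starts the game. */
    if (symlink(victim, link) != 0)
        return -1;

    /* Victim's game process writes its pid file. */
    if (use_safe_writer)
        write_pid_safe(link);    /* fails with EEXIST, target untouched */
    else
        write_pid_unsafe(link);  /* follows the link and truncates victim.txt */

    /* Did the victim's content survive? */
    char got[64] = {0};
    f = fopen(victim, "r");
    if (!f)
        return -1;
    size_t n = fread(got, 1, sizeof got - 1, f);
    fclose(f);
    got[n] = '\0';
    int clobbered = strcmp(got, "victim-secret\n") != 0;

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    printf("fopen() writer: victim clobbered = %d\n", simulate_attack(0));
    printf("O_EXCL|O_NOFOLLOW writer: victim clobbered = %d\n", simulate_attack(1));
    return 0;
}
```

The O_EXCL variant is the generic defence for any file that must live in a shared directory, but it refuses to start if a stale pid file is left behind after a crash, which is why moving the file into a user-owned directory, as patch 0001 does, is the simpler fix for this case. Both fail in the same way if the victim's home directory is itself world-writable, so the patch's safety rests on the usual ownership of ~ and ~/.q3a.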
Comment 1 Simon McVittie 2012-06-12 08:43:47 UTC
Created attachment 315077 [details, diff]
[PATCH 1/2] CVE-2012-3345: write ioq3.pid to home path, not temp directory

On a multi-user system, an attacker could create a symbolic link
/tmp/ioq3.pid pointing to any file owned by a user who plays an
ioquake3-based game. When the victim runs ioquake3, the target file
will be overwritten and replaced with the process ID of ioquake3.

To avoid this, write the pid to the home path (e.g. ~/.q3a on Unix).

Signed-off-by: Simon McVittie <smcv@debian.org>
Comment 2 Simon McVittie 2012-06-12 08:45:04 UTC
Created attachment 315079 [details, diff]
[PATCH 2/2] CVE-2012-3345: remove Sys_TempPath() altogether, to avoid misuse

Writing to a predictable filename in /tmp is not safe.

Signed-off-by: Simon McVittie <smcv@debian.org>

---

This patch is not strictly necessary: it is a precaution against undiscovered symlink attacks in versions other than the one inspected.
Comment 3 Simon McVittie 2012-06-13 19:34:42 UTC
(In reply to comment #0)
> release date (tentatively Friday, 18:00 UTC)

Release date confirmed by the ioquake3 maintainers.
Comment 4 Simon McVittie 2012-06-14 22:54:20 UTC
(In reply to comment #3)
> Release date confirmed by the ioquake3 maintainers.

... who then announced it a day early by mistake, so please un-embargo this now.

Advisory: http://ioquake3.org/2012/06/14/cve-2012-3345-symlink-attack-in-ioquake3-r1773/

Patches: http://ioquake3.org/files/CVE-2012-3345/ or svn r2253
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2012-06-15 11:38:52 UTC
Thank you for the report, Simon.

Opening this bug up since it is now public.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 19:34:08 UTC
CVE-2012-3345 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3345):
  ioquake3 before r2253 allows local users to overwrite arbitrary files via a
  symlink attack on the /tmp/ioq3.pid temporary file.
Comment 7 Julian Ospald 2013-11-26 13:18:04 UTC
quake3 is at 1.36 which should be unaffected

the rest of them need a patch AFAICS
Comment 8 Larry the Git Cow gentoo-dev 2019-12-08 21:31:06 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9e2a01c4881b67200d0a43ab7d6f147d6e5ac2aa

commit 9e2a01c4881b67200d0a43ab7d6f147d6e5ac2aa
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-12-08 21:29:54 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-12-08 21:29:54 +0000

    games-fps/quake3*: drop vulnerable pkgs
    
    Closes: https://bugs.gentoo.org/420783
    Closes: https://bugs.gentoo.org/606696
    Closes: https://bugs.gentoo.org/627236
    
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 games-fps/openarena/Manifest                       |   2 -
 .../openarena/files/openarena-0.8.8-makefile.patch |  36 -----
 .../files/openarena-0.8.8-unbundling.patch         | 104 -------------
 games-fps/openarena/metadata.xml                   |  14 --
 games-fps/openarena/openarena-0.8.8-r1.ebuild      |  85 -----------
 games-fps/quake3-alliance/Manifest                 |   2 -
 games-fps/quake3-alliance/metadata.xml             |   8 -
 .../quake3-alliance/quake3-alliance-3.3-r1.ebuild  |  23 ---
 games-fps/quake3-alternatefire/Manifest            |   1 -
 games-fps/quake3-alternatefire/files/server.cfg    | 109 --------------
 games-fps/quake3-alternatefire/metadata.xml        |   8 -
 .../quake3-alternatefire-2.0-r1.ebuild             |  17 ---
 games-fps/quake3-bfp/Manifest                      |   1 -
 games-fps/quake3-bfp/metadata.xml                  |   8 -
 games-fps/quake3-bfp/quake3-bfp-1.2-r1.ebuild      |  17 ---
 games-fps/quake3-bin/Manifest                      |   2 -
 games-fps/quake3-bin/files/q3ded.conf.d            |   5 -
 games-fps/quake3-bin/files/q3ded.rc                |  34 -----
 games-fps/quake3-bin/metadata.xml                  |  24 ---
 games-fps/quake3-bin/quake3-bin-1.32c-r2.ebuild    | 105 -------------
 games-fps/quake3-cpma/Manifest                     |   2 -
 games-fps/quake3-cpma/files/server.cfg             | 146 ------------------
 games-fps/quake3-cpma/metadata.xml                 |  37 -----
 games-fps/quake3-cpma/quake3-cpma-1.48.ebuild      |  26 ----
 games-fps/quake3-data/Manifest                     |   1 -
 games-fps/quake3-data/metadata.xml                 |   8 -
 games-fps/quake3-data/quake3-data-1.32b.ebuild     |  54 -------
 games-fps/quake3-defrag/Manifest                   |  13 --
 games-fps/quake3-defrag/metadata.xml               |   8 -
 .../quake3-defrag/quake3-defrag-1.91.21.ebuild     |  44 ------
 games-fps/quake3-demo/Manifest                     |   1 -
 games-fps/quake3-demo/metadata.xml                 |  11 --
 games-fps/quake3-demo/quake3-demo-1.11-r1.ebuild   |  62 --------
 games-fps/quake3-excessiveplus/Manifest            |   1 -
 games-fps/quake3-excessiveplus/metadata.xml        |  20 ---
 .../quake3-excessiveplus-2.3.ebuild                |  22 ---
 games-fps/quake3-lrctf/Manifest                    |   1 -
 games-fps/quake3-lrctf/metadata.xml                |   8 -
 games-fps/quake3-lrctf/quake3-lrctf-1.1.ebuild     |  16 --
 games-fps/quake3-matrix/Manifest                   |   1 -
 games-fps/quake3-matrix/metadata.xml               |   8 -
 .../quake3-matrix/quake3-matrix-2.4_beta-r1.ebuild |  22 ---
 games-fps/quake3-nsco/Manifest                     |   2 -
 games-fps/quake3-nsco/files/server.cfg             |  97 ------------
 games-fps/quake3-nsco/metadata.xml                 |  29 ----
 games-fps/quake3-nsco/quake3-nsco-1.93-r1.ebuild   |  22 ---
 games-fps/quake3-osp/Manifest                      |   1 -
 games-fps/quake3-osp/files/server.cfg              | 165 ---------------------
 games-fps/quake3-osp/metadata.xml                  |   8 -
 games-fps/quake3-osp/quake3-osp-1.03a-r1.ebuild    |  22 ---
 games-fps/quake3-ra3/Manifest                      |   1 -
 games-fps/quake3-ra3/metadata.xml                  |   8 -
 games-fps/quake3-ra3/quake3-ra3-1.76-r1.ebuild     |  18 ---
 games-fps/quake3-reaction/Manifest                 |   2 -
 games-fps/quake3-reaction/metadata.xml             |   8 -
 .../quake3-reaction/quake3-reaction-3.2.ebuild     |  20 ---
 games-fps/quake3-ruinhunters/Manifest              |   2 -
 games-fps/quake3-ruinhunters/metadata.xml          |   8 -
 .../quake3-ruinhunters-1.0a-r1.ebuild              |  22 ---
 games-fps/quake3-teamarena/Manifest                |   1 -
 games-fps/quake3-teamarena/metadata.xml            |   8 -
 .../quake3-teamarena/quake3-teamarena-1.32b.ebuild |  55 -------
 games-fps/quake3-threewave/Manifest                |   2 -
 games-fps/quake3-threewave/metadata.xml            |   8 -
 .../quake3-threewave-1.7-r1.ebuild                 |  21 ---
 games-fps/quake3/Manifest                          |   1 -
 games-fps/quake3/files/quake3-1.36-bots.patch      |  20 ---
 games-fps/quake3/metadata.xml                      |  26 ----
 games-fps/quake3/quake3-1.36-r1.ebuild             | 122 ---------------
 games-fps/quake3/quake3-9999.ebuild                | 137 -----------------
 70 files changed, 1953 deletions(-)