6565 – tremulous security issues CVE-2010-5077, CVE-2011-2764 and CVE-2011-3012

Bug 6565 - tremulous security issues CVE-2010-5077, CVE-2011-2764 and CVE-2011-3012

Summary: tremulous security issues CVE-2010-5077, CVE-2011-2764 and CVE-2011-3012

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	1
Hardware:	i586 Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:

URL:	http://lwn.net/Vulnerabilities/488838/
Whiteboard:	MGA1-32-OK MGA1-64-OK
Keywords:	validated_update

Depends on:
Blocks:	5496
	Show dependency tree / graph

Reported:	2012-06-25 15:50 CEST by David Walser
Modified:	2012-07-09 23:58 CEST (History)
CC List:	4 users (show)

See Also:
Source RPM:	tremulous-1.2.0-0.beta1.1.1.mga1.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2012-06-25 15:50:21 CEST

José Jorge has submitted a patched package to updates_testing to fix these.

Advisory to come later.

David Walser 2012-06-25 15:50:35 CEST

CC: (none) => lists.jjorge

Comment 1 David Walser 2012-06-25 15:51:44 CEST

tremulous-1.2.0-0.beta1.1.2.mga1 is the updated package (RPM and SRPM).

David Walser 2012-06-25 15:51:59 CEST

Blocks: (none) => 5496

Comment 2 David Walser 2012-06-25 16:02:26 CEST

Advisory:
========================

Updated tremulous package fixes security vulnerabilities:

It has been discovered that spoofed "getstatus" UDP requests are being
sent by attackers to servers for use with games derived from the
Quake 3 engine (such as openarena).  These servers respond with a
packet flood to the victim whose IP address was impersonated by the
attackers, causing a denial of service (CVE-2010-5077).

The FS_CheckFilenameIsNotExecutable function in qcommon/files.c in the
ioQuake3 engine 1.36 and earlier, as used in World of Padman, Smokin'
Guns, OpenArena, Tremulous, and ioUrbanTerror, does not properly
determine dangerous file extensions, which allows remote attackers to
execute arbitrary code via a crafted third-party addon that creates a
Trojan horse DLL file (CVE-2011-2764).

The ioQuake3 engine, as used in World of Padman 1.2 and earlier,
Tremulous 1.1.0, and ioUrbanTerror 2007-12-20, does not check for
dangerous file extensions before writing to the quake3 directory,
which allows remote attackers to execute arbitrary code via a crafted
third-party addon that creates a Trojan horse DLL file (CVE-2011-3012).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2764
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3012
http://www.debian.org/security/2012/dsa-2442
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078387.html

Comment 3 Samuel Verschelde 2012-07-05 21:30:29 CEST

Tested i586. Game starts, could play a game without obvious regression.

Whiteboard: (none) => MGA1-32-OK

Comment 4 Samuel Verschelde 2012-07-08 13:54:17 CEST

Tested x86_64. Update validated.

See comment #1 and comment #2 for SRPM and advisory.

Keywords: (none) => validated_update
CC: (none) => stormi, sysadmin-bugs
Whiteboard: MGA1-32-OK => MGA1-32-OK MGA1-32-OK

Samuel Verschelde 2012-07-08 14:03:37 CEST

Whiteboard: MGA1-32-OK MGA1-32-OK => MGA1-32-OK MGA1-64-OK

Comment 5 Thomas Backlund 2012-07-09 23:58:34 CEST

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0148

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.