Bug#635734: ioquake3: CVE-2011-2764 arbitrary code execution by malicious gamecode

Simon McVittie smcv at debian.org
Thu Jul 28 13:17:11 UTC 2011


Package: ioquake3
Version: 1.36+svn1946-1
Severity: grave
Tags: security patch
Justification: user security hole

ioquake3 1.36+svn1946-4 fixes a security vulnerability.

Mitigation: do not allow auto-downloading, and do not install untrusted mods.

From the advisory:
> Malicious gamecode can execute arbitrary code outside of the
> Q3 Virtual Machine context
> ========================================
> 
> This bug has been discovered by /dev/humancontroller.
> 
>  * details
> 
> The Quake3 engine uses game-specific code that is provided in a platform
> independent bytecode format. This code has restricted access to
> functionality provided by the engine. It should not be allowed access to
> data outside the VM context.
> Over the course of gameplay, the quake3 engine may dynamically load DLL
> files in certain configurations. For instance, if vm_ui is set to "0" quake3
> tries to open a DLL file to load the game logic behind the user interface.
> 
> Part of the functionality offered to VM logic is the possibility to write to
> files within the quake3 directory. By writing a malicious DLL file, a
> program residing in the VM could trigger the execution of code outside the VM
> context.
> To prevent this from happening, ioquake3 introduced a file extension check
> in r1499 which denied writing files with certain names. However, this check
> was broken and was only corrected in r2098.
> 
> This security issue has been around for a long time even in the original
> quake3 engine and is not limited to ioquake3.
> It affects a wide range of commercial games as well. It is only exploitable
> if a user installs 3rd party addons from untrusted sources.
> Quake3 was never really designed to be secure against malicious 3rd party
> content, and probably isn't even in the latest revisions of ioquake3. So
> downloading of untrusted content is still discouraged.
> 
>  * CVE
> 
> CVE-2011-2764 has been assigned for this issue.
> 
>  * severity
> 
> medium
> 
>  * affected OS
> 
> All OSes with a dynamic linker
> 
>  * games affected
> 
> All games using the quake3 engine
> 
>  * workaround
> 
> Don't download and install untrusted addons. Set cl_allowdownload to 0
> 
>  * patches
> 
> Several distributors have already been contacted and have prepared patches
> for their distributions.
> A source code patch can be obtained here:
> 
>   http://thilo.tjps.eu/download/patches/ioq3-svn-r2098.diff
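The advisory describes the bug class but not the shape of a correct check, so here is an added illustration of the policy the engine needs before it honours a write request from gamecode. This is example code written for this bug log, not the ioquake3 fix from r1499 or r2098, and `write_is_forbidden`, `forbidden_exts` and the sample paths are all hypothetical. It refuses paths that leave the game directory and any file whose final extension, compared case-insensitively after stripping the trailing dots and spaces that Windows silently drops on file creation, is one the dynamic loader would pick up.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Extensions a platform's dynamic loader would load. Illustrative list for
 * this example; a real engine build only needs its own DLL_EXT, but a mod
 * directory may be shared between platforms, so all are refused here. */
static const char *const forbidden_exts[] = { "dll", "so", "dylib" };

#define MAX_CHECK_PATH 256

/* Case-insensitive equality of two short ASCII strings. */
static bool str_equals_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Copy path into buf, strip the trailing spaces and dots that Win32 removes
 * when creating a file ("evil.dll. " becomes "evil.dll"), and return a
 * pointer to the extension of the last path component, or "" if none.
 * Both '/' and '\\' are treated as separators. Returns NULL if the path is
 * too long to examine, which the caller treats as a refusal. */
static const char *final_extension(const char *path, char *buf, size_t buflen) {
    size_t len = strlen(path);
    if (len >= buflen)
        return NULL;
    memcpy(buf, path, len + 1);
    while (len > 0 && (buf[len - 1] == ' ' || buf[len - 1] == '.'))
        buf[--len] = '\0';

    const char *base = buf;
    for (const char *p = buf; *p; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;
    const char *dot = strrchr(base, '.');
    return dot ? dot + 1 : "";
}

/* Hypothetical policy hook for this example: should a write requested by
 * VM gamecode to `path` (relative to the game directory) be refused?
 * Returns true to refuse. */
bool write_is_forbidden(const char *path) {
    char buf[MAX_CHECK_PATH];

    /* The VM must stay inside the game directory: no absolute paths, no
     * traversal, no Windows drive letters or alternate data streams. */
    if (path[0] == '/' || path[0] == '\\')
        return true;
    if (strstr(path, "..") != NULL || strchr(path, ':') != NULL)
        return true;

    const char *ext = final_extension(path, buf, sizeof buf);
    if (ext == NULL)
        return true;
    for (size_t i = 0; i < sizeof forbidden_exts / sizeof forbidden_exts[0]; i++)
        if (str_equals_nocase(ext, forbidden_exts[i]))
            return true;
    return false;
}

int main(void) {
    /* Constructed sample requests for demonstration only. */
    const char *samples[] = {
        "baseq3/q3config.cfg",
        "baseq3/screenshots/shot0001.tga",
        "baseq3/uix86.dll",
        "baseq3/UIX86.DLL. ",
        "mymod/cgamei386.so",
        "../baseq3/uix86.dll",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s %s\n", samples[i],
               write_is_forbidden(samples[i]) ? "REFUSED" : "allowed");
    return 0;
}
```

The point of the normalisation step is that a check which compares the raw suffix against ".dll" is defeated by a request for "uix86.DLL" on a case-insensitive filesystem or for "uix86.dll." on Windows; the engine has to decide on the name the OS will actually create, not the one the VM supplied.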