Bug#660831: tremulous-server: CVE-2006-2082 arbitrary file download from server

Simon McVittie smcv at debian.org
Wed Feb 22 08:49:58 UTC 2012


Package: tremulous-server
Version: 1.1.0-4.1
Severity: grave
Tags: security
Justification: user security hole

CVE-2006-2082 is a directory traversal vulnerability in the Quake 3 engine.
When the sv_allowDownload cvar is enabled, players can download .pk3 files
required by the server; due to missing checks, remote attackers can use this
feature to read arbitrary files from the server via ".." sequences in a
download request.

Tremulous is based on a fork of that engine, and version 1.1.0 as shipped
in Debian has the same vulnerability.

The files are read with the privileges of the server, typically the
"tremulous-server" uid. This bug also affects "listen servers" (those where
a player hosts the server and plays the game in the same process), started
via the GUI of the tremulous package; in this case, files are read with
the privileges of the user.

The de facto upstream for the Quake 3 engine is ioquake3, in which this
vulnerability was fixed in r777. Debian's ioquake3 package is not vulnerable.
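The traversal described above, as an added example written for this page (it is not code from the bug report, from Tremulous, or from the ioquake3 fix in r777). The base directory name is an assumption; the requests fed to it are constructed. The unchecked resolver shows how a ".." sequence in a download request escapes the game directory, and the checked variant shows the component-by-component validation a server must apply before opening the file:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed game directory the server serves .pk3 files from; not taken from
   the report or from any real installation. */
#define DL_BASEDIR "/var/games/tremulous/base"

/* Vulnerable shape: the client-supplied name is appended to the base
   directory with no validation, so "../../../etc/passwd" resolves outside
   it. Returns the length written, or -1 if the buffer is too small. */
int resolve_download_path_unchecked(const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", DL_BASEDIR, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Hardened check: accept only a relative path of plain components under
   the game directory, ending in ".pk3". Rejects absolute paths, Win32
   backslashes, drive-letter prefixes, empty components, "." and "..". */
bool is_safe_pk3_request(const char *name)
{
    size_t len = strlen(name);
    if (len < 5 || len >= 256)                 /* at least "x.pk3" */
        return false;
    if (name[0] == '/')                        /* absolute path */
        return false;
    if (strchr(name, '\\') != NULL)            /* Win32 separator */
        return false;
    if (strchr(name, ':') != NULL)             /* "C:" style prefix */
        return false;
    if (strcmp(name + len - 4, ".pk3") != 0)   /* only pak files */
        return false;

    /* Walk the path one component at a time. */
    const char *p = name;
    for (;;) {
        const char *q = strchr(p, '/');
        size_t clen = q ? (size_t)(q - p) : strlen(p);
        if (clen == 0)                                     /* "//" */
            return false;
        if (clen == 1 && p[0] == '.')                      /* "." */
            return false;
        if (clen == 2 && p[0] == '.' && p[1] == '.')       /* ".." */
            return false;
        if (!q)
            break;
        p = q + 1;
    }
    return true;
}

/* Fixed shape: validate first, resolve only if the name passes. */
int resolve_download_path_checked(const char *name, char *out, size_t outlen)
{
    if (!is_safe_pk3_request(name))
        return -1;
    return resolve_download_path_unchecked(name, out, outlen);
}

int main(void)
{
    /* Constructed download requests: one legitimate, the rest hostile. */
    const char *requests[] = {
        "pak0.pk3",
        "../../../../etc/passwd",
        "maps/../../../etc/shadow.pk3",
        "/etc/passwd",
        "..\\..\\server.cfg",
    };
    char path[512];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        int unchecked = resolve_download_path_unchecked(requests[i], path, sizeof path);
        printf("%-32s unchecked -> %s\n", requests[i],
               unchecked < 0 ? "(overflow)" : path);
        int checked = resolve_download_path_checked(requests[i], path, sizeof path);
        printf("%-32s checked   -> %s\n", requests[i],
               checked < 0 ? "REJECTED" : path);
    }
    return 0;
}
```

The unchecked resolver produces a path such as ".../base/../../../../etc/passwd", which the operating system happily opens with the server's privileges; the checked one rejects every component that is "." or "..", as well as absolute paths and Win32-style separators, so no request can name a file outside the game directory. Normalising the string with a library call is not a substitute for this check, because the server must reject the request rather than silently serve a different file.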
