Bug#660831: tremulous-server: CVE-2006-2082 arbitrary file download from server
Simon McVittie
smcv at debian.org
Wed Feb 22 08:49:58 UTC 2012
Package: tremulous-server
Version: 1.1.0-4.1
Severity: grave
Tags: security
Justification: user security hole
CVE-2006-2082 is a directory traversal vulnerability in the Quake 3 engine.
When the sv_allowDownload cvar is enabled, players can download .pk3 files
required by the server; due to missing checks, remote attackers can use this
feature to read arbitrary files from the server via ".." sequences in a
download request.
Tremulous is based on a fork of that engine, and version 1.1.0 as shipped
in Debian has the same vulnerability.
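The "missing checks" above amount to a server joining a client-supplied file name onto its game directory without rejecting path components. The following is an added example, not code from Tremulous, ioquake3 or the r777 fix: a defender-side validator for download requests of this kind, alongside the hardened path join that depends on it. The game directory, the 64-byte cap and all function names are constructed for this illustration.

```c
/*
 * Added example (not engine code): filter client download requests so
 * that only a bare ".pk3" file name inside the game directory is served.
 * This is the class of check whose absence CVE-2006-2082 describes.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example path; a real server uses its configured fs_basepath. */
#define GAME_DIR "/var/games/tremulous/base"

/* Hypothetical validator: true only for a plain file name, no path
 * components, ending in ".pk3". */
bool download_name_is_safe(const char *name)
{
    size_t len;

    if (name == NULL)
        return false;
    len = strlen(name);
    if (len == 0 || len > 64)          /* 64: arbitrary cap for this example */
        return false;

    /* No separators or drive/volume syntax: the request must name a file
     * directly in the game directory, never a path. */
    if (strchr(name, '/') || strchr(name, '\\') || strchr(name, ':'))
        return false;

    /* Reject ".." anywhere; conservative, also drops odd names like "..pk3". */
    if (strstr(name, "..") != NULL)
        return false;

    /* Hidden files were never meant to be offered for download. */
    if (name[0] == '.')
        return false;

    /* Only the archive type clients are supposed to fetch. */
    if (len < 5 || strcmp(name + len - 4, ".pk3") != 0)
        return false;

    return true;
}

/* Hardened join: refuse unless the name passes the filter, then write
 * GAME_DIR/name into out. Returns false on rejection or truncation. */
bool build_download_path(const char *name, char *out, size_t outlen)
{
    int n;

    if (!download_name_is_safe(name))
        return false;
    n = snprintf(out, outlen, "%s/%s", GAME_DIR, name);
    return n > 0 && (size_t)n < outlen;
}

int main(void)
{
    /* Constructed sample requests, as a server might receive them. */
    const char *requests[] = {
        "map-atcs.pk3", "../server.cfg", "..\\x.pk3",
        "sub/dir.pk3", ".hidden.pk3", "notes.txt"
    };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        if (build_download_path(requests[i], path, sizeof path))
            printf("serve   %-16s -> %s\n", requests[i], path);
        else
            printf("reject  %-16s\n", requests[i]);
    }
    return 0;
}
```

The validator deliberately rejects rather than sanitises: stripping ".." from a name and serving the remainder leaves the server guessing at client intent, whereas refusing anything that is not a plain archive name keeps the served set equal to the files the operator placed in the game directory.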
The files are read with the privileges of the server, typically the
"tremulous-server" uid. This bug also affects "listen servers" (those where
a player hosts the server and plays the game in the same process), started
via the GUI of the tremulous package; in this case, files are read with
the privileges of the user.
The de facto upstream for the Quake 3 engine is ioquake3, in which this
vulnerability was fixed in r777. Debian's ioquake3 package is not vulnerable.