Bug#660834: tremulous: CVE-2006-3325 ("q3cfilevar-B") configuration overwriting
Simon McVittie
smcv at debian.org
Wed Feb 22 08:58:01 UTC 2012
Package: tremulous
Version: 1.1.0-4.1
Severity: grave
Tags: security
Justification: user security hole
CVE-2006-3325 is a vulnerability in the Quake 3 engine. Due to missing checks,
a malicious server can overwrite configuration variables ("cvars") on clients
connecting to it, even those that are normally write-protected. Some cvars,
such as fs_homepath and cl_allowdownload, are security-sensitive; in
particular, this vulnerability can be combined with CVE-2006-3324 to overwrite
arbitrary files with the user's privileges.
Tremulous is based on a fork of that engine, and version 1.1.0 as shipped
in Debian has the same vulnerability.
The de facto upstream for the Quake 3 engine is ioquake3, in which this
vulnerability was fixed in r811. Debian's ioquake3 package is not vulnerable.
More information about the Pkg-games-devel
mailing list