Bug#660836: tremulous: CVE-2011-2764, CVE-2011-3012 DLL overwriting by malicious bytecode

Simon McVittie smcv at debian.org
Wed Feb 22 09:05:42 UTC 2012


Package: tremulous
Version: 1.1.0-4.1
Severity: grave
Tags: security
Justification: user security hole

CVE-2011-2764 and CVE-2011-3012 are related vulnerabilities in the
Quake 3 engine. By writing a malicious DLL (.so file on Unix platforms),
a program executing in the engine's bytecode virtual machine can trigger
the execution of code outside the virtual machine context. This is
particularly severe if auto-downloading (cl_allowDownload) is enabled, since
clients with cl_allowDownload enabled will automatically download bytecode
from servers to which they connect, and execute it in the virtual machine.

Tremulous is based on a fork of that engine, and version 1.1.0 as shipped
in Debian has the same vulnerability.

The de facto upstream for the Quake 3 engine is ioquake3, in which this
vulnerability (retroactively designated CVE-2011-3012) was partially fixed
in r1405 and r1499. That implementation was incomplete (CVE-2011-2764),
which was fixed in r2098 (Debian bug <http://bugs.debian.org/635734>).
Debian's ioquake3 package is not vulnerable.
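
An added illustration, not part of the original report and not code from ioquake3 or Tremulous: one way a file-write path reachable from the bytecode VM can refuse names that the host could later load as a native library. The function names, the extension list and the sample file names in the comments are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed list of native-library suffixes; an engine would normally
 * only need the one for the platform it is built for. */
static const char *const native_exts[] = { ".so", ".dll", ".dylib" };

/* Case-insensitive test: do the first `len` bytes of name end with ext? */
static int ends_with_ci(const char *name, size_t len, const char *ext)
{
    size_t elen = strlen(ext);
    if (len < elen)
        return 0;
    for (size_t i = 0; i < elen; i++) {
        unsigned char a = (unsigned char)name[len - elen + i];
        unsigned char b = (unsigned char)ext[i];
        if (tolower(a) != tolower(b))
            return 0;
    }
    return 1;
}

/* Returns 1 if a VM-requested write to `name` may proceed, 0 if refused.
 * Constructed examples: "vm/cgame.qvm" is allowed, "cgamei386.so" is not. */
int vm_write_allowed(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    size_t len = strlen(name);
    /* Win32 drops trailing dots and spaces when it opens a path, so
     * "x.dll." lands on disk as "x.dll"; ignore them before comparing. */
    while (len > 0 && (name[len - 1] == '.' || name[len - 1] == ' '))
        len--;
    if (len == 0)
        return 0;
    for (size_t i = 0; i < sizeof native_exts / sizeof native_exts[0]; i++)
        if (ends_with_ci(name, len, native_exts[i]))
            return 0;
    return 1;
}
```

A check like this has to sit on every write, rename and copy path the VM can reach, not only the open-for-write call.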




