
Bug#635738: pu: package openarena/0.8.5-5+squeeze1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

openarena/0.8.5-5+squeeze1 fixes #635733, proposed diff attached.

On Thu, 28 Jul 2011 at 14:11:47 +0100, Simon McVittie wrote:
> ioquake3 1.36+svn1946-4 fixes a security vulnerability. In the stable and
> oldstable distributions, the same code is present in the openarena package.
> 
> Mitigation: do not allow auto-downloading, and do not install untrusted mods.
> 
> From the advisory:
> > Malicious gamecode can Execute arbitrary code outside of
> > Q3 Virtual Machine context
> > ========================================
> > 
> > This bug has been discovered by /dev/humancontroller.
> > 
> >  * details
> > 
> > The Quake3 engine uses game-specific code that is provided in a platform
> > independent bytecode format. This code has restricted access to
> > functionality provided by the engine. It should not be allowed access to
> > data outside the VM context.
> > Over the course of gameplay, the quake3 engine may dynamically load DLL
> > files in certain configurations. For instance, if vm_ui is set to "0" quake3
> > tries to open a DLL file to load the game logic behind the user interface.
> > 
> > Part of the functionality offered to VM logic is the possibility to write to
> > files within the quake3 directory. By writing a malicious DLL file, a
> > program residing in the VM could trigger the execution of code outside the VM
> > context.
> > To prevent this from happening, ioquake3 introduced a file extension check
> > in r1499 which denied writing files with certain names. However, this check
> > was broken and corrected in r2098 only.
> > 
> > This security issue has been around for a long time even in the original
> > quake3 engine and is not limited to ioquake3.
> > It affects a wide range of commercial games as well. It is only exploitable
> > if a user installs 3rd party addons from untrusted sources.
> > Quake3 was never really designed to be secure against malicious 3rd party
> > content, and probably isn't even in latest revisions of ioquake3. So
> > downloading of untrusted content is still discouraged.
> > 
> >  * CVE
> > 
> > CVE-2011-2764 has been assigned for this issue.
> > 
> >  * severity
> > 
> > medium
> > 
> >  * affected OS
> > 
> > All OS with dynamic linker
> > 
> >  * games affected
> > 
> > All games using the quake3 engine
> > 
> >  * workaround
> > 
> > Don't download and install untrusted addons. Set cl_allowdownload to 0
> > 
> >  * patches
> > 
> > Several distributors have already been contacted and have prepared patches
> > for their distributions.
> > A sourcecode patch can be got here:
> > 
> >   http://thilo.tjps.eu/download/patches/ioq3-svn-r2098.diff
diff --git a/debian/changelog b/debian/changelog
index df2dd86..bb1de52 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+openarena (0.8.5-5+squeeze1) stable; urgency=medium
+
+  * Apply upstream r2098 to fix arbitrary code execution by malicious QVM
+    bytecode, which could be auto-downloaded from a malicious server
+    if enabled. CVE-2011-2764 (Closes: #635733)
+
+ -- Simon McVittie <smcv@debian.org>  Thu, 28 Jul 2011 14:22:31 +0100
+
 openarena (0.8.5-5) unstable; urgency=medium
 
   * Add patch (already upstream as oax r239) to fix a crash if a non-client
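Review bot: the changelog entry names only the auto-download path as the way malicious QVM bytecode reaches the client, while the quoted advisory and the mitigation line above also cover third-party mods installed by hand ("do not install untrusted mods"). Consider wording it as "which could be auto-downloaded from a malicious server if enabled, or installed as part of an untrusted mod" so a user who has set cl_allowdownload to 0 does not read the entry as saying they were never exposed.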
diff --git a/debian/patches/0001-Fix-extension-name-comparison-for-DLL-files.patch b/debian/patches/0001-Fix-extension-name-comparison-for-DLL-files.patch
new file mode 100644
index 0000000..8f6dc9a
--- /dev/null
+++ b/debian/patches/0001-Fix-extension-name-comparison-for-DLL-files.patch
@@ -0,0 +1,77 @@
+From: Thilo Schulz <thilo>
+Date: Sun, 24 Jul 2011 22:12:21 +0000
+Subject: Fix extension name comparison for DLL files
+
+[This might make it possible for gamecode to write out a malicious DLL file
+which would be executed if vm_game = 0. Present in r1499, so v1.36 was
+already vulnerable. This is a backport to r1759 -smcv]
+
+Origin: upstream, commit:2098
+Applied-upstream: 1.37
+Bug-CVE: CVE-2011-2764
+---
+ engine/code/qcommon/files.c    |    2 +-
+ engine/code/qcommon/q_shared.c |   24 ++++++++++++++++++++++++
+ engine/code/qcommon/q_shared.h |    1 +
+ 3 files changed, 26 insertions(+), 1 deletions(-)
+
+diff --git a/engine/code/qcommon/files.c b/engine/code/qcommon/files.c
+index 5fca431..e343554 100644
+--- a/engine/code/qcommon/files.c
++++ b/engine/code/qcommon/files.c
+@@ -530,7 +530,7 @@ static void FS_CheckFilenameIsNotExecutable( const char *filename,
+ 		const char *function )
+ {
+ 	// Check if the filename ends with the library extension
+-	if( !Q_stricmp( COM_GetExtension( filename ), DLL_EXT ) )
++	if(COM_CompareExtension(filename, DLL_EXT))
+ 	{
+ 		Com_Error( ERR_FATAL, "%s: Not allowed to manipulate '%s' due "
+ 			"to %s extension\n", function, filename, DLL_EXT );
+diff --git a/engine/code/qcommon/q_shared.c b/engine/code/qcommon/q_shared.c
+index 550d100..50d4479 100644
+--- a/engine/code/qcommon/q_shared.c
++++ b/engine/code/qcommon/q_shared.c
+@@ -96,6 +96,30 @@ void COM_StripExtension( const char *in, char *out, int destsize ) {
+ 		out[length] = 0;
+ }
+ 
++/*
++============
++COM_CompareExtension
++
++string compare the end of the strings and return qtrue if strings match
++============
++*/
++qboolean COM_CompareExtension(const char *in, const char *ext)
++{
++	int inlen, extlen;
++	
++	inlen = strlen(in);
++	extlen = strlen(ext);
++	
++	if(extlen <= inlen)
++	{
++		in += inlen - extlen;
++		
++		if(!Q_stricmp(in, ext))
++			return qtrue;
++	}
++	
++	return qfalse;
++}
+ 
+ /*
+ ==================
+diff --git a/engine/code/qcommon/q_shared.h b/engine/code/qcommon/q_shared.h
+index e2f9f01..b2ee019 100644
+--- a/engine/code/qcommon/q_shared.h
++++ b/engine/code/qcommon/q_shared.h
+@@ -623,6 +623,7 @@ float Com_Clamp( float min, float max, float value );
+ char	*COM_SkipPath( char *pathname );
+ const char	*COM_GetExtension( const char *name );
+ void	COM_StripExtension(const char *in, char *out, int destsize);
++qboolean COM_CompareExtension(const char *in, const char *ext);
+ void	COM_DefaultExtension( char *path, int maxSize, const char *extension );
+ 
+ void	COM_BeginParseSession( const char *name );
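Review bot: COM_CompareExtension in the q_shared.c hunk is a plain suffix compare, so it only blocks the intended names if DLL_EXT carries its leading dot; the hunk does not show where DLL_EXT is defined, so please confirm that in the backport rather than inferring it from the files.c caller. The patch description would also benefit from one line on why the old `Q_stricmp( COM_GetExtension( filename ), DLL_EXT )` form in files.c never matched, so a later refactor does not reintroduce it. Minor: the bracketed backport note says "executed if vm_game = 0" while the quoted advisory uses vm_ui = 0 as its example; both cvars select DLL loading, so naming both (or saying "any vm_* cvar set to 0") avoids a reader thinking only one is affected.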
diff --git a/debian/patches/series b/debian/patches/series
index 9a9f298..b23fbea 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+0001-Fix-extension-name-comparison-for-DLL-files.patch
 0001-OpenArena-branding-change-SDL-window-Quake-3-icon-to.patch
 0002-Use-OpenArena-directory-names-in-HOME-on-Unix-Window.patch
 0003-Replace-the-conditionalized-hard-coded-names-in-q_sh.patch
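Review bot: the new series entry reuses the 0001- prefix that 0001-OpenArena-branding-change-SDL-window-Quake-3-icon-to.patch already carries, so the directory now has two files numbered 0001, which confuses anyone regenerating the series with quilt or git tooling. Unless it must apply before the branding patches for the hunks to match, consider appending it as 0004-Fix-extension-name-comparison-for-DLL-files.patch at the end of the series, or renumbering it 0000- if it really has to come first.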

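An added example, not code from the page or from ioquake3/openarena, that reconstructs why the pre-r2098 check in FS_CheckFilenameIsNotExecutable never fired and runs the r2098 suffix comparison over the same names. It assumes that COM_GetExtension returns the text after the last dot (without the dot), that DLL_EXT is defined with a leading dot, and stands in for Q_stricmp with a local case-insensitive compare; the file names are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DLL_EXT ".so"   /* assumption: platform DLL_EXT carries the leading dot */

typedef enum { qfalse, qtrue } qboolean;

/* Stand-in for ioquake3's Q_stricmp: case-insensitive strcmp. */
static int q_stricmp(const char *a, const char *b)
{
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return tolower((unsigned char)*a) - tolower((unsigned char)*b);
}

/* Assumed to mirror COM_GetExtension: part after the last '.', or "" if the
 * last '.' sits before the last '/' (i.e. the basename has no extension). */
static const char *com_get_extension(const char *name)
{
    const char *dot = strrchr(name, '.'), *slash = strrchr(name, '/');
    return (dot && (!slash || slash < dot)) ? dot + 1 : "";
}

/* Pre-r2098 check: compares "so" against ".so", so it never blocks anything. */
qboolean old_check_blocks(const char *filename)
{
    return !q_stricmp(com_get_extension(filename), DLL_EXT) ? qtrue : qfalse;
}

/* r2098 COM_CompareExtension: compare the tail of the name with ext. */
qboolean COM_CompareExtension(const char *in, const char *ext)
{
    size_t inlen = strlen(in), extlen = strlen(ext);
    if (extlen <= inlen && !q_stricmp(in + inlen - extlen, ext))
        return qtrue;
    return qfalse;
}

qboolean new_check_blocks(const char *filename)
{
    return COM_CompareExtension(filename, DLL_EXT);
}

int main(void)
{
    /* Constructed names: two library names (one upper-case), two harmless ones. */
    const char *names[] = { "baseoa/qagamei386.so", "baseoa/UI.SO",
                            "baseoa/levelshot.jpg", "baseoa/notes.so.txt" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-22s old:%d new:%d\n", names[i], old_check_blocks(names[i]), new_check_blocks(names[i]));
    return 0;
}
```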