Bug#660832: tremulous: CVE-2006-3324 ("q3cfilevar-A") arbitrary file overwriting

Simon McVittie smcv at debian.org
Wed Feb 22 08:54:22 UTC 2012


Package: tremulous
Version: 1.1.0-4.1
Severity: grave
Tags: security
Justification: user security hole

CVE-2006-3324 is a vulnerability in the Quake 3 engine. A malicious server
can overwrite arbitrary files in the ~/.q3a directory on clients connecting
to it; in combination with CVE-2006-3325, the same vulnerability could be
used to overwrite arbitrary files anywhere on the filesystem.

Tremulous is based on a fork of that engine, and version 1.1.0 as shipped
in Debian has the same vulnerability (with ~/.tremulous instead of ~/.q3a).

The de facto upstream for the Quake 3 engine is ioquake3, in which this
vulnerability was fixed in r804. Debian's ioquake3 package is not vulnerable.
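
The failure mode above is a client writing to a path that a remote server chose. As an added illustration, not part of this bug report and not code from ioquake3 or Tremulous (and not a description of the r804 change), here is the kind of check a client should run on a server-supplied filename before opening it for writing: it rejects absolute paths, backslashes and drive letters, any "." or ".." component, empty components, control characters and any extension outside an allowlist, then anchors the result under a fixed directory. The ~/.tremulous/base prefix, the allowlist of .pk3 and .cfg, and the function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hardening check for the example; the real engine's
 * filesystem code is not reproduced here. */
#define MAX_OSPATH 256

/* Assumed allowlist of extensions a server may legitimately ask us to write. */
static bool has_allowed_extension(const char *name) {
    static const char *const allowed[] = { ".pk3", ".cfg" };
    const char *dot = strrchr(name, '.');
    if (!dot) return false;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(dot, allowed[i]) == 0) return true;
    return false;
}

/* Every '/'-separated component must be non-empty and not "." or "..",
 * so "a//b", "x/", "./x" and "../x" are all refused. */
static bool components_are_safe(const char *name) {
    const char *p = name;
    for (;;) {
        const char *end = p;
        while (*end && *end != '/') end++;
        size_t len = (size_t)(end - p);
        if (len == 0) return false;
        if (len == 1 && p[0] == '.') return false;
        if (len == 2 && p[0] == '.' && p[1] == '.') return false;
        if (*end == '\0') return true;
        p = end + 1;
    }
}

/* Returns true and fills out with "<homedir>/.tremulous/base/<name>" when
 * name is acceptable; returns false (and an empty out) otherwise. */
bool sanitize_write_path(const char *homedir, const char *name,
                         char *out, size_t outlen) {
    if (!homedir || !name || !out || outlen == 0) return false;
    out[0] = '\0';
    size_t n = strlen(name);
    if (n == 0 || n >= MAX_OSPATH) return false;
    if (name[0] == '/' || name[0] == '\\') return false;        /* absolute path */
    if (strchr(name, '\\') || strchr(name, ':')) return false;   /* backslash, drive letter */
    for (size_t i = 0; i < n; i++)                               /* control characters */
        if ((unsigned char)name[i] < 0x20 || name[i] == 0x7f) return false;
    if (!components_are_safe(name)) return false;
    if (!has_allowed_extension(name)) return false;
    int written = snprintf(out, outlen, "%s/.tremulous/base/%s", homedir, name);
    if (written < 0 || (size_t)written >= outlen) { out[0] = '\0'; return false; }
    return true;
}

/* Convenience wrapper: pointer to a static buffer, or NULL when rejected. */
const char *resolve_write_path(const char *homedir, const char *name) {
    static char buf[MAX_OSPATH * 2];
    return sanitize_write_path(homedir, name, buf, sizeof buf) ? buf : NULL;
}

int main(void) {
    /* Constructed sample of server-supplied names, not captured traffic. */
    const char *samples[] = { "maps/mymap.pk3", "q3config.cfg", "../../.bashrc",
                              "/etc/passwd", "..\\..\\x.cfg", "autoexec.cfg/",
                              "evil.so", "a//b.pk3" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *p = resolve_write_path("/home/alice", samples[i]);
        printf("%-18s -> %s\n", samples[i], p ? p : "REJECTED");
    }
    return 0;
}
```

The traversal case is what turns a write inside ~/.tremulous into a write anywhere on the filesystem, so the component check is the part that must not be skipped; the extension allowlist is a second, independent line of defence that limits what a write inside the game directory can do even if a future bug bypasses the first.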