Tremulous Inherited Issues

Posted Feb 23, 2012
Authored by Simon McVittie

Tremulous, a team-based FPS game with RTS elements, suffers from a large number of old Quake-related vulnerabilities.

tags | advisory, vulnerability
advisories | CVE-2006-2082, CVE-2006-2236, CVE-2006-2875, CVE-2006-3324, CVE-2006-3325, CVE-2011-2674, CVE-2011-3012
SHA-256 | 957204bc8a1064b5afc2c54e973081970d37c715e0429db6d279810022212fd1

Background
==========

Tremulous is a team-based FPS game with RTS elements. Its engine and
game logic are based on the GPL source release of the Quake III Arena
engine and game logic by id Software.

The de facto upstream developer of the Quake III engine is now another
fork, ioquake3; in particular, ioquake3 fixes many security
vulnerabilities present in the original Quake III Arena source release.
Unlike (for instance) OpenArena or Urban Terror, Tremulous has diverged
from the original Quake III Arena engine, so it cannot be played using
an unmodified ioquake3 engine.

The Tremulous website advertises two versions of the game:

* 1.1.0, a stable release (released 2006-03-31). This is packaged
  in Debian/Ubuntu stable releases, and also appears to be packaged
  in FreeBSD, openSUSE and Gentoo.

* GPP1 ("Gameplay Preview 1"), a preview release (2009-12-03) of
  what will eventually become Tremulous 1.2. This
  appears to be packaged in Fedora stable releases.

In addition, there are several unofficial engine updates compatible with
1.1.0, notably a backport by Tony White (TJW), and a set of updated
client and server provided by Mercenaries' Guild. These are not
publicized by the main Tremulous website, but they are apparently
popular with players, and their functionality has been incorporated into
version 1.2 development.

Vulnerabilities
===============

Numerous security vulnerabilities have been reported and fixed in
ioquake3 since its initial release. Neither Tremulous 1.1.0 nor GPP1
incorporates fixes for all of these vulnerabilities.

I believe this table is more or less accurate, but I have only checked
Tremulous 1.1.0 in detail. If you ship one of the other versions, you
will need to do your own checks.

                Trem-1.1.0  MGC-1.011  MGS-1.01  tjw   Trem-GPP1
CVE-2001-1289   OK          OK         OK        OK    OK
CVE-2005-0430   OK          OK         OK        OK    OK
CVE-2005-0983   OK          OK         OK        OK    OK
CVE-2006-2082   Vuln        n/a        ?         Vuln  OK
CVE-2006-2236   Vuln        OK         n/a       OK    OK
CVE-2006-2875   Vuln        OK         n/a       OK    OK
CVE-2006-3324   Vuln        OK         n/a       Vuln  OK
CVE-2006-3325   Vuln        OK         n/a       Vuln  OK
CVE-2006-3400   OK          OK         OK        OK    OK
CVE-2006-3401   OK          OK         OK        OK    OK
CVE-2011-1412   OK          OK         OK        OK    OK
CVE-2011-2674   Vuln        Vuln       n/a       Vuln  Vuln
CVE-2011-3012   Vuln        OK         n/a       Vuln  OK

(For completeness, the table lists all CVE IDs I've found listed for
either Quake III Arena or ioquake3.)

Key: Trem-1.1.0 = Tremulous 1.1.0 (2006-03-31)
     MGC-1.011  = MercenariesGuild client 1.011 when used as a client
     MGS-1.01   = MercenariesGuild server 1.01 when used as a server
     tjw        = http://tremulous.tjw.org/backport/
     Trem-GPP1  = Tremulous Gameplay Preview 1 (1.2 prerelease,
                  2009-12-03)

     Vuln    = vulnerable
     partial = partial fix, probably still vulnerable
     n/a     = server-specific bug not applicable to client or vice versa

In addition, searching ioquake3 commit history reveals a number of
commits which do not appear to be related to a CVE number, but could be
security-sensitive. I have not analyzed which of these could affect the
Tremulous engine. If you cause a new CVE number to be assigned for any
changes made to ioquake3 in the past (as was done for CVE-2011-3012),
please include a prominent reference to the relevant svn revision in any
advisory, so that CVE numbers can be correlated with the changes required.

Finally, to the best of my knowledge, ioquake3 upstream do not consider
the QVM bytecode interpreter to be safe for use with untrusted bytecode;
this means that auto-downloading (cl_allowDownload 1) is not considered
to be safe under any circumstances. This is particularly the case for
engines which do not have the interpreter/JIT hardening work that was
done in ioquake3 at svn revisions around 1687, 1717 and 2000, none of
which is present in at least Tremulous 1.1.0.

Response
========

I have not received any response from Tremulous developers since I
contacted them privately 1 month ago.

Distributions like Debian, Fedora and Ubuntu should either fix the open
vulnerabilities, or remove affected Tremulous versions from their
repositories entirely.

I have uploaded tremulous 1.1.0-7 to Debian, with backports of the
various CVE fixes from ioquake3, and some additional pre-emptive changes
for potential bugs which are not known to be exploitable (avoiding
non-constant format strings and sprintf() into a fixed-length buffer).
Patches which I believe to be correct are available at
<http://anonscm.debian.org/gitweb/?p=pkg-games/tremulous.git;a=tree;f=debian/patches>
or by cloning the git repository
<git://anonscm.debian.org/pkg-games/tremulous.git>. Please contact me
via the Debian bug tracking system or the Games Team mailing list
<debian-devel-games@lists.debian.org> with testing results or
corrections for these patches.
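
The two pre-emptive changes named above (constant format strings, and no sprintf() into a fixed-length buffer) look like this in miniature. This is an added example, not code from the Debian patches or the Tremulous source; `fmt_bounded`, `build_path`, `log_message` and `NAME_BUF` are hypothetical names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16 /* constructed size standing in for a fixed-length buffer */

/* Bounded formatter: never writes past dst[size-1], always NUL-terminates.
 * Returns 1 if the whole result fit, 0 if it was truncated or failed. */
static int fmt_bounded(char *dst, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(dst, size, fmt, ap);
    va_end(ap);
    if (n < 0) {
        dst[0] = '\0';
        return 0;
    }
    return (size_t)n < size; /* n is the length the full result needed */
}

/* Replaces the pattern  sprintf(out, "%s/%s", dir, name);
 * which has no bound on how much dir and name can write. */
int build_path(char *out, size_t size, const char *dir, const char *name)
{
    return fmt_bounded(out, size, "%s/%s", dir, name);
}

/* Replaces the pattern  printf(untrusted);
 * With a constant "%s" format, any % directives in the input are plain data. */
int log_message(char *out, size_t size, const char *untrusted)
{
    return fmt_bounded(out, size, "%s", untrusted);
}

int main(void)
{
    char buf[NAME_BUF];
    int ok = build_path(buf, sizeof buf, "base", "a_very_long_file_name.pk3");
    printf("fit=%d len=%zu text=%s\n", ok, strlen(buf), buf);
    log_message(buf, sizeof buf, "%n%x");
    printf("logged: %s\n", buf);
    return 0;
}
```

Callers should treat a 0 return as an error rather than continue with the truncated string, since a silently shortened path or name can refer to a different object than intended.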

I believe that long-term-supported distributions should also mitigate
any future vulnerabilities in the ioquake3 bytecode interpreter by
removing client-side support for auto-downloading (always behaving as if
configured with cl_allowDownload 0) in their stable releases. I have
made this change in Debian's tremulous 1.1.0-7 package, but not yet in
Debian's ioquake3 package.

Regards,
S