Bug#684143: redeclipse: security issues with transmitted map cfgs

2012-08-07 Thread Martin Erik Werner
Package: redeclipse
Version: 1.2-2
Severity: grave
Tags: security patch upstream
Justification: user security hole

A security issue with execution of map cfg (script) files could allow these 
scripts the same r/w access to files as the user running the game client.

This issue has been patched upstream, which makes it harder to exploit.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (300, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages redeclipse depends on:
ii  dpkg  1.16.4.3
ii  libc6 2.13-33
ii  libenet1a 1.3.3-2
ii  libgcc1   1:4.7.1-2
ii  libgl1-mesa-glx [libgl1]  8.0.3-1
ii  libsdl-image1.2   1.2.12-2
ii  libsdl-mixer1.2   1.2.12-2
ii  libsdl1.2debian   1.2.15-5
ii  libstdc++6  4.7.1-2
ii  libx11-6  2:1.5.0-1
ii  redeclipse-data   1.2-1
ii  zlib1g  1:1.2.7.dfsg-13

redeclipse recommends no packages.

redeclipse suggests no packages.

-- no debconf information





Bug#684143: redeclipse: security issues with transmitted map cfgs

2012-08-07 Thread Martin Erik Werner
Extended description of the issue:
In cube2-engine games, game maps can be transmitted either from server
to client or from client to client, and this includes a config file
(mapname.cfg) which is in cubescript format. This makes it possible
for an attacker to send a malign script via a new map (which must be
chosen by admin on a server, or created in cooperative editing mode). A
script like this could trivially read/write to any files which the user
running the client has access to (it is executed when the client loads
the map).

Patch:
The patch stops textedit commands from being run in map-run
scripts, thus disabling the ability to read/write to user files.

Also attached new patch file including this description.
From 52fdd35c3ffc1ce2e568180eac2da93e179fef2a Mon Sep 17 00:00:00 2001
From: eihrul eihrul@2cd6abe5-5779-42d9-9038-cec04ae5ff40
Date: Sun, 22 Jul 2012 21:22:55 +
Subject: [PATCH] text command fix
Comment:
 Game maps can in cube2-engine games be transmitted either from server
 to client or from client to client, which includes a config file
 (mapname.cfg) which is in cubescript format, this makes it possible
 for an attacker to send a malign script via a new map (which must be
 chosen by admin on a server, or created in cooperative editing mode). A
 script like this could trivially read/write to any files which the user
 running the client has access to (it is executed when the client loads
 the map).
 .
 This patch stops textedit commands being able to be run in map-run
 scripts, thus disabling the ability to read/write to user files.

git-svn-id: https://redeclipse.svn.sourceforge.net/svnroot/redeclipse@3764 2cd6abe5-5779-42d9-9038-cec04ae5ff40
---
 src/engine/textedit.h |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/src/engine/textedit.h
+++ b/src/engine/textedit.h
@@ -690,7 +690,7 @@
 
 #define TEXTCOMMAND(f, s, d, body) ICOMMAND(0, f, s, d,\
 editor *top = currentfocus();\
-if(!top) return;\
+if(!top || identflagsIDF_WORLD) return;\
 body\
 )
 
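Review bot: On the added line, identflagsIDF_WORLD appears as a single identifier; if a flag test is intended, the operator between identflags and IDF_WORLD is missing as shown here, and the condition should be written out explicitly and parenthesised, e.g. (identflags & IDF_WORLD). The guard also lives only inside the TEXTCOMMAND macro, so it covers just the commands defined through it; any file-reading or file-writing command registered directly with ICOMMAND is not affected by this change and should be audited separately. The early return is silent, so a one-line comment above the macro saying why commands are refused under IDF_WORLD would help the next reader.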


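The mitigation described in this thread, refusing file-touching commands while a transmitted map cfg is executing, shown as an added example that is not Red Eclipse code and not part of the original messages. It generalizes the patch by placing the check in a command dispatcher rather than in one macro; `Interp`, `CTX_WORLD`, `runscript`, `make_demo` and the `textsave` stand-in command are hypothetical names, and the sample script is constructed.

```cpp
// Added illustration, not Red Eclipse source; every name here is hypothetical.
#include <map>
#include <sstream>
#include <string>
#include <vector>

enum : unsigned { CTX_WORLD = 1u << 0 };  // set while a transmitted map cfg runs
struct Interp {
    typedef void (*Fn)(Interp &, const std::string &);
    struct Cmd { bool privileged; Fn fn; };
    unsigned ctxflags = 0;                // trust context of the running script
    std::vector<std::string> log;         // what ran, and what was refused
    std::map<std::string, Cmd> cmds;

    // Run one "name arg" line; false if the command is unknown or refused.
    bool run(const std::string &line) {
        std::istringstream in(line);
        std::string name, arg;
        in >> name;
        std::getline(in >> std::ws, arg);
        auto it = cmds.find(name);
        if(it == cmds.end()) return false;
        // The gate sits in the dispatcher, so it holds however the command is reached.
        if(it->second.privileged && (ctxflags & CTX_WORLD)) {
            log.push_back("DENIED " + name);
            return false;
        }
        it->second.fn(*this, arg);
        return true;
    }

    // Run a script with extra context flags; returns how many lines did not run.
    int runscript(const std::string &script, unsigned extraflags) {
        struct Restore { unsigned &f; unsigned old; ~Restore() { f = old; } } r{ctxflags, ctxflags};
        ctxflags |= extraflags;           // restored on every exit path
        std::istringstream in(script);
        std::string line; int failed = 0;
        while(std::getline(in, line)) if(!line.empty() && !run(line)) failed++;
        return failed;
    }
};

Interp make_demo() {
    Interp i;
    i.cmds["echo"] = {false, [](Interp &s, const std::string &a) { s.log.push_back("echo " + a); }};
    // Stand-in for a file-writing editor command; it only logs and never touches disk.
    i.cmds["textsave"] = {true, [](Interp &s, const std::string &a) { s.log.push_back("textsave " + a); }};
    return i;
}
```

Run from a local console context (flags 0) both commands execute; run with `CTX_WORLD` the privileged one is refused and logged, which also gives a detection signal for maps that try to use such commands.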