redeclipse: security issues with transmitted map cfgs
Bug #1034148 reported by Martin Erik Werner
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
redeclipse (Debian) | Fix Released | Unknown | |
redeclipse (Fedora) | Fix Released | Medium | |
redeclipse (Ubuntu) | Fix Released | Undecided | Steve Beattie |
Bug Description
Game maps can in cube2-engine games be transmitted either from server
to client or from client to client, which includes a config file
(mapname.cfg) which is in "cubescript" format, this makes it possible
for an attacker to send a malign script via a new map (which must be
chosen by admin on a server, or created in cooperative editing mode). A
script like this could trivially read/write to any files which the user
running the client has access to (it is executed when the client loads
the map).
Patch:
The patch stops "textedit" commands being able to be run in map-run
scripts, thus disabling the ability to read/write to user files.
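
The kind of gate the patch describes, sketched as an added example (not Red Eclipse's code and not the upstream changeset): an interpreter that tracks where the running script came from and refuses commands in the textedit group while a map config is executing, including inside nested execution. The `Interp` type, the `do` command and the `edit_load`/`edit_save` names are hypothetical, and the sample script is constructed.

```cpp
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Where the running script came from; map configs arrive over the network.
enum class Origin { Local, MapCfg };

struct Interp {
    std::map<std::string, bool> is_textedit;   // command name -> in the "textedit" group?
    std::vector<std::string> ran, refused;     // audit trail instead of real side effects
    Origin origin = Origin::Local;             // origin of the script currently executing

    // Run a script with a given origin, restoring the previous origin afterwards.
    void exec(const std::string& script, Origin from) {
        Origin saved = origin;
        origin = from;
        run_lines(script);
        origin = saved;
    }

    // One command per line; "do <cmd> <args>" runs the rest of the line as a
    // nested script, which inherits the current origin instead of resetting it.
    void run_lines(const std::string& script) {
        std::istringstream lines(script);
        for (std::string line; std::getline(lines, line);) {
            std::istringstream words(line);
            std::string name, rest;
            if (!(words >> name)) continue;            // blank line
            std::getline(words, rest);
            if (name == "do") { run_lines(rest); continue; }
            auto it = is_textedit.find(name);
            if (it == is_textedit.end()) continue;     // unknown command
            if (it->second && origin == Origin::MapCfg) refused.push_back(name);
            else ran.push_back(name);
        }
    }
};

// Constructed demo: two ordinary commands and two hypothetical textedit ones.
Interp demo(Origin from) {
    Interp in;
    in.is_textedit = {{"fog", false}, {"skybox", false},
                      {"edit_load", true}, {"edit_save", true}};
    in.exec("fog 200\nedit_load a\ndo edit_save b\nskybox sky\n", from);
    return in;
}
```

The same script run with `Origin::Local` executes all four commands, so the restriction follows the script's origin and not the command itself.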
Changed in redeclipse (Debian):
status: Unknown → Fix Released
Changed in redeclipse (Fedora):
importance: Unknown → Medium
status: Unknown → Fix Released
A flaw was found in the way Red Eclipse handled config files. In cube2-engine games, game maps can be transmitted either from the server to a client, or from client to client. These maps include a config file (mapname.cfg) in "cubescript" format, which allows for an attacker to send a malicious script via a new map. This map must either be chosen by an administrator on the server, or created in co-operative editing mode. A malicious script could then be used to read or write to any files that the user running the client has access to when the victim loads a map with the malicious configuration file.
This has been corrected upstream:
https://sourceforge.net/apps/trac/redeclipse/changeset/3764