redeclipse: security issues with transmitted map cfgs

Bug #1034148 reported by Martin Erik Werner
Affects | Status | Importance | Assigned to | Milestone
redeclipse (Debian) | Fix Released | Unknown | |
redeclipse (Fedora) | Fix Released | Medium | |
redeclipse (Ubuntu) | Fix Released | Undecided | Steve Beattie |

Bug Description

In cube2-engine games, game maps can be transmitted either from server
to client or from client to client. This includes a config file
(mapname.cfg) in "cubescript" format, which makes it possible
for an attacker to send a malign script via a new map (which must be
chosen by an admin on a server, or created in cooperative editing mode). A
script like this could trivially read/write any files which the user
running the client has access to (it is executed when the client loads
the map).

Patch:
The patch stops "textedit" commands from being run in map-run
scripts, thus disabling the ability to read/write to user files.

Tags: patch
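
An added illustration of the mitigation described above, not the upstream patch or Red Eclipse code: a toy interpreter that refuses file-touching commands while a map-supplied script runs, including when the script hides the call behind an alias. All names (Interp, RESTRICTED, run_map_cfg, and textsave as a stand-in for a file-writing editor command) are hypothetical.

```cpp
#include <functional>
#include <map>
#include <sstream>
#include <string>
#include <vector>
// Hypothetical names throughout (Interp, RESTRICTED, textsave as a stand-in
// for a file-writing editor command); not Red Eclipse's identifiers.
enum { RESTRICTED = 1 };                        // command can touch user files
struct Interp {
    struct Cmd { int flags; std::function<void(const std::string &)> fn; };
    std::map<std::string, Cmd> cmds;
    std::map<std::string, std::pair<std::string, bool>> aliases; // body, defined-by-map
    std::vector<std::string> writes, denied;    // what ran, what was refused
    int untrusted = 0;                          // >0 while map-supplied script runs
    Interp() {
        cmds["textsave"] = {RESTRICTED, [this](const std::string &a) { writes.push_back(a); }};
        cmds["alias"] = {0, [this](const std::string &a) {
            auto sp = a.find(' ');              // remember who defined the alias
            if (sp != std::string::npos) aliases[a.substr(0, sp)] = {a.substr(sp + 1), untrusted > 0};
        }};
    }
    // One statement per line: first word is the command, the rest its argument.
    void run(const std::string &script) {
        std::istringstream in(script);
        for (std::string line; std::getline(in, line);) {
            auto sp = line.find(' ');
            std::string name = line.substr(0, sp), arg = sp == std::string::npos ? "" : line.substr(sp + 1);
            auto al = aliases.find(name);
            if (al != aliases.end()) {          // map-defined aliases stay untrusted
                if (al->second.second) run_map_cfg(al->second.first); else run(al->second.first);
                continue;
            }
            auto c = cmds.find(name);
            if (c == cmds.end()) continue;
            // Gate at dispatch, so no amount of script indirection skips it.
            if (untrusted && (c->second.flags & RESTRICTED)) { denied.push_back(name); continue; }
            c->second.fn(arg);
        }
    }
    void run_map_cfg(const std::string &script) { ++untrusted; run(script); --untrusted; }
};
// Constructed input: direct call, alias indirection, alias reused by trusted code.
int denied_after_map_load() {
    Interp in;
    in.run("textsave autoexec.cfg");            // local and trusted: allowed
    in.run_map_cfg("textsave a.cfg\nalias x textsave b.cfg\nx");
    in.run("x");                                // tainted alias, trusted caller
    return in.writes.size() == 1 ? (int)in.denied.size() : -1;
}
```

The check lives in the dispatcher rather than in a scan of the script text, so it holds however the call is spelled; the alias tag covers the case where a map-defined alias is later invoked from a trusted context.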
In , Vincent (vincent-redhat-bugs) wrote :

A flaw was found in the way Red Eclipse handled config files. In cube2-engine games, game maps can be transmitted either from the server to a client, or from client to client. These maps include a config file (mapname.cfg) in "cubescript" format, which allows for an attacker to send a malicious script via a new map. This map must either be chosen by an administrator on the server, or created in co-operative editing mode. A malicious script could then be used to read or write to any files that the user running the client has access to when the victim loads a map with the malicious configuration file.

This has been corrected upstream:

https://sourceforge.net/apps/trac/redeclipse/changeset/3764

In , Vincent (vincent-redhat-bugs) wrote :

Created redeclipse tracking bugs for this issue

Affects: fedora-17 [bug 846372]

Tyler Hicks (tyhicks) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Please review the notes for security update contributors here:

https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes_for_Contributors

A quick review shows that you'll need to update which pocket this update will go into (precise-security), as well as other cosmetic changes to the changelog. Additionally, you should add the appropriate DEP-3 patch tags to debian/patches/security-text-command-fix.patch.

Once that is complete, please set the bug status to confirmed, unassign yourself, and subscribe ubuntu-security-sponsors. Thanks!

Changed in redeclipse (Ubuntu):
assignee: nobody → Martin Erik Werner (arand)
status: New → Incomplete
visibility: private → public
Martin Erik Werner (arand) wrote :

Tyler Hicks: the pocket and changelog should already be fixed, I've added two commits updating the maintainer and tweaking the patch header, hopefully it's all good now?

I have built and upgraded redeclipse successfully on precise.

I have also tested starting the game, playing it briefly, and checked that saving a text file via the standard options->autoexec.cfg texteditor works.

I have NOT tested any proof-of-concept confirming that the security fix itself does what it is intended to do. I have only done tests which would indicate that the package works without regressions.

Removing the quantal branch since it has already been synced from Debian.

Changed in redeclipse (Ubuntu):
status: Incomplete → Confirmed
assignee: Martin Erik Werner (arand) → nobody
Martin Erik Werner (arand) wrote :
Changed in redeclipse (Debian):
status: Unknown → Fix Released
Steve Beattie (sbeattie) wrote :

Thanks, changes look good. I'll get this in the pipeline to go out.

Changed in redeclipse (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Steve Beattie (sbeattie)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package redeclipse - 1.2-2ubuntu0.1

---------------
redeclipse (1.2-2ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE:
    Game maps can in cube2-engine games be transmitted either from server
    to client or from client to client, which includes a config file
    (mapname.cfg) which is in "cubescript" format, this makes it possible
    for an attacker to send a malign script via a new map (which must be
    chosen by admin on a server, or created in cooperative editing mode). A
    script like this could trivially read/write to any files which the user
    running the client has access to (it is executed when the client loads
    the map). (LP: #1034148)
    - Add debian/patches/security-text-command-fix.patch
      This patch stops "textedit" commands being able to be run in map-run
      scripts, thus disabling the ability to read/write to user files.
 -- Martin Erik Werner <email address hidden> Thu, 02 Aug 2012 15:01:30 +0200

Changed in redeclipse (Ubuntu):
status: In Progress → Fix Released
In , Fedora (fedora-redhat-bugs) wrote :

redeclipse-1.2-12.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Changed in redeclipse (Fedora):
importance: Unknown → Medium
status: Unknown → Fix Released
This report contains Public Security information  
Everyone can see this security related information.