[tremulous] fix #796362 - fixed CVE-2011-2764 and CVE-2011-3012

Thu Feb 23 09:42:19 UTC 2012

commit dc8a083a812eb3a5a72cc14f51589d8b70ca1e5c
Author: Jan Kaluza <hanzz.k at gmail.com>
Date:   Thu Feb 23 10:37:17 2012 +0100

    fix #796362 - fixed CVE-2011-2764 and CVE-2011-3012

 tremulous-1.2.0-dll-overwrite.patch |   60 +++++++++++++++++++++++++++++++++++
 tremulous.spec                      |    7 +++-
 2 files changed, 66 insertions(+), 1 deletions(-)
---

diff --git a/tremulous-1.2.0-dll-overwrite.patch b/tremulous-1.2.0-dll-overwrite.patch
new file mode 100644
index 0000000..5be8293
--- /dev/null
+++ b/tremulous-1.2.0-dll-overwrite.patch
@@ -0,0 +1,60 @@
+diff --git a/src/qcommon/files.c b/src/qcommon/files.c
+index 656b8fb..afeeb9b 100644
+--- a/src/qcommon/files.c
++++ b/src/qcommon/files.c
+@@ -531,7 +531,7 @@ static void FS_CheckFilenameIsNotExecutable( const char *filename,
+ 		const char *function )
+ {
+ 	// Check if the filename ends with the library extension
+-	if( !Q_stricmp( COM_GetExtension( filename ), DLL_EXT ) )
++	if(COM_CompareExtension(filename, DLL_EXT))
+ 	{
+ 		Com_Error( ERR_FATAL, "%s: Not allowed to manipulate '%s' due "
+ 			"to %s extension\n", function, filename, DLL_EXT );
+diff --git a/src/qcommon/q_shared.c b/src/qcommon/q_shared.c
+index 59ddf2e..c6ab101 100644
+--- a/src/qcommon/q_shared.c
++++ b/src/qcommon/q_shared.c
+@@ -97,6 +97,30 @@ void COM_StripExtension( const char *in, char *out, int destsize ) {
+ 		out[length] = 0;
+ }
+ 
++/*
++============
++COM_CompareExtension
++
++string compare the end of the strings and return qtrue if strings match
++============
++*/
++qboolean COM_CompareExtension(const char *in, const char *ext)
++{
++	int inlen, extlen;
++	
++	inlen = strlen(in);
++	extlen = strlen(ext);
++	
++	if(extlen <= inlen)
++	{
++		in += inlen - extlen;
++		
++		if(!Q_stricmp(in, ext))
++			return qtrue;
++	}
++	
++	return qfalse;
++}
+ 
+ /*
+ ==================
+diff --git a/src/qcommon/q_shared.h b/src/qcommon/q_shared.h
+index e1b166a..2456b81 100644
+--- a/src/qcommon/q_shared.h
++++ b/src/qcommon/q_shared.h
+@@ -693,6 +693,7 @@ float Com_Clamp( float min, float max, float value );
+ char	*COM_SkipPath( char *pathname );
+ const char	*COM_GetExtension( const char *name );
+ void	COM_StripExtension(const char *in, char *out, int destsize);
++qboolean COM_CompareExtension(const char *in, const char *ext);
+ void	COM_DefaultExtension( char *path, int maxSize, const char *extension );
+ 
+ void	COM_BeginParseSession( const char *name );
diff --git a/tremulous.spec b/tremulous.spec
index 88b613f..f1d237b 100644
--- a/tremulous.spec
+++ b/tremulous.spec
@@ -1,6 +1,6 @@
 Name:           tremulous
 Version:        1.2.0
-Release:        0.3.beta1%{?dist}
+Release:        0.4.beta1%{?dist}
 Summary:        First Person Shooter game based on the Quake 3 engine
 Group:          Amusements/Games
 License:        GPLv2+
@@ -12,6 +12,7 @@ URL:            http://tremulous.net
 Source0:        tremulous-1.2.0.beta1.tar.gz
 Source1:        %{name}.desktop
 Source2:        %{name}.png
+Patch0:         tremulous-1.2.0-dll-overwrite.patch
 BuildRequires:  desktop-file-utils SDL-devel openal-soft-devel libvorbis-devel
 BuildRequires:  libjpeg-devel
 BuildRequires:  libcurl-devel
@@ -42,6 +43,7 @@ removing their ability to respawn by destroying their spawn structures.
 
 %prep
 %setup -q -n tremulous-1.2.beta1
+%patch0 -p1 -b .dll-overwrite
 
 # Rip out the bundled libraries and use the
 # system versions instead
@@ -96,6 +98,9 @@ fi
 %{_datadir}/icons/hicolor/48x48/apps/%{name}.png
 
 %changelog
+* Thu Feb 23 2012 Jan Kaluza <jkaluza at redhat.com> - 1.2.0-0.4.beta1
+- fix #796362 - fixed CVE-2011-2764 and CVE-2011-3012
+
 * Sat Jan 14 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.2.0-0.3.beta1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
 
