oss-sec mailing list archives

CVE Request -- Quake II Server -- two security issues affecting also Alien Arena


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 29 Mar 2010 12:53:59 +0200

Hi Steve, vendors,

  (based on [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=575621)

Richard Stanway posted on QuakeDev Forums page:
  [2] http://www.quakedev.com/forums/index.php?topic=53.0

two new vulnerabilities that also affect the code as present
in Alien Arena (from [2]):

  A, "Multiple auto downloading DoS conditions:
      By supplying various invalid parameters to the download command,
      it is possible to cause a DoS condition by causing the server to
      crash. A path ending in . or / will crash on Linux. Supplying
      a negative offset will cause a crash on all platforms."

  Proposed patch:
  ----------------
    [3] http://corent.proboards.com/index.cgi?action=gotopost&board=bugreport&thread=4761&post=44624

  Public PoC ([4] http://corent.proboards.com/index.cgi?action=gotopost&board=bugreport&thread=4761&post=44611):
  -----------
    cmd download maps/tca-zion.bsp -123456789

  CVSSv2 Score: 4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P
  -------------

  B, "Server-side cvar expansion:
      By passing an unexpanded string containing $macros to the
      server, the server will expand it using its cvars. This can
      be used to leak sensitive information such as the rcon_password cvar."

  Proposed patch: N/A
  ---------------

  Richard, is there a patch for this issue yet?

  Public PoC: [5] http://www.quakedev.com/forums/index.php?topic=53.0
  -----------
  At the client console: "say $rcon_password"

  CVSSv2 Score: 4.0/AV:N/AC:L/Au:S/C:P/I:N/A:N
  -------------

Regarding issue B -- I am not completely sure alienarena-server supports "server-side cvar expansion"
(but I am assuming so). Richard, could you please clarify this?

Steve, could you allocate the CVE ids for these two issues (once issue B is confirmed)?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
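The two reports above describe input that a Quake II-derived server accepts from a client without validation: a download path ending in "." or "/" and a negative download offset (issue A), and a client-supplied string that the server expands against its own cvars, including rcon_password (issue B). The following is an added illustration of the server-side checks a maintainer would want for both; it is not code from Quake II, Alien Arena, or the proposed patch linked above. All names (validate_download, expand_macros_safe, the cvar table and its values) are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* ---- Issue A: validate the download request before touching the file ---- */

typedef enum { DL_OK, DL_BAD_PATH, DL_BAD_OFFSET } dl_status_t;

/* Reject paths that end in '.' or '/' (the reported Linux crash), absolute
 * paths and ".." traversal, and negative offsets (the cross-platform crash).
 * Hypothetical helper; not the game's own code. */
dl_status_t validate_download(const char *path, long offset) {
    size_t len = strlen(path);
    if (len == 0 || len >= 64) return DL_BAD_PATH;
    if (path[0] == '/' || path[0] == '\\') return DL_BAD_PATH;
    if (path[len - 1] == '.' || path[len - 1] == '/') return DL_BAD_PATH;
    if (strstr(path, "..") != NULL) return DL_BAD_PATH;
    if (offset < 0) return DL_BAD_OFFSET;
    return DL_OK;
}

/* ---- Issue B: never expand sensitive cvars in client-originated text ---- */

typedef struct { const char *name; const char *value; bool sensitive; } cvar_t;

/* Constructed cvar table standing in for the server's cvar store. */
static const cvar_t cvars[] = {
    { "hostname",      "example server", false },
    { "sv_maxclients", "16",             false },
    { "rcon_password", "not-a-real-pw",  true  }, /* constructed value */
};

static const cvar_t *find_cvar(const char *name, size_t name_len) {
    for (size_t i = 0; i < sizeof cvars / sizeof cvars[0]; i++)
        if (strlen(cvars[i].name) == name_len &&
            strncmp(cvars[i].name, name, name_len) == 0)
            return &cvars[i];
    return NULL;
}

/* Expand $name macros in text into out (size outsz). Macros naming a
 * sensitive cvar, and names with no cvar, expand to the empty string, so
 * a client cannot read rcon_password back through "say $rcon_password".
 * Returns the number of sensitive macros suppressed, or -1 on truncation. */
int expand_macros_safe(const char *text, char *out, size_t outsz) {
    size_t o = 0;
    int suppressed = 0;
    const char *p = text;
    while (*p) {
        if (*p == '$') {
            const char *start = p + 1, *end = start;
            while (*end && (isalnum((unsigned char)*end) || *end == '_')) end++;
            if (end > start) {
                const cvar_t *cv = find_cvar(start, (size_t)(end - start));
                if (cv && cv->sensitive) {
                    suppressed++;
                } else if (cv) {
                    size_t vl = strlen(cv->value);
                    if (o + vl >= outsz) return -1;
                    memcpy(out + o, cv->value, vl);
                    o += vl;
                }
                p = end;
                continue;
            }
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = *p++;
    }
    out[o] = '\0';
    return suppressed;
}

/* Expand text and compare with the expected output; returns the suppressed
 * count on a match, -2 on a mismatch. Convenience wrapper for checking. */
int check_expansion(const char *text, const char *expected) {
    char buf[128];
    int n = expand_macros_safe(text, buf, sizeof buf);
    return (n >= 0 && strcmp(buf, expected) == 0) ? n : -2;
}

int main(void) {
    printf("negative offset -> %d (expect %d)\n",
           validate_download("maps/tca-zion.bsp", -123456789), DL_BAD_OFFSET);
    printf("trailing slash  -> %d (expect %d)\n",
           validate_download("maps/", 0), DL_BAD_PATH);
    printf("say $rcon_password suppressed: %d\n",
           check_expansion("say $rcon_password", "say "));
    return 0;
}
```

The stronger fix for issue B is to not run macro expansion over client-originated text at all; the sensitive flag above shows the narrower option of keeping expansion while fencing off secrets. For issue A, the offset check matters on every platform, while the trailing "." or "/" check covers the Linux-specific crash in the report.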