Package: iortcw / 1.50a+dfsg1-3+deb9u1

Metadata

Package: iortcw
Version: 1.50a+dfsg1-3+deb9u1
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
security/All Don t load .pk3s as .dlls and don t load user config .patch

MP/code/client/cl_main.c | 4 2 + 2 - 0 !
MP/code/qcommon/files.c | 6 6 + 0 - 0 !
MP/code/sys/sys_main.c | 7 7 + 0 - 0 !
SP/code/client/cl_main.c | 4 2 + 2 - 0 !
SP/code/qcommon/files.c | 6 6 + 0 - 0 !
SP/code/sys/sys_main.c | 7 7 + 0 - 0 !
6 files changed, 30 insertions(+), 4 deletions(-)

 all: don't load .pk3s as .dlls,
 and don't load user config files from .pk3s

security/All Don t open .pk3 files as OpenAL drivers.patch

MP/code/client/snd_openal.c | 8 7 + 1 - 0 !
SP/code/client/snd_openal.c | 8 7 + 1 - 0 !
2 files changed, 14 insertions(+), 2 deletions(-)

 all: don't open .pk3 files as openal drivers

security/All Merge some file writing extension checks.patch

MP/code/client/cl_console.c | 6 6 + 0 - 0 !
MP/code/qcommon/common.c | 6 6 + 0 - 0 !
SP/code/client/cl_console.c | 6 6 + 0 - 0 !
SP/code/qcommon/common.c | 6 6 + 0 - 0 !
4 files changed, 24 insertions(+)

 all: merge some file writing extension checks

Don t require .git index to exist.patch

MP/Makefile | 2 2 + 0 - 0 !
SP/Makefile | 2 2 + 0 - 0 !
2 files changed, 4 insertions(+)

 don't require .git/index to exist

This is normally conditional on ../.git existing, but that check was
(mistakenly?) removed when releasing v1.5a.

security/All Fix improve buffer overflow in MSG_ReadBits MSG_Write.patch

MP/code/qcommon/huffman.c | 49 28 + 21 - 0 !
MP/code/qcommon/msg.c | 45 36 + 9 - 0 !
MP/code/qcommon/qcommon.h | 6 3 + 3 - 0 !
SP/code/qcommon/huffman.c | 49 28 + 21 - 0 !
SP/code/qcommon/msg.c | 65 47 + 18 - 0 !
SP/code/qcommon/qcommon.h | 6 3 + 3 - 0 !
6 files changed, 145 insertions(+), 75 deletions(-)

 all: fix/improve buffer overflow in msg_readbits/msg_writebits

debian/Disable client side auto download by default.patch

MP/code/client/cl_main.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 disable client-side auto-download by default

This feature is a security risk: it downloads executable bytecode.
The interpreter is sandboxed, but a reasonably determined attacker
can probably break out.

Upstream rejected changes in this direction, but we want them in Debian
anyway.

debian/File access methods prevent overwriting DLLs CVE 201.patch

MP/code/qcommon/files.c | 12 8 + 4 - 0 !
SP/code/qcommon/files.c | 10 10 + 0 - 0 !
2 files changed, 18 insertions(+), 4 deletions(-)

 file access methods: prevent overwriting dlls (cve-2011-3012)

This is a known feature regression: it prevents mod DLLs from being
unpacked from PK3 files (FS_CL_ExtractFromPakFile), making it
considerably harder to install mods that contain arbitrary native
code (such as those designed for retail RTCW). The opposite
change, re-introducing the vulnerability, was made in commit
<https://code.google.com/p/iortcw/source/detail?r=133> in order
to fix FS_CL_ExtractFromPakFile.

However, the feature that regresses here cannot be supported without
re-introducing Quake III engine vulnerability CVE-2011-3012, and
breaking some mods seems like a lesser evil than letting
auto-downloads execute arbitrary and potentially malicious native
code, either via a direct unpack of native code or via QVM code
being allowed to open and write a file with the platform's DLL
extension.

FS_CL_ExtractFromPakFile relies on the vulnerable behaviour and is
useless without it, so stub that out too.

Add the same checks in SP file-copying code, for completeness
(although in practice SP should never execute code not provided by
either the retail RTCW binaries, iortcw or a deliberately-installed
mod, because auto-downloading from a server is not applicable there).

Upstream rejected this change, but we want it in Debian anyway.

debian/Remove support for downloading executable updates.patch

MP/code/client/cl_main.c | 163 2 + 161 - 0 !
MP/code/qcommon/qcommon.h | 6 0 + 6 - 0 !
MP/code/sys/sys_unix.c | 22 0 + 22 - 0 !
3 files changed, 2 insertions(+), 189 deletions(-)

 remove support for downloading executable updates

This was off by default, which is good, because downloading
and running unauthenticated code is a serious security issue.

Upstream rejected changes in this direction, but we want them
in Debian anyway.