Package: iortcw | Debian Sources

Package: iortcw / 1.51.b+dfsg1-3

Metadata

Package	Version	Patches format
iortcw	1.51.b+dfsg1-3	3.0 (quilt)

Patch series

view the series file

Patch	File delta	Description
debian/Disable client side auto download by default.patch \| (download)	MP/code/client/cl_main.c \| 2 1 + 1 - 0 ! 1 file changed, 1 insertion(+), 1 deletion(-)	disable client-side auto-download by default This feature is a security risk: it downloads executable bytecode. The interpreter is sandboxed, but a reasonably determined attacker can probably break out. Upstream rejected changes in this direction, but we want them in Debian anyway.
debian/File access methods prevent overwriting DLLs CVE 201.patch \| (download)	MP/code/qcommon/files.c \| 12 8 + 4 - 0 ! SP/code/qcommon/files.c \| 10 10 + 0 - 0 ! 2 files changed, 18 insertions(+), 4 deletions(-)	file access methods: prevent overwriting dlls (cve-2011-3012) This is a known feature regression: it prevents mod DLLs from being unpacked from PK3 files (FS_CL_ExtractFromPakFile), making it considerably harder to install mods that contain arbitrary native code (such as those designed for retail RTCW). The opposite change, re-introducing the vulnerability, was made in commit <https://code.google.com/p/iortcw/source/detail?r=133> in order to fix FS_CL_ExtractFromPakFile. However, the feature that regresses here cannot be supported without re-introducing Quake III engine vulnerability CVE-2011-3012, and breaking some mods seems like a lesser evil than letting auto-downloads execute arbitrary and potentially malicious native code, either via a direct unpack of native code or via QVM code being allowed to open and write a file with the platform's DLL extension. FS_CL_ExtractFromPakFile relies on the vulnerable behaviour and is useless without it, so stub that out too. Add the same checks in SP file-copying code, for completeness (although in practice SP should never execute code not provided by either the retail RTCW binaries, iortcw or a deliberately-installed mod, because auto-downloading from a server is not applicable there). Upstream rejected this change, but we want it in Debian anyway.
debian/Remove support for downloading executable updates.patch \| (download)	MP/code/client/cl_main.c \| 163 2 + 161 - 0 ! MP/code/qcommon/qcommon.h \| 6 0 + 6 - 0 ! MP/code/sys/sys_unix.c \| 20 0 + 20 - 0 ! 3 files changed, 2 insertions(+), 187 deletions(-)	remove support for downloading executable updates This was off by default, which is good, because downloading and running unauthenticated code is a serious security issue. Upstream rejected changes in this direction, but we want them in Debian anyway.

Patch

File delta

Description

debian/Disable client side auto download by default.patch | (download)

MP/code/client/cl_main.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 disable client-side auto-download by default

This feature is a security risk: it downloads executable bytecode.
The interpreter is sandboxed, but a reasonably determined attacker
can probably break out.

Upstream rejected changes in this direction, but we want them in Debian
anyway.

debian/File access methods prevent overwriting DLLs CVE 201.patch | (download)

MP/code/qcommon/files.c | 12 8 + 4 - 0 !
SP/code/qcommon/files.c | 10 10 + 0 - 0 !
2 files changed, 18 insertions(+), 4 deletions(-)

 file access methods: prevent overwriting dlls (cve-2011-3012)

This is a known feature regression: it prevents mod DLLs from being
unpacked from PK3 files (FS_CL_ExtractFromPakFile), making it
considerably harder to install mods that contain arbitrary native
code (such as those designed for retail RTCW). The opposite
change, re-introducing the vulnerability, was made in commit
<https://code.google.com/p/iortcw/source/detail?r=133> in order
to fix FS_CL_ExtractFromPakFile.

However, the feature that regresses here cannot be supported without
re-introducing Quake III engine vulnerability CVE-2011-3012, and
breaking some mods seems like a lesser evil than letting
auto-downloads execute arbitrary and potentially malicious native
code, either via a direct unpack of native code or via QVM code
being allowed to open and write a file with the platform's DLL
extension.

FS_CL_ExtractFromPakFile relies on the vulnerable behaviour and is
useless without it, so stub that out too.

Add the same checks in SP file-copying code, for completeness
(although in practice SP should never execute code not provided by
either the retail RTCW binaries, iortcw or a deliberately-installed
mod, because auto-downloading from a server is not applicable there).

Upstream rejected this change, but we want it in Debian anyway.

debian/Remove support for downloading executable updates.patch | (download)

MP/code/client/cl_main.c | 163 2 + 161 - 0 !
MP/code/qcommon/qcommon.h | 6 0 + 6 - 0 !
MP/code/sys/sys_unix.c | 20 0 + 20 - 0 !
3 files changed, 2 insertions(+), 187 deletions(-)

 remove support for downloading executable updates

This was off by default, which is good, because downloading
and running unauthenticated code is a serious security issue.

Upstream rejected changes in this direction, but we want them
in Debian anyway.