Package: iortcw / 1.51.b+dfsg1-3
Patch series
debian/Disable client side auto download by default.patch
2 1 + 1 - 0 !
Disable client-side auto-download by default

This feature is a security risk: it downloads executable bytecode. The interpreter is sandboxed, but a reasonably determined attacker can probably break out.

Upstream rejected changes in this direction, but we want them in Debian anyway.

debian/File access methods prevent overwriting DLLs CVE 201.patch
File access methods: prevent overwriting DLLs (CVE-2011-3012)

This is a known feature regression: it prevents mod DLLs from being unpacked from PK3 files (FS_CL_ExtractFromPakFile), making it considerably harder to install mods that contain arbitrary native code (such as those designed for retail RTCW). The opposite change, re-introducing the vulnerability, was made in commit <https://code.google.com/p/iortcw/source/detail?r=133> in order to fix FS_CL_ExtractFromPakFile.

However, the feature that regresses here cannot be supported without re-introducing Quake III engine vulnerability CVE-2011-3012, and breaking some mods seems like a lesser evil than letting auto-downloads execute arbitrary and potentially malicious native code, either via a direct unpack of native code or via QVM code being allowed to open and write a file with the platform's DLL extension.

FS_CL_ExtractFromPakFile relies on the vulnerable behaviour and is useless without it, so stub that out too.

Add the same checks in SP file-copying code, for completeness (although in practice SP should never execute code not provided by either the retail RTCW binaries, iortcw or a deliberately-installed mod, because auto-downloading from a server is not applicable there).

Upstream rejected this change, but we want it in Debian anyway.

debian/Remove support for downloading executable updates.patch
Remove support for downloading executable updates

This was off by default, which is good, because downloading and running unauthenticated code is a serious security issue.

Upstream rejected changes in this direction, but we want them in Debian anyway.
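
The kind of check the CVE-2011-3012 patch description above refers to, as an added C sketch that is not the Debian patch or iortcw code: a single gate that refuses to open or copy to any file name ending in a native-library extension. The function names and the extension list are assumptions, and the sketch goes beyond the description by blocking several platforms' extensions rather than only the current platform's.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h> /* strcasecmp (POSIX) */

/* Assumed list: native-library extensions refused regardless of platform. */
static const char *const blocked_ext[] = { ".dll", ".so", ".dylib", NULL };

/* Return 1 if path ends in a blocked extension, compared case-insensitively. */
int has_native_code_ext(const char *path)
{
    size_t plen = strlen(path);
    for (size_t i = 0; blocked_ext[i] != NULL; i++) {
        size_t elen = strlen(blocked_ext[i]);
        if (plen >= elen && strcasecmp(path + plen - elen, blocked_ext[i]) == 0)
            return 1;
    }
    return 0;
}

/* Hypothetical write gate: every open-for-write goes through here. */
FILE *guarded_fopen_write(const char *path)
{
    if (has_native_code_ext(path)) {
        fprintf(stderr, "refusing to write native-code file: %s\n", path);
        return NULL;
    }
    return fopen(path, "wb");
}

/* Hypothetical copy gate: the destination name gets the same check. */
int guarded_copy(const char *src, const char *dst)
{
    if (has_native_code_ext(dst))
        return -1;
    FILE *in = fopen(src, "rb");
    if (in == NULL) return -1;
    FILE *out = guarded_fopen_write(dst);
    if (out == NULL) { fclose(in); return -1; }
    char buf[4096];
    size_t n;
    int rc = 0;
    while ((n = fread(buf, 1, sizeof buf, in)) > 0)
        if (fwrite(buf, 1, n, out) != n) { rc = -1; break; }
    fclose(in);
    if (fclose(out) != 0) rc = -1;
    return rc;
}
```

The check only holds if no write or copy path bypasses the gate, which is why the description applies it to the SP file-copying code as well.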