Package: tremulous / 1.1.0-8~squeeze1

Metadata

Package: tremulous
Version: 1.1.0-8~squeeze1
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
0001 add upstream Makefile.patch

Makefile | 1537 1537 + 0 - 0 !
1 file changed, 1537 insertions(+)

 [patch] add upstream makefile

0002 Avoid building game logic as QVMs.patch

Makefile | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] avoid building game logic as qvms


0003 Don t build q3lcc.patch

Makefile | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] don't build q3lcc


0004 Use USER as default player name.patch

src/client/cl_main.c | 8 7 + 1 - 0 !
1 file changed, 7 insertions(+), 1 deletion(-)

 [patch] use $user as default player name

0005 Fix unaligned access issue.patch

src/qcommon/vm_interpreted.c | 14 4 + 10 - 0 !
1 file changed, 4 insertions(+), 10 deletions(-)

 [patch] fix unaligned access issue

Bug: http://bugzilla.icculus.org/show_bug.cgi?id=3756
Bug-Debian: http://bugs.debian.org/382121

0006 fix abuse of strcpy overlapping source and dest.patch

src/botlib/l_precomp.c | 2 1 + 1 - 0 !
src/botlib/l_script.c | 4 2 + 2 - 0 !
2 files changed, 3 insertions(+), 3 deletions(-)

 [patch] fix abuse of strcpy (overlapping source and dest)

0007 Fix to disappearing cursor on map load Com_Error bug.patch

src/ui/ui_main.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch] fix to disappearing cursor on map load com_error bug

0008 Fixed sort by ping.patch

ui/joinserver.menu | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] fixed sort by ping

0009 Disable JIT QVM interpreter on x86 64.patch

Makefile | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] disable jit qvm compiler on x86-64

It seems to crash on startup, and probably needs merging from ioquake3.
I don't speak assembler, so let's use the tried-and-tested interpreter
instead...

0010 CVE 2006 2082 do not allow download of arbitrary fil.patch

src/server/sv_client.c | 51 43 + 8 - 0 !
1 file changed, 43 insertions(+), 8 deletions(-)

 cve-2006-2082 - do not allow download of arbitrary files from a server

Any file readable by the server user could be read, via ../ sequences.

Original patches by Thilo Schulz, ioquake3 r777 (which fixed the
vulnerability) and r781 (which fixed a regression in r777 where
uninitialized variables led to some allowed downloads being rejected too).

0011 CVE 2006 2236 add bounds checking to COM_StripExtens.patch

src/cgame/cg_weapons.c | 6 3 + 3 - 0 !
src/client/cl_main.c | 2 1 + 1 - 0 !
src/qcommon/files.c | 2 1 + 1 - 0 !
src/qcommon/q_shared.c | 6 4 + 2 - 0 !
src/qcommon/q_shared.h | 2 1 + 1 - 0 !
src/qcommon/vm.c | 2 1 + 1 - 0 !
src/renderer/tr_bsp.c | 2 1 + 1 - 0 !
src/renderer/tr_shader.c | 6 3 + 3 - 0 !
src/ui/ui_main.c | 2 1 + 1 - 0 !
src/ui/ui_players.c | 4 2 + 2 - 0 !
10 files changed, 18 insertions(+), 16 deletions(-)

 cve-2006-2236 - add bounds-checking to com_stripextension

This fixes the "remapShader" exploit by backporting ioquake3 r765, with
a further change to avoid strncpy'ing a string into itself.
Original patch by Thilo Schulz.

0012 CVE 2006 2875 fix stack buffer overflow in CL_ParseD.patch

src/client/cl_parse.c | 28 20 + 8 - 0 !
1 file changed, 20 insertions(+), 8 deletions(-)

 cve-2006-2875 - fix stack buffer overflow in cl_parsedownload

This is exploitable by a modified server. Original patch by Thilo
Schulz, ioquake3 r796.

0013 CVE 2006 3324 fix arbitrary file overwrite on client.patch

src/qcommon/files.c | 51 39 + 12 - 0 !
1 file changed, 39 insertions(+), 12 deletions(-)

 cve-2006-3324 - fix arbitrary file overwrite on client by malicious server

Original patches by Thilo Schulz, ioquake3 r790, r794, r804.
This commit also includes "a few sanity checks for checksum/pakname storage
to fix a crash that can occur under certain circumstances", from r804
and r805.

Bug-Debian: http://bugs.debian.org/660832
Bug-CVE: http://security-tracker.debian.org/tracker/CVE-2006-3324

0014 CVE 2006 3325 fix arbitrary cvar overwriting.patch

src/client/cl_parse.c | 23 21 + 2 - 0 !
src/qcommon/cvar.c | 14 14 + 0 - 0 !
src/qcommon/files.c | 19 18 + 1 - 0 !
src/qcommon/q_shared.h | 3 3 + 0 - 0 !
src/qcommon/qcommon.h | 4 4 + 0 - 0 !
5 files changed, 60 insertions(+), 3 deletions(-)

 cve-2006-3325: fix arbitrary cvar overwriting

Original patch by Thilo Schulz, ioquake3 r811.

Bug-Debian: http://bugs.debian.org/660834
Bug-CVE: http://security-tracker.debian.org/tracker/CVE-2006-3325

0015 CVE 2011 3012 CVE 2011 2764 backport from ioquake3 t.patch

src/qcommon/files.c | 34 34 + 0 - 0 !
src/qcommon/q_shared.c | 24 24 + 0 - 0 !
src/qcommon/q_shared.h | 1 1 + 0 - 0 !
3 files changed, 59 insertions(+)

 cve-2011-3012, cve-2011-2764 - backport from ioquake3 to prevent dll overwriting

This is a backport of several patches:

* part of ioquake3 r1405, from TsT (attempt to prevent DLL overwriting,
  CVE-2011-3012)
* part of ioquake3 r1456, from Patrick Baggett (using __func__)
* ioquake3 r1499, from Tim Angus (fix potential buffer underrun)
* ioquake3 r2098, from Thilo Schulz (fix incomplete DLL overwrite prevention
  in previous commits, CVE-2011-2764)

0016 Always behave as if cl_allowDownload was false.patch

src/client/cl_main.c | 7 5 + 2 - 0 !
1 file changed, 5 insertions(+), 2 deletions(-)

 always behave as if cl_allowdownload was false

Even in current versions of ioquake3, it is not at all obvious whether
running untrusted bytecode is safe. In this older version, it's certainly
not safe, so let's knock out auto-downloading functionality.

0017 Sys_Error do not overflow if an error message exceed.patch

src/unix/unix_main.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 sys_error: do not overflow if an error message exceeds 1024 characters

Backport of ioquake3 r1141 by Thilo Schulz. Not known to be exploitable,
but it can't hurt.

If this turns out to be exploitable, please mention ioquake3 r1141
prominently in any advisory.

0018 Avoid non literal format strings.patch

src/botlib/be_aas_main.c | 2 1 + 1 - 0 !
src/botlib/l_script.c | 2 1 + 1 - 0 !
src/client/cl_cgame.c | 2 1 + 1 - 0 !
src/client/cl_main.c | 2 1 + 1 - 0 !
src/client/cl_parse.c | 2 1 + 1 - 0 !
src/game/g_combat.c | 6 3 + 3 - 0 !
src/ui/ui_main.c | 4 2 + 2 - 0 !
7 files changed, 10 insertions(+), 10 deletions(-)

 avoid non-literal format strings

This is a precautionary measure against potential exploits; none of these
instances is known to be exploitable.

0019 Annotate printf and scanf like functions with gcc at.patch

src/botlib/be_aas_main.h | 2 1 + 1 - 0 !
src/botlib/botlib.h | 2 1 + 1 - 0 !
src/botlib/l_log.h | 4 2 + 2 - 0 !
src/botlib/l_precomp.h | 4 2 + 2 - 0 !
src/botlib/l_script.h | 4 2 + 2 - 0 !
src/cgame/cg_local.h | 4 2 + 2 - 0 !
src/game/bg_lib.h | 2 1 + 1 - 0 !
src/game/g_local.h | 6 3 + 3 - 0 !
src/master/common.h | 2 1 + 1 - 0 !
src/qcommon/q_shared.h | 12 6 + 6 - 0 !
src/qcommon/qcommon.h | 10 5 + 5 - 0 !
src/renderer/tr_public.h | 4 2 + 2 - 0 !
src/server/server.h | 2 1 + 1 - 0 !
src/ui/ui_shared.h | 4 2 + 2 - 0 !
14 files changed, 31 insertions(+), 31 deletions(-)

 annotate printf- and scanf-like functions with gcc attributes

This isn't necessarily suitable for upstream (non-portable) but it
makes -Werror=format-security work better.

0020 Rate limit getstatus and rcon connectionless request.patch

src/server/sv_main.c | 202 196 + 6 - 0 !
1 file changed, 196 insertions(+), 6 deletions(-)

 rate limit getstatus and rcon connectionless requests

Backport of ioquake3 r1762, r1763, r1898, all by Tim Angus <tma>. This
also incorporates a fix for a regression in r1762 in which the server would
stop responding to getstatus after 2**32 ms (about 50 days).

Changes to adapt to Tremulous:

* Remove IPv6 support, Tremulous 1.1.0 does not do IPv6
* Do not assume that NA_BAD == 0 (in this older version it's 1),
  look for literal 0 as the indication that a hash bucket has only been
  zero-filled and not properly initialized
* Remove cosmetic (whitespace/comment) changes