[SCM] Packaging for the OpenArena engine branch, debian-squeeze, updated. debian/0.8.5-5-2-gf2feedc

Simon McVittie smcv at debian.org
Thu Jul 28 13:35:43 UTC 2011


The following commit has been merged in the debian-squeeze branch:
commit 86f4d94641ee0bdbd9165dd03be082530e2f35a0
Author: Simon McVittie <smcv at debian.org>
Date:   Mon Jul 25 22:53:44 2011 +0100

    Apply upstream r2098 to fix arbitrary code execution by malicious QVM bytecode, which could be auto-downloaded from a malicious server if enabled. CVE-2011-2764

diff --git a/debian/changelog b/debian/changelog
index df2dd86..4773173 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+openarena (0.8.5-5+squeeze1) UNRELEASED; urgency=low
+
+  * Apply upstream r2098 to fix arbitrary code execution by malicious QVM
+    bytecode, which could be auto-downloaded from a malicious server
+    if enabled. CVE-2011-2764
+
+ -- Simon McVittie <smcv at debian.org>  Mon, 25 Jul 2011 22:52:33 +0100
+
 openarena (0.8.5-5) unstable; urgency=medium
 
   * Add patch (already upstream as oax r239) to fix a crash if a non-client
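Review bot: The new changelog entry uses urgency=low although it describes an arbitrary code execution fix with a CVE assigned, while the older 0.8.5-5 entry just below it uses urgency=medium; consider raising the urgency to match the severity. The distribution is still UNRELEASED and has to be set to the intended squeeze suite before this is uploaded.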
diff --git a/debian/patches/0001-Fix-extension-name-comparison-for-DLL-files.patch b/debian/patches/0001-Fix-extension-name-comparison-for-DLL-files.patch
new file mode 100644
index 0000000..8f6dc9a
--- /dev/null
+++ b/debian/patches/0001-Fix-extension-name-comparison-for-DLL-files.patch
@@ -0,0 +1,77 @@
+From: Thilo Schulz <thilo>
+Date: Sun, 24 Jul 2011 22:12:21 +0000
+Subject: Fix extension name comparison for DLL files
+
+[This might make it possible for gamecode to write out a malicious DLL file
+which would be executed if vm_game = 0. Present in r1499, so v1.36 was
+already vulnerable. This is a backport to r1759 -smcv]
+
+Origin: upstream, commit:2098
+Applied-upstream: 1.37
+Bug-CVE: CVE-2011-2764
+---
+ engine/code/qcommon/files.c    |    2 +-
+ engine/code/qcommon/q_shared.c |   24 ++++++++++++++++++++++++
+ engine/code/qcommon/q_shared.h |    1 +
+ 3 files changed, 26 insertions(+), 1 deletions(-)
+
+diff --git a/engine/code/qcommon/files.c b/engine/code/qcommon/files.c
+index 5fca431..e343554 100644
+--- a/engine/code/qcommon/files.c
++++ b/engine/code/qcommon/files.c
+@@ -530,7 +530,7 @@ static void FS_CheckFilenameIsNotExecutable( const char *filename,
+ 		const char *function )
+ {
+ 	// Check if the filename ends with the library extension
+-	if( !Q_stricmp( COM_GetExtension( filename ), DLL_EXT ) )
++	if(COM_CompareExtension(filename, DLL_EXT))
+ 	{
+ 		Com_Error( ERR_FATAL, "%s: Not allowed to manipulate '%s' due "
+ 			"to %s extension\n", function, filename, DLL_EXT );
+diff --git a/engine/code/qcommon/q_shared.c b/engine/code/qcommon/q_shared.c
+index 550d100..50d4479 100644
+--- a/engine/code/qcommon/q_shared.c
++++ b/engine/code/qcommon/q_shared.c
+@@ -96,6 +96,30 @@ void COM_StripExtension( const char *in, char *out, int destsize ) {
+ 		out[length] = 0;
+ }
+ 
++/*
++============
++COM_CompareExtension
++
++string compare the end of the strings and return qtrue if strings match
++============
++*/
++qboolean COM_CompareExtension(const char *in, const char *ext)
++{
++	int inlen, extlen;
++	
++	inlen = strlen(in);
++	extlen = strlen(ext);
++	
++	if(extlen <= inlen)
++	{
++		in += inlen - extlen;
++		
++		if(!Q_stricmp(in, ext))
++			return qtrue;
++	}
++	
++	return qfalse;
++}
+ 
+ /*
+ ==================
+diff --git a/engine/code/qcommon/q_shared.h b/engine/code/qcommon/q_shared.h
+index e2f9f01..b2ee019 100644
+--- a/engine/code/qcommon/q_shared.h
++++ b/engine/code/qcommon/q_shared.h
+@@ -623,6 +623,7 @@ float Com_Clamp( float min, float max, float value );
+ char	*COM_SkipPath( char *pathname );
+ const char	*COM_GetExtension( const char *name );
+ void	COM_StripExtension(const char *in, char *out, int destsize);
++qboolean COM_CompareExtension(const char *in, const char *ext);
+ void	COM_DefaultExtension( char *path, int maxSize, const char *extension );
+ 
+ void	COM_BeginParseSession( const char *name );
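Review bot: In COM_CompareExtension (q_shared.c), inlen and extlen are declared int but are assigned from strlen(), which returns size_t; declaring them size_t avoids the implicit narrowing, and the subtraction in "in += inlen - extlen" stays safe because it is only reached when extlen <= inlen. The function's header comment should also state that the comparison is case-insensitive (it uses Q_stricmp) and whether ext is expected to include the leading dot, since FS_CheckFilenameIsNotExecutable in files.c now depends on it as a security check. Note too that an empty ext makes the function return qtrue for every input, because the pointer then lands on the terminator and two empty strings are compared; that case is worth documenting or rejecting explicitly.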
diff --git a/debian/patches/series b/debian/patches/series
index 9a9f298..b23fbea 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+0001-Fix-extension-name-comparison-for-DLL-files.patch
 0001-OpenArena-branding-change-SDL-window-Quake-3-icon-to.patch
 0002-Use-OpenArena-directory-names-in-HOME-on-Unix-Window.patch
 0003-Replace-the-conditionalized-hard-coded-names-in-q_sh.patch
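Review bot: The added series entry reuses the 0001- prefix already carried by 0001-OpenArena-branding-change-SDL-window-Quake-3-icon-to.patch, so the numbering no longer reflects the order in which patches are applied; renumbering, or a prefix that marks this as the security backport, would keep the series readable. Because the new patch is now applied first, it is also worth confirming that the three existing patches still apply cleanly on top of it.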

-- 
Packaging for the OpenArena engine


