[SCM] Packaging for the OpenArena engine branch, debian-squeeze, updated. debian/0.8.5-5-2-gf2feedc
Simon McVittie
smcv at debian.org
Thu Jul 28 13:35:43 UTC 2011
The following commit has been merged in the debian-squeeze branch:
commit 86f4d94641ee0bdbd9165dd03be082530e2f35a0
Author: Simon McVittie <smcv at debian.org>
Date: Mon Jul 25 22:53:44 2011 +0100
Apply upstream r2098 to fix arbitrary code execution by malicious QVM bytecode, which could be auto-downloaded from a malicious server if enabled. CVE-2011-2764
diff --git a/debian/changelog b/debian/changelog
index df2dd86..4773173 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+openarena (0.8.5-5+squeeze1) UNRELEASED; urgency=low
+
+ * Apply upstream r2098 to fix arbitrary code execution by malicious QVM
+ bytecode, which could be auto-downloaded from a malicious server
+ if enabled. CVE-2011-2764
+
+ -- Simon McVittie <smcv at debian.org> Mon, 25 Jul 2011 22:52:33 +0100
+
openarena (0.8.5-5) unstable; urgency=medium
* Add patch (already upstream as oax r239) to fix a crash if a non-client
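Review bot: the new 0.8.5-5+squeeze1 entry is marked urgency=low even though it describes an arbitrary code execution fix with a CVE assigned, while the previous 0.8.5-5 entry used urgency=medium for a crash fix. Consider raising the urgency before the entry leaves UNRELEASED, and name the patch file (0001-Fix-extension-name-comparison-for-DLL-files.patch) in the entry so the changelog points at what actually changed.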
diff --git a/debian/patches/0001-Fix-extension-name-comparison-for-DLL-files.patch b/debian/patches/0001-Fix-extension-name-comparison-for-DLL-files.patch
new file mode 100644
index 0000000..8f6dc9a
--- /dev/null
+++ b/debian/patches/0001-Fix-extension-name-comparison-for-DLL-files.patch
@@ -0,0 +1,77 @@
+From: Thilo Schulz <thilo>
+Date: Sun, 24 Jul 2011 22:12:21 +0000
+Subject: Fix extension name comparison for DLL files
+
+[This might make it possible for gamecode to write out a malicious DLL file
+which would be executed if vm_game = 0. Present in r1499, so v1.36 was
+already vulnerable. This is a backport to r1759 -smcv]
+
+Origin: upstream, commit:2098
+Applied-upstream: 1.37
+Bug-CVE: CVE-2011-2764
+---
+ engine/code/qcommon/files.c | 2 +-
+ engine/code/qcommon/q_shared.c | 24 ++++++++++++++++++++++++
+ engine/code/qcommon/q_shared.h | 1 +
+ 3 files changed, 26 insertions(+), 1 deletions(-)
+
+diff --git a/engine/code/qcommon/files.c b/engine/code/qcommon/files.c
+index 5fca431..e343554 100644
+--- a/engine/code/qcommon/files.c
++++ b/engine/code/qcommon/files.c
+@@ -530,7 +530,7 @@ static void FS_CheckFilenameIsNotExecutable( const char *filename,
+ const char *function )
+ {
+ // Check if the filename ends with the library extension
+- if( !Q_stricmp( COM_GetExtension( filename ), DLL_EXT ) )
++ if(COM_CompareExtension(filename, DLL_EXT))
+ {
+ Com_Error( ERR_FATAL, "%s: Not allowed to manipulate '%s' due "
+ "to %s extension\n", function, filename, DLL_EXT );
+diff --git a/engine/code/qcommon/q_shared.c b/engine/code/qcommon/q_shared.c
+index 550d100..50d4479 100644
+--- a/engine/code/qcommon/q_shared.c
++++ b/engine/code/qcommon/q_shared.c
+@@ -96,6 +96,30 @@ void COM_StripExtension( const char *in, char *out, int destsize ) {
+ out[length] = 0;
+ }
+
++/*
++============
++COM_CompareExtension
++
++string compare the end of the strings and return qtrue if strings match
++============
++*/
++qboolean COM_CompareExtension(const char *in, const char *ext)
++{
++ int inlen, extlen;
++
++ inlen = strlen(in);
++ extlen = strlen(ext);
++
++ if(extlen <= inlen)
++ {
++ in += inlen - extlen;
++
++ if(!Q_stricmp(in, ext))
++ return qtrue;
++ }
++
++ return qfalse;
++}
+
+ /*
+ ==================
+diff --git a/engine/code/qcommon/q_shared.h b/engine/code/qcommon/q_shared.h
+index e2f9f01..b2ee019 100644
+--- a/engine/code/qcommon/q_shared.h
++++ b/engine/code/qcommon/q_shared.h
+@@ -623,6 +623,7 @@ float Com_Clamp( float min, float max, float value );
+ char *COM_SkipPath( char *pathname );
+ const char *COM_GetExtension( const char *name );
+ void COM_StripExtension(const char *in, char *out, int destsize);
++qboolean COM_CompareExtension(const char *in, const char *ext);
+ void COM_DefaultExtension( char *path, int maxSize, const char *extension );
+
+ void COM_BeginParseSession( const char *name );
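Review bot: in the new COM_CompareExtension in q_shared.c, inlen and extlen are declared int but hold the results of strlen(); declaring them size_t would avoid the implicit narrowing, and the existing "extlen <= inlen" guard would still keep "in += inlen - extlen" inside the string. The function comment should also state that the comparison is case-insensitive (it goes through Q_stricmp) and that ext is matched as a raw suffix, so callers have to pass the extension spelled exactly as DLL_EXT is. The bracketed backport note gives the impact but not the reason the old Q_stricmp( COM_GetExtension( filename ), DLL_EXT ) test did not match; one sentence on that in the patch header would help whoever audits this later.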
diff --git a/debian/patches/series b/debian/patches/series
index 9a9f298..b23fbea 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+0001-Fix-extension-name-comparison-for-DLL-files.patch
0001-OpenArena-branding-change-SDL-window-Quake-3-icon-to.patch
0002-Use-OpenArena-directory-names-in-HOME-on-Unix-Window.patch
0003-Replace-the-conditionalized-hard-coded-names-in-q_sh.patch
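Review bot: the added series entry 0001-Fix-extension-name-comparison-for-DLL-files.patch shares its 0001- prefix with the existing 0001-OpenArena-branding-change-SDL-window-Quake-3-icon-to.patch on the next line, so the numbering no longer identifies a patch or its position. Applying the upstream backport first is reasonable, but give it a distinct prefix or renumber the later patches so the series order and the file names agree.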
--
Packaging for the OpenArena engine