[SCM] team based FPS game - packaging branch, debian, updated. debian/1.1.0-5-4-gdb361a5

Simon McVittie smcv at debian.org
Wed Feb 22 09:40:38 UTC 2012


The following commit has been merged in the debian branch:
commit 54e6acce05572060ce1a6e09fbd7a38981cc29a9
Author: Simon McVittie <smcv at debian.org>
Date:   Mon Feb 20 23:04:07 2012 +0000

    As a precaution, disable auto-downloading

diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 0000000..1a9d26b
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,16 @@
+tremulous (1.1.0-6) UNRELEASED; urgency=medium
+
+  This version of Tremulous is based on an older version of the Quake III
+  Arena engine, which has no protection against malicious bytecode programs.
+  It is not safe or secure when used with untrusted PK3 files.
+
+  As a result, the Debian version of Tremulous no longer allows automatic
+  downloading of PK3 files from game servers. The "Auto Download" menu
+  option (the cl_allowDownload variable) still exists, but has no effect,
+  and the engine always behaves as if it was set to 0. You may find that
+  you are unable to join servers that use a modified version of Tremulous.
+
+  Please treat all PK3 files as if they were executable programs, and only
+  install them from trusted sources.
+
+ -- Simon McVittie <smcv at debian.org>  Sun, 11 Dec 2011 17:52:26 +0000
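Review bot: the trailer line of this new NEWS entry is dated Sun, 11 Dec 2011 17:52:26 +0000, which predates the patch it documents (Mon, 20 Feb 2012 in the commit and in 0016's header) and does not match the changelog trailer for the same 1.1.0-6 entry (Sun, 11 Dec 2011 17:35:38 +0000 in the next hunk). NEWS and changelog trailers for one version should carry the same timestamp, so refresh this line (and the changelog's) at upload time. The text itself is clear; one small addition worth making is naming the cause the changelog already names, i.e. that a malicious server can use auto-download to overwrite files on the client (CVE-2011-3012, CVE-2011-2764), so a user reading only NEWS understands why the option is inert.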
diff --git a/debian/changelog b/debian/changelog
index 8413f29..98d0bd8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,7 @@ tremulous (1.1.0-6) UNRELEASED; urgency=medium
     - CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary
       code execution) in clients of a malicious server if auto-downloading
       is enabled
+  * As a precaution, disable auto-downloading
 
  -- Simon McVittie <smcv at debian.org>  Sun, 11 Dec 2011 17:35:38 +0000
 
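Review bot: the new bullet `+  * As a precaution, disable auto-downloading` is placed directly under the CVE list, so it reads as a continuation of that fix rather than a separate, deliberate removal of functionality. Suggest giving it its own bullet with the patch name and a pointer to NEWS, for example `* Always behave as if cl_allowDownload was 0 (debian/patches/0016); see NEWS`, so that someone searching the changelog for cl_allowDownload finds the reason the setting no longer works.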
diff --git a/debian/patches/0016-Always-behave-as-if-cl_allowDownload-was-false.patch b/debian/patches/0016-Always-behave-as-if-cl_allowDownload-was-false.patch
new file mode 100644
index 0000000..f6967f8
--- /dev/null
+++ b/debian/patches/0016-Always-behave-as-if-cl_allowDownload-was-false.patch
@@ -0,0 +1,39 @@
+From: Simon McVittie <smcv at debian.org>
+Date: Mon, 20 Feb 2012 23:03:45 +0000
+Subject: Always behave as if cl_allowDownload was false
+
+Even in current versions of ioquake3, it is not at all obvious whether
+running untrusted bytecode is safe. In this older version, it's certainly
+not safe, so let's knock out auto-downloading functionality.
+
+Origin: vendor, Debian
+Forwarded: no, Debian-specific removal of functionality
+---
+ src/client/cl_main.c |    7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/client/cl_main.c b/src/client/cl_main.c
+index 7b562bd..8b96dd4 100644
+--- a/src/client/cl_main.c
++++ b/src/client/cl_main.c
+@@ -1430,7 +1430,10 @@ and determine if we need to download them
+ void CL_InitDownloads(void) {
+   char missingfiles[1024];
+ 
+-  if ( !cl_allowDownload->integer )
++  // Debian-specific patch to allow for longer-term support: auto-downloading
++  // is not safe in this version of the engine, so always behave as if
++  // cl_allowDownload had been disabled.
++  if ( 1 )
+   {
+     // autodownload is disabled on the client
+     // but it's possible that some referenced files on the server are missing
+@@ -1440,7 +1443,7 @@ void CL_InitDownloads(void) {
+       //   but at this point while joining the game we don't know wether we will successfully join or not
+       Com_Printf( "\nWARNING: You are missing some files referenced by the server:\n%s"
+                   "You might not be able to join the game\n"
+-                  "Go to the setting menu to turn on autodownload, or get the file elsewhere\n\n", missingfiles );
++                  "\n", missingfiles );
+     }
+   }
+   else if ( FS_ComparePaks( clc.downloadList, sizeof( clc.downloadList ) , qtrue ) ) {
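Review bot: replacing `if ( !cl_allowDownload->integer )` with `if ( 1 )` leaves the `else if ( FS_ComparePaks( clc.downloadList, sizeof( clc.downloadList ) , qtrue ) )` branch as unreachable code, which is the intended effect but is invisible to anyone reading the function later and will draw constant-condition or unreachable-code warnings from some compilers. Prefer making the intent explicit in the code rather than in a comment alone, for example a named constant such as `#define CL_DEBIAN_ALLOW_DOWNLOAD 0` tested as `if ( !CL_DEBIAN_ALLOW_DOWNLOAD )`, or wrapping the download branch in `#if 0` with the same explanatory comment, so a future merge against upstream does not silently reintroduce the download path. The removal of the "Go to the setting menu to turn on autodownload" hint from the Com_Printf message is correct given the option is now inert; the remaining string ends the warning with a bare "\n", which still terminates the message cleanly. The patch header's count (5 insertions, 2 deletions) matches the hunk.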
diff --git a/debian/patches/series b/debian/patches/series
index 012065f..4548181 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@
 0013-CVE-2006-3324-fix-arbitrary-file-overwrite-on-client.patch
 0014-CVE-2006-3325-fix-arbitrary-cvar-overwriting.patch
 0015-CVE-2011-3012-CVE-2011-2764-backport-from-ioquake3-t.patch
+0016-Always-behave-as-if-cl_allowDownload-was-false.patch

-- 
team based FPS game - packaging
