[iortcw] 06/17: Add patches to harden security of MP client

Simon McVittie smcv at debian.org
Sun Aug 16 19:35:12 UTC 2015



smcv pushed a commit to branch master
in repository iortcw.

commit a9e2fa0008f19d6a11704f77587744e4ecca24ba
Author: Simon McVittie <smcv at debian.org>
Date:   Tue Jul 14 11:37:55 2015 +0100

    Add patches to harden security of MP client
---
 debian/changelog                                   |   5 +
 ...able-client-side-auto-download-by-default.patch |  24 +++++
 ...-methods-prevent-overwriting-DLLs-CVE-201.patch | 102 +++++++++++++++++++++
 debian/patches/series                              |   2 +
 4 files changed, 133 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 8606d0b..9ca48b4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,5 +12,10 @@ iortcw (1.42b+20150713+dfsg1-1) UNRELEASED; urgency=low
       and use system copies of those libraries instead:
       cURL, Freetype, libjpeg, libogg, OpenAL, libopus, SDL2, libvorbis, zlib
     - run in a window by default per Games Team policy
+    - disable auto-downloading by default since it is a security risk
+    - reinstate checks for executable file overwriting and remove code to
+      unpack arbitrary native code from (potentially auto-downloaded)
+      game mods, fixing vulnerabilities similar to CVE-2011-3012 but
+      breaking some mods as an unfortunate but unavoidable side-effect
 
  -- Simon McVittie <smcv at debian.org>  Tue, 17 Mar 2015 23:01:37 +0000
diff --git a/debian/patches/Disable-client-side-auto-download-by-default.patch b/debian/patches/Disable-client-side-auto-download-by-default.patch
new file mode 100644
index 0000000..fb9f1ca
--- /dev/null
+++ b/debian/patches/Disable-client-side-auto-download-by-default.patch
@@ -0,0 +1,24 @@
+From: Simon McVittie <smcv at debian.org>
+Date: Mon, 23 Mar 2015 23:17:56 +0000
+Subject: Disable client-side auto-download by default
+
+This feature is a security risk: it downloads executable bytecode.
+The interpreter is sandboxed, but a reasonably determined attacker
+can probably break out.
+---
+ MP/code/client/cl_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/MP/code/client/cl_main.c b/MP/code/client/cl_main.c
+index bba48a2..619d89b 100644
+--- a/MP/code/client/cl_main.c
++++ b/MP/code/client/cl_main.c
+@@ -4037,7 +4037,7 @@ void CL_Init( void ) {
+ 
+ 	cl_showMouseRate = Cvar_Get( "cl_showmouserate", "0", 0 );
+ 
+-	cl_allowDownload = Cvar_Get( "cl_allowDownload", "1", CVAR_ARCHIVE );
++	cl_allowDownload = Cvar_Get( "cl_allowDownload", "0", CVAR_ARCHIVE );
+ #ifdef USE_CURL_DLOPEN
+ 	cl_cURLLib = Cvar_Get("cl_cURLLib", DEFAULT_CURL_LIB, CVAR_ARCHIVE);
+ #endif
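Review bot: Changing the registered default of `cl_allowDownload` to "0" only takes effect for fresh configurations: the cvar is created with `CVAR_ARCHIVE`, and if that flag persists the value to the user's config file as it does elsewhere in this engine family (not shown here), a client that already saved `cl_allowDownload 1` keeps auto-downloading after the upgrade. The patch description should say that existing configs are not migrated, and the registration line deserves a why-comment, e.g. `// default off: auto-download fetches executable QVM bytecode from arbitrary servers`. The server-side counterpart is untouched, so this is a client-only default change, as the subject states. CL_Init begins and ends outside the hunk.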
diff --git a/debian/patches/File-access-methods-prevent-overwriting-DLLs-CVE-201.patch b/debian/patches/File-access-methods-prevent-overwriting-DLLs-CVE-201.patch
new file mode 100644
index 0000000..7b4998f
--- /dev/null
+++ b/debian/patches/File-access-methods-prevent-overwriting-DLLs-CVE-201.patch
@@ -0,0 +1,102 @@
+From: Simon McVittie <smcv at debian.org>
+Date: Tue, 14 Jul 2015 11:19:39 +0100
+Subject: File access methods: prevent overwriting DLLs (CVE-2011-3012)
+
+This is a known feature regression: it prevents mod DLLs from being
+unpacked from PK3 files (FS_CL_ExtractFromPakFile), making it
+considerably harder to install mods that contain arbitrary native
+code (such as those designed for retail RTCW). The opposite
+change, re-introducing the vulnerability, was made in commit
+<https://code.google.com/p/iortcw/source/detail?r=133> in order
+to fix FS_CL_ExtractFromPakFile.
+
+However, the feature that regresses here cannot be supported without
+re-introducing Quake III engine vulnerability CVE-2011-3012, and
+breaking some mods seems like a lesser evil than letting
+auto-downloads execute arbitrary and potentially malicious native
+code, either via a direct unpack of native code or via QVM code
+being allowed to open and write a file with the platform's DLL
+extension.
+
+FS_CL_ExtractFromPakFile relies on the vulnerable behaviour and is
+useless without it, so stub that out too.
+
+Add the same checks in SP file-copying code, for completeness
+(although in practice SP should never execute code not provided by
+either the retail RTCW binaries, iortcw or a deliberately-installed
+mod, because auto-downloading from a server is not applicable there).
+---
+ MP/code/qcommon/files.c | 12 ++++++++----
+ SP/code/qcommon/files.c |  8 ++++++++
+ 2 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/MP/code/qcommon/files.c b/MP/code/qcommon/files.c
+index 8e55976..39a596c 100644
+--- a/MP/code/qcommon/files.c
++++ b/MP/code/qcommon/files.c
+@@ -681,7 +681,9 @@ fileHandle_t FS_SV_FOpenFileWrite( const char *filename ) {
+ 		Com_Printf( "FS_SV_FOpenFileWrite: %s\n", ospath );
+ 	}
+ 
+-//	FS_CheckFilenameIsMutable( ospath, __func__ );
++#ifndef I_WANT_CVE_2011_3012
++	FS_CheckFilenameIsMutable( ospath, __func__ );
++#endif
+ 
+ 	if( FS_CreatePath( ospath ) ) {
+ 		return 0;
+@@ -882,7 +884,9 @@ fileHandle_t FS_FOpenFileWrite( const char *filename ) {
+ 		Com_Printf( "FS_FOpenFileWrite: %s\n", ospath );
+ 	}
+ 
+-//	FS_CheckFilenameIsMutable( ospath, __func__ );
++#ifndef I_WANT_CVE_2011_3012
++	FS_CheckFilenameIsMutable( ospath, __func__ );
++#endif
+ 
+ 	if ( FS_CreatePath( ospath ) ) {
+ 		return 0;
+@@ -1526,7 +1530,7 @@ int FS_FindVM(void **startSearch, char *found, int foundlen, const char *name, q
+                                 }
+ 		        }
+ 
+-#ifndef DEDICATED
++#if defined( I_WANT_CVE_2011_3012 ) && !defined( DEDICATED )
+ 			// extract the dlls from the mp_bin.pk3 so
+ 			// that they can be referenced
+ 			if (Q_stricmp(name, "qagame"))
+@@ -1561,7 +1565,7 @@ int FS_FindVM(void **startSearch, char *found, int foundlen, const char *name, q
+ 
+ // TTimo
+ // relevant to client only
+-#if !defined( DEDICATED )
++#if defined( I_WANT_CVE_2011_3012 ) && !defined( DEDICATED )
+ /*
+ ==================
+ FS_CL_ExtractFromPakFile
+diff --git a/SP/code/qcommon/files.c b/SP/code/qcommon/files.c
+index 02725a9..d3203ba 100644
+--- a/SP/code/qcommon/files.c
++++ b/SP/code/qcommon/files.c
+@@ -581,6 +581,10 @@ static void FS_CopyFile( char *fromOSPath, char *toOSPath ) {
+ 		return;
+ 	}
+ 
++#ifndef I_WANT_CVE_2011_3012
++	FS_CheckFilenameIsMutable( toOSPath, __func__ );
++#endif
++
+ 	f = Sys_FOpen( fromOSPath, "rb" );
+ 	if ( !f ) {
+ 		return;
+@@ -630,6 +634,10 @@ void FS_CopyFileOS( char *from, char *to ) {
+ 		return;
+ 	}
+ 
++#ifndef I_WANT_CVE_2011_3012
++	FS_CheckFilenameIsMutable( toOSPath, __func__ );
++#endif
++
+ 	f = Sys_FOpen( fromOSPath, "rb" );
+ 	if ( !f ) {
+ 		return;
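Review bot: The reinstated `FS_CheckFilenameIsMutable( ospath, __func__ )` guard covers only FS_SV_FOpenFileWrite and FS_FOpenFileWrite, while the threat the description names (QVM code opening and writing a file with the platform's DLL extension) applies equally to any append-mode open or rename that takes an OS path; if MP/code/qcommon/files.c has FS_FOpenFileAppend, FS_Rename or FS_SV_Rename (not visible in this hunk), they need the same guard or the bypass remains. Each guard is gated on the bare macro `I_WANT_CVE_2011_3012` with no explanation at the site, so a one-line rationale would help the next maintainer, e.g. `// Refuse to write files with a native-library extension (CVE-2011-3012); QVMs from downloaded pk3s reach this path.` Whether FS_CheckFilenameIsMutable aborts or merely returns cannot be told from the hunk — if it returns a status instead of erroring out, the following FS_CreatePath / Sys_FOpen lines still run, so that should be confirmed. FS_SV_FOpenFileWrite, FS_FOpenFileWrite, FS_FindVM and the SP FS_CopyFile / FS_CopyFileOS bodies all start or end outside the hunk.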
diff --git a/debian/patches/series b/debian/patches/series
index a06a8f1..ced7346 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,3 @@
+Disable-client-side-auto-download-by-default.patch
+File-access-methods-prevent-overwriting-DLLs-CVE-201.patch
 Default-to-non-fullscreen.patch
