[iortcw] 02/04: d/patches: Add patches from upstream fixing security vulnerabilities

Simon McVittie smcv at debian.org
Tue Mar 14 10:21:28 UTC 2017


This is an automated email from the git hooks/post-receive script.

smcv pushed a commit to branch debian/stretch
in repository iortcw.

commit 7af6ec5f714fa7f76409a3f3bda670aaac79c108
Author: Simon McVittie <smcv at debian.org>
Date:   Tue Mar 14 09:13:02 2017 +0000

    d/patches: Add patches from upstream fixing security vulnerabilities
    
      - refuse to load potentially auto-downloadable .pk3 files as
        iortcw renderers, iortcw game code, libcurl, or OpenAL drivers
        (mitigation: auto-downloading is off by default, and in Debian
        we do not dlopen libcurl anyway)
      - refuse to load default configuration file names from a .pk3 file
      - protect cl_renderer, cl_curllib, s_aldriver configuration variables so
        game code cannot set them
      - refuse to overwrite files other than *.txt with the dump console
        command
      - refuse to overwrite files other than *.cfg with the writeconfig
        console command
---
 debian/changelog                                   |  12 ++
 ...able-client-side-auto-download-by-default.patch |   4 +-
 ...-methods-prevent-overwriting-DLLs-CVE-201.patch |   8 +-
 ...upport-for-downloading-executable-updates.patch |   2 +-
 ...pk3s-as-.dlls-and-don-t-load-user-config-.patch | 142 +++++++++++++++++++++
 ...l-Don-t-open-.pk3-files-as-OpenAL-drivers.patch |  57 +++++++++
 ...-Merge-some-file-writing-extension-checks.patch |  81 ++++++++++++
 debian/patches/series                              |   3 +
 8 files changed, 302 insertions(+), 7 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 7b45668..4683fcd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,18 @@
 iortcw (1.50a+dfsg1-3) UNRELEASED; urgency=medium
 
   * d/gbp.conf: switch branch to debian/stretch for updates during freeze
+  * d/patches: Add patches from upstream fixing security vulnerabilities
+    - refuse to load potentially auto-downloadable .pk3 files as
+      iortcw renderers, iortcw game code, libcurl, or OpenAL drivers
+      (mitigation: auto-downloading is off by default, and in Debian
+      we do not dlopen libcurl anyway)
+    - refuse to load default configuration file names from a .pk3 file
+    - protect cl_renderer, cl_curllib, s_aldriver configuration variables so
+      game code cannot set them
+    - refuse to overwrite files other than *.txt with the dump console
+      command
+    - refuse to overwrite files other than *.cfg with the writeconfig
+      console command
 
  -- Simon McVittie <smcv at debian.org>  Tue, 14 Mar 2017 09:09:05 +0000
 
diff --git a/debian/patches/debian/Disable-client-side-auto-download-by-default.patch b/debian/patches/debian/Disable-client-side-auto-download-by-default.patch
index 8f75a24..0ce846a 100644
--- a/debian/patches/debian/Disable-client-side-auto-download-by-default.patch
+++ b/debian/patches/debian/Disable-client-side-auto-download-by-default.patch
@@ -13,7 +13,7 @@ anyway.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/MP/code/client/cl_main.c b/MP/code/client/cl_main.c
-index bbdd4f4..582d905 100644
+index 5023874..28a2f5a 100644
 --- a/MP/code/client/cl_main.c
 +++ b/MP/code/client/cl_main.c
 @@ -4046,7 +4046,7 @@ void CL_Init( void ) {
@@ -23,5 +23,5 @@ index bbdd4f4..582d905 100644
 -	cl_allowDownload = Cvar_Get( "cl_allowDownload", "1", CVAR_ARCHIVE );
 +	cl_allowDownload = Cvar_Get( "cl_allowDownload", "0", CVAR_ARCHIVE );
  #ifdef USE_CURL_DLOPEN
- 	cl_cURLLib = Cvar_Get("cl_cURLLib", DEFAULT_CURL_LIB, CVAR_ARCHIVE);
+ 	cl_cURLLib = Cvar_Get("cl_cURLLib", DEFAULT_CURL_LIB, CVAR_ARCHIVE | CVAR_PROTECTED);
  #endif
diff --git a/debian/patches/debian/File-access-methods-prevent-overwriting-DLLs-CVE-201.patch b/debian/patches/debian/File-access-methods-prevent-overwriting-DLLs-CVE-201.patch
index ae028a3..bab95ad 100644
--- a/debian/patches/debian/File-access-methods-prevent-overwriting-DLLs-CVE-201.patch
+++ b/debian/patches/debian/File-access-methods-prevent-overwriting-DLLs-CVE-201.patch
@@ -33,7 +33,7 @@ Upstream rejected this change, but we want it in Debian anyway.
  2 files changed, 18 insertions(+), 4 deletions(-)
 
 diff --git a/MP/code/qcommon/files.c b/MP/code/qcommon/files.c
-index 603550e..0d71189 100644
+index 3ade653..e303a58 100644
 --- a/MP/code/qcommon/files.c
 +++ b/MP/code/qcommon/files.c
 @@ -687,7 +687,9 @@ fileHandle_t FS_SV_FOpenFileWrite( const char *filename ) {
@@ -58,7 +58,7 @@ index 603550e..0d71189 100644
  
  	if ( FS_CreatePath( ospath ) ) {
  		return 0;
-@@ -1548,7 +1552,7 @@ int FS_FindVM(void **startSearch, char *found, int foundlen, const char *name, q
+@@ -1554,7 +1558,7 @@ int FS_FindVM(void **startSearch, char *found, int foundlen, const char *name, q
                                  }
  		        }
  
@@ -67,7 +67,7 @@ index 603550e..0d71189 100644
  			// extract the dlls from the mp_bin.pk3 so
  			// that they can be referenced
  			if (Q_stricmp(name, "qagame"))
-@@ -1583,7 +1587,7 @@ int FS_FindVM(void **startSearch, char *found, int foundlen, const char *name, q
+@@ -1589,7 +1593,7 @@ int FS_FindVM(void **startSearch, char *found, int foundlen, const char *name, q
  
  // TTimo
  // relevant to client only
@@ -77,7 +77,7 @@ index 603550e..0d71189 100644
  ==================
  FS_CL_ExtractFromPakFile
 diff --git a/SP/code/qcommon/files.c b/SP/code/qcommon/files.c
-index 340b105..2f42bff 100644
+index 1215cfe..6d584ef 100644
 --- a/SP/code/qcommon/files.c
 +++ b/SP/code/qcommon/files.c
 @@ -175,6 +175,8 @@ or configs will never get loaded from disk!
diff --git a/debian/patches/debian/Remove-support-for-downloading-executable-updates.patch b/debian/patches/debian/Remove-support-for-downloading-executable-updates.patch
index d22bba4..a76ef3f 100644
--- a/debian/patches/debian/Remove-support-for-downloading-executable-updates.patch
+++ b/debian/patches/debian/Remove-support-for-downloading-executable-updates.patch
@@ -14,7 +14,7 @@ in Debian anyway.
  3 files changed, 2 insertions(+), 189 deletions(-)
 
 diff --git a/MP/code/client/cl_main.c b/MP/code/client/cl_main.c
-index 582d905..610a673 100644
+index 28a2f5a..e5298b6 100644
 --- a/MP/code/client/cl_main.c
 +++ b/MP/code/client/cl_main.c
 @@ -2199,24 +2199,7 @@ void CL_DownloadsComplete( void ) {
diff --git a/debian/patches/security/All-Don-t-load-.pk3s-as-.dlls-and-don-t-load-user-config-.patch b/debian/patches/security/All-Don-t-load-.pk3s-as-.dlls-and-don-t-load-user-config-.patch
new file mode 100644
index 0000000..0c66bb7
--- /dev/null
+++ b/debian/patches/security/All-Don-t-load-.pk3s-as-.dlls-and-don-t-load-user-config-.patch
@@ -0,0 +1,142 @@
+From: MAN-AT-ARMS <M4N4T4RMS at gmail.com>
+Date: Mon, 13 Mar 2017 19:37:39 -0400
+Subject: All: Don't load .pk3s as .dlls,
+ and don't load user config files from .pk3s
+
+Origin: upstream, 1.51, commit:b6ff2bcb1e4e6976d61e316175c6d7c99860fe20
+Bug-Debian: https://bugs.debian.org/857699
+---
+ MP/code/client/cl_main.c | 4 ++--
+ MP/code/qcommon/files.c  | 6 ++++++
+ MP/code/sys/sys_main.c   | 7 +++++++
+ SP/code/client/cl_main.c | 4 ++--
+ SP/code/qcommon/files.c  | 6 ++++++
+ SP/code/sys/sys_main.c   | 7 +++++++
+ 6 files changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/MP/code/client/cl_main.c b/MP/code/client/cl_main.c
+index bbdd4f4..5023874 100644
+--- a/MP/code/client/cl_main.c
++++ b/MP/code/client/cl_main.c
+@@ -3688,7 +3688,7 @@ void CL_InitRef( void ) {
+ 	Com_Printf( "----- Initializing Renderer ----\n" );
+ 
+ #ifdef USE_RENDERER_DLOPEN
+-	cl_renderer = Cvar_Get("cl_renderer", "opengl1", CVAR_ARCHIVE | CVAR_LATCH);
++	cl_renderer = Cvar_Get("cl_renderer", "opengl1", CVAR_ARCHIVE | CVAR_LATCH | CVAR_PROTECTED);
+ 
+ 	Com_sprintf(dllName, sizeof(dllName), "renderer_mp_%s_" ARCH_STRING DLL_EXT, cl_renderer->string);
+ 
+@@ -4048,7 +4048,7 @@ void CL_Init( void ) {
+ 
+ 	cl_allowDownload = Cvar_Get( "cl_allowDownload", "1", CVAR_ARCHIVE );
+ #ifdef USE_CURL_DLOPEN
+-	cl_cURLLib = Cvar_Get("cl_cURLLib", DEFAULT_CURL_LIB, CVAR_ARCHIVE);
++	cl_cURLLib = Cvar_Get("cl_cURLLib", DEFAULT_CURL_LIB, CVAR_ARCHIVE | CVAR_PROTECTED);
+ #endif
+ 
+ 	// init autoswitch so the ui will have it correctly even
+diff --git a/MP/code/qcommon/files.c b/MP/code/qcommon/files.c
+index 603550e..3ade653 100644
+--- a/MP/code/qcommon/files.c
++++ b/MP/code/qcommon/files.c
+@@ -1424,12 +1424,18 @@ long FS_FOpenFileRead(const char *filename, fileHandle_t *file, qboolean uniqueF
+ {
+ 	searchpath_t *search;
+ 	long len;
++	qboolean isLocalConfig;
+ 
+ 	if(!fs_searchpaths)
+ 		Com_Error(ERR_FATAL, "Filesystem call made without initialization");
+ 
++	isLocalConfig = !strcmp(filename, "autoexec.cfg") || !strcmp(filename, Q3CONFIG_CFG);
+ 	for(search = fs_searchpaths; search; search = search->next)
+ 	{
++		// autoexec.cfg and wolfconfig_mp.cfg can only be loaded outside of pk3 files.
++		if (isLocalConfig && search->pack)
++			continue;
++
+ 	        len = FS_FOpenFileReadDir(filename, search, file, uniqueFILE, qfalse);
+ 	        
+ 	        if(file == NULL)
+diff --git a/MP/code/sys/sys_main.c b/MP/code/sys/sys_main.c
+index b4181da..f3dc2e9 100644
+--- a/MP/code/sys/sys_main.c
++++ b/MP/code/sys/sys_main.c
+@@ -499,6 +499,13 @@ from executable path, then fs_basepath.
+ void *Sys_LoadDll(const char *name, qboolean useSystemLib)
+ {
+ 	void *dllhandle;
++
++	// Don't load any DLLs that end with the pk3 extension
++	if (COM_CompareExtension(name, ".pk3"))
++	{
++		Com_Printf("Rejecting DLL named \"%s\"", name);
++		return NULL;
++	}
+ 	
+ 	if(useSystemLib)
+ 		Com_Printf("Trying to load \"%s\"...\n", name);
+diff --git a/SP/code/client/cl_main.c b/SP/code/client/cl_main.c
+index d5f4a44..6306235 100644
+--- a/SP/code/client/cl_main.c
++++ b/SP/code/client/cl_main.c
+@@ -3367,7 +3367,7 @@ void CL_InitRef( void ) {
+ 	Com_Printf( "----- Initializing Renderer ----\n" );
+ 
+ #ifdef USE_RENDERER_DLOPEN
+-	cl_renderer = Cvar_Get("cl_renderer", "opengl1", CVAR_ARCHIVE | CVAR_LATCH);
++	cl_renderer = Cvar_Get("cl_renderer", "opengl1", CVAR_ARCHIVE | CVAR_LATCH | CVAR_PROTECTED);
+ 
+ 	Com_sprintf(dllName, sizeof(dllName), "renderer_sp_%s_" ARCH_STRING DLL_EXT, cl_renderer->string);
+ 
+@@ -3712,7 +3712,7 @@ void CL_Init( void ) {
+ 
+ 	cl_allowDownload = Cvar_Get( "cl_allowDownload", "0", CVAR_ARCHIVE );
+ #ifdef USE_CURL_DLOPEN
+-	cl_cURLLib = Cvar_Get("cl_cURLLib", DEFAULT_CURL_LIB, CVAR_ARCHIVE);
++	cl_cURLLib = Cvar_Get("cl_cURLLib", DEFAULT_CURL_LIB, CVAR_ARCHIVE | CVAR_PROTECTED);
+ #endif
+ 
+ 	// init autoswitch so the ui will have it correctly even
+diff --git a/SP/code/qcommon/files.c b/SP/code/qcommon/files.c
+index 340b105..1215cfe 100644
+--- a/SP/code/qcommon/files.c
++++ b/SP/code/qcommon/files.c
+@@ -1591,12 +1591,18 @@ long FS_FOpenFileRead(const char *filename, fileHandle_t *file, qboolean uniqueF
+ {
+ 	searchpath_t *search;
+ 	long len;
++	qboolean isLocalConfig;
+ 
+ 	if(!fs_searchpaths)
+ 		Com_Error(ERR_FATAL, "Filesystem call made without initialization");
+ 
++	isLocalConfig = !strcmp(filename, "autoexec.cfg") || !strcmp(filename, Q3CONFIG_CFG);
+ 	for(search = fs_searchpaths; search; search = search->next)
+ 	{
++		// autoexec.cfg and wolfconfig.cfg can only be loaded outside of pk3 files.
++		if (isLocalConfig && search->pack)
++			continue;
++
+ 		len = FS_FOpenFileReadDir(filename, search, file, uniqueFILE, qfalse);
+ 
+ 		if(file == NULL)
+diff --git a/SP/code/sys/sys_main.c b/SP/code/sys/sys_main.c
+index d24f402..e591d98 100644
+--- a/SP/code/sys/sys_main.c
++++ b/SP/code/sys/sys_main.c
+@@ -499,6 +499,13 @@ from executable path, then fs_basepath.
+ void *Sys_LoadDll(const char *name, qboolean useSystemLib)
+ {
+ 	void *dllhandle;
++
++	// Don't load any DLLs that end with the pk3 extension
++	if (COM_CompareExtension(name, ".pk3"))
++	{
++		Com_Printf("Rejecting DLL named \"%s\"", name);
++		return NULL;
++	}
+ 	
+ 	if(useSystemLib)
+ 		Com_Printf("Trying to load \"%s\"...\n", name);
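Review bot: The `isLocalConfig` test added to FS_FOpenFileRead (MP and SP files.c) uses `strcmp`, so it covers only the exact spellings `autoexec.cfg` and `Q3CONFIG_CFG`. If name lookup inside packs is case-insensitive or accepts path variants (that code is not visible here), a differently spelled request for the same file would still be served from a .pk3. Consider `isLocalConfig = !Q_stricmp(filename, "autoexec.cfg") || !Q_stricmp(filename, Q3CONFIG_CFG);`, or compare after the filesystem's own name normalisation. Separately, the rejection message in Sys_LoadDll, `Com_Printf("Rejecting DLL named \"%s\"", name);`, has no trailing `\n`, and the same string appears in the S_AL_Init hunks of the OpenAL patch; appending `\n` keeps the next log line from running into it. Both function bodies continue outside the hunks.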
diff --git a/debian/patches/security/All-Don-t-open-.pk3-files-as-OpenAL-drivers.patch b/debian/patches/security/All-Don-t-open-.pk3-files-as-OpenAL-drivers.patch
new file mode 100644
index 0000000..fc3437f
--- /dev/null
+++ b/debian/patches/security/All-Don-t-open-.pk3-files-as-OpenAL-drivers.patch
@@ -0,0 +1,57 @@
+From: MAN-AT-ARMS <M4N4T4RMS at gmail.com>
+Date: Tue, 14 Mar 2017 03:25:17 -0400
+Subject: All: Don't open .pk3 files as OpenAL drivers
+
+Origin: upstream, 1.51, commit:b248763e4878ef12d5835ece6600be8334f67da1
+Bug-Debian: https://bugs.debian.org/857699
+---
+ MP/code/client/snd_openal.c | 8 +++++++-
+ SP/code/client/snd_openal.c | 8 +++++++-
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/MP/code/client/snd_openal.c b/MP/code/client/snd_openal.c
+index 900dc5e..91a61bc 100644
+--- a/MP/code/client/snd_openal.c
++++ b/MP/code/client/snd_openal.c
+@@ -2618,11 +2618,17 @@ qboolean S_AL_Init( soundInterface_t *si )
+ 	s_alRolloff = Cvar_Get( "s_alRolloff", "2", CVAR_CHEAT);
+ 	s_alGraceDistance = Cvar_Get("s_alGraceDistance", "512", CVAR_CHEAT);
+ 
+-	s_alDriver = Cvar_Get( "s_alDriver", ALDRIVER_DEFAULT, CVAR_ARCHIVE | CVAR_LATCH );
++	s_alDriver = Cvar_Get( "s_alDriver", ALDRIVER_DEFAULT, CVAR_ARCHIVE | CVAR_LATCH | CVAR_PROTECTED );
+ 
+ 	s_alInputDevice = Cvar_Get( "s_alInputDevice", "", CVAR_ARCHIVE | CVAR_LATCH );
+ 	s_alDevice = Cvar_Get("s_alDevice", "", CVAR_ARCHIVE | CVAR_LATCH);
+ 
++	if ( COM_CompareExtension( s_alDriver->string, ".pk3" ) )
++	{
++		Com_Printf( "Rejecting DLL named \"%s\"", s_alDriver->string );
++		return qfalse;
++	}
++
+ 	// Load QAL
+ 	if( !QAL_Init( s_alDriver->string ) )
+  	{
+diff --git a/SP/code/client/snd_openal.c b/SP/code/client/snd_openal.c
+index 27ea5ed..6e1b34f 100644
+--- a/SP/code/client/snd_openal.c
++++ b/SP/code/client/snd_openal.c
+@@ -2677,11 +2677,17 @@ qboolean S_AL_Init( soundInterface_t *si )
+ 	s_alGraceDistance = Cvar_Get("s_alGraceDistance", "512", CVAR_ARCHIVE);
+ 	s_alTalkAnims = Cvar_Get("s_alTalkAnims", "160", CVAR_ARCHIVE);
+ 
+-	s_alDriver = Cvar_Get( "s_alDriver", ALDRIVER_DEFAULT, CVAR_ARCHIVE | CVAR_LATCH );
++	s_alDriver = Cvar_Get( "s_alDriver", ALDRIVER_DEFAULT, CVAR_ARCHIVE | CVAR_LATCH | CVAR_PROTECTED );
+ 
+ 	s_alInputDevice = Cvar_Get( "s_alInputDevice", "", CVAR_ARCHIVE | CVAR_LATCH );
+ 	s_alDevice = Cvar_Get("s_alDevice", "", CVAR_ARCHIVE | CVAR_LATCH);
+ 
++	if ( COM_CompareExtension( s_alDriver->string, ".pk3" ) )
++	{
++		Com_Printf( "Rejecting DLL named \"%s\"", s_alDriver->string );
++		return qfalse;
++	}
++
+ 	// Load QAL
+ 	if( !QAL_Init( s_alDriver->string ) )
+  	{
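Review bot: The .pk3 check sits in S_AL_Init, just before the `QAL_Init( s_alDriver->string )` call, rather than in the function that opens the library, so it guards only this call site. Whether QAL_Init has other callers is not visible in the hunk. Moving the `COM_CompareExtension( ..., ".pk3" )` test into QAL_Init would keep the guard next to the load, the way the Sys_LoadDll change on this page does. The new block also has no comment, unlike the Sys_LoadDll one; something like `// Don't load potentially auto-downloaded .pk3 files as the OpenAL driver` would record why it is there. This applies to both the MP and SP hunks, and S_AL_Init continues outside them.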
diff --git a/debian/patches/security/All-Merge-some-file-writing-extension-checks.patch b/debian/patches/security/All-Merge-some-file-writing-extension-checks.patch
new file mode 100644
index 0000000..97c1477
--- /dev/null
+++ b/debian/patches/security/All-Merge-some-file-writing-extension-checks.patch
@@ -0,0 +1,81 @@
+From: MAN-AT-ARMS <M4N4T4RMS at gmail.com>
+Date: Tue, 14 Mar 2017 03:26:09 -0400
+Subject: All: Merge some file writing extension checks
+
+Origin: upstream, 1.51, commit:11a83410153756ae350a82ed41b08d128ff7f998
+Bug-Debian: https://bugs.debian.org/857699
+---
+ MP/code/client/cl_console.c | 6 ++++++
+ MP/code/qcommon/common.c    | 6 ++++++
+ SP/code/client/cl_console.c | 6 ++++++
+ SP/code/qcommon/common.c    | 6 ++++++
+ 4 files changed, 24 insertions(+)
+
+diff --git a/MP/code/client/cl_console.c b/MP/code/client/cl_console.c
+index 795fb11..f4eecda 100644
+--- a/MP/code/client/cl_console.c
++++ b/MP/code/client/cl_console.c
+@@ -227,6 +227,12 @@ void Con_Dump_f( void ) {
+ 	Q_strncpyz( filename, Cmd_Argv( 1 ), sizeof( filename ) );
+ 	COM_DefaultExtension( filename, sizeof( filename ), ".txt" );
+ 
++	if (!COM_CompareExtension(filename, ".txt"))
++	{
++		Com_Printf("Con_Dump_f: Only the \".txt\" extension is supported by this command!\n");
++		return;
++	}
++
+ 	f = FS_FOpenFileWrite( filename );
+ 	if ( !f ) {
+ 		Com_Printf ("ERROR: couldn't open %s.\n", filename);
+diff --git a/MP/code/qcommon/common.c b/MP/code/qcommon/common.c
+index 76547f2..649890e 100644
+--- a/MP/code/qcommon/common.c
++++ b/MP/code/qcommon/common.c
+@@ -3058,6 +3058,12 @@ void Com_WriteConfig_f( void ) {
+ 		return;
+ 	}
+ 
++	if (!COM_CompareExtension(filename, ".cfg"))
++	{
++		Com_Printf("Com_WriteConfig_f: Only the \".cfg\" extension is supported by this command!\n");
++		return;
++	}
++
+ 	Q_strncpyz( filename, Cmd_Argv( 1 ), sizeof( filename ) );
+ 	COM_DefaultExtension( filename, sizeof( filename ), ".cfg" );
+ 	Com_Printf( "Writing %s.\n", filename );
+diff --git a/SP/code/client/cl_console.c b/SP/code/client/cl_console.c
+index ebcb9d7..16739cf 100644
+--- a/SP/code/client/cl_console.c
++++ b/SP/code/client/cl_console.c
+@@ -237,6 +237,12 @@ void Con_Dump_f( void ) {
+ 	Q_strncpyz( filename, Cmd_Argv( 1 ), sizeof( filename ) );
+ 	COM_DefaultExtension( filename, sizeof( filename ), ".txt" );
+ 
++	if (!COM_CompareExtension(filename, ".txt"))
++	{
++		Com_Printf("Con_Dump_f: Only the \".txt\" extension is supported by this command!\n");
++		return;
++	}
++
+ 	f = FS_FOpenFileWrite( filename );
+ 	if ( !f ) {
+ 		Com_Printf ("ERROR: couldn't open %s.\n", filename);
+diff --git a/SP/code/qcommon/common.c b/SP/code/qcommon/common.c
+index 20f871d..5a8a4f7 100644
+--- a/SP/code/qcommon/common.c
++++ b/SP/code/qcommon/common.c
+@@ -2601,6 +2601,12 @@ void Com_WriteConfig_f( void ) {
+ 		return;
+ 	}
+ 
++	if (!COM_CompareExtension(filename, ".cfg"))
++	{
++		Com_Printf("Com_WriteConfig_f: Only the \".cfg\" extension is supported by this command!\n");
++		return;
++	}
++
+ 	Q_strncpyz( filename, Cmd_Argv( 1 ), sizeof( filename ) );
+ 	COM_DefaultExtension( filename, sizeof( filename ), ".cfg" );
+ 	Com_Printf( "Writing %s.\n", filename );
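Review bot: In Com_WriteConfig_f (MP and SP common.c) the new `COM_CompareExtension(filename, ".cfg")` test is inserted above `Q_strncpyz( filename, Cmd_Argv( 1 ), sizeof( filename ) );`. As far as the hunk shows, it inspects `filename` before the argument has been copied in and before the default extension is applied. The check therefore does not validate the name that is later written, and it may read an uninitialised buffer (the declaration of `filename` is outside the hunk). The Con_Dump_f hunks in the same patch have the order right: copy, `COM_DefaultExtension`, then the extension test. Move the `if (!COM_CompareExtension(filename, ".cfg")) { ... return; }` block to just after the `COM_DefaultExtension( filename, sizeof( filename ), ".cfg" );` line in both files.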
diff --git a/debian/patches/series b/debian/patches/series
index 02ee5e0..fdea571 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,6 @@
+security/All-Don-t-load-.pk3s-as-.dlls-and-don-t-load-user-config-.patch
+security/All-Don-t-open-.pk3-files-as-OpenAL-drivers.patch
+security/All-Merge-some-file-writing-extension-checks.patch
 Don-t-require-.git-index-to-exist.patch
 debian/Disable-client-side-auto-download-by-default.patch
 debian/File-access-methods-prevent-overwriting-DLLs-CVE-201.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-games/iortcw.git


