[ioquake3] 06/06: Merge branch 'debian/stretch' into debian/master

Tue Mar 14 11:15:03 UTC 2017

This is an automated email from the git hooks/post-receive script.

smcv pushed a commit to branch debian/master
in repository ioquake3.

commit 88c4ce41ce26e2af7933e9ce445c37de4bac74e7
Merge: 5087e21 65ca89c
Author: Simon McVittie <smcv at debian.org>
Date:   Tue Mar 14 11:14:03 2017 +0000

    Merge branch 'debian/stretch' into debian/master

 debian/changelog                                   | 24 +++++++
 ...mation-if-a-user-enables-auto-downloading.patch | 72 ++++++++++++++++++++
 ...-as-.dlls-and-don-t-load-user-config-file.patch | 76 ++++++++++++++++++++++
 .../Don-t-open-.pk3-files-as-OpenAL-drivers.patch  | 33 ++++++++++
 ...file-writing-extension-checks-from-OpenJK.patch | 50 ++++++++++++++
 debian/patches/series                              |  4 ++
 6 files changed, 259 insertions(+)

diff --cc debian/changelog
index 0d96e23,33c42fd..9367ce5

--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,10 -1,27 +1,34 @@@
 +ioquake3 (1.36+u20170227+dfsg1-1) UNRELEASED; urgency=medium
 +
 +  * debian/apparmor.d: allow more forms of device enumeration
 +  * New upstream snapshot
 +
 + -- Simon McVittie <smcv at debian.org>  Sat, 21 Jan 2017 20:17:57 +0000
 +
+ ioquake3 (1.36+u20161101+dfsg1-2) unstable; urgency=high
+ 
+   * d/gbp.conf: switch branch to debian/stretch for updates during freeze
+   * d/patches: Add patches from upstream fixing security vulnerabilities
+     - refuse to load potentially auto-downloadable .pk3 files as
+       ioquake3 renderers, ioquake3 game code, libcurl, or OpenAL drivers
+       (mitigation: auto-downloading is off by default, and in Debian
+       we do not dlopen libcurl anyway)
+     - refuse to load default configuration file names from a .pk3 file
+     - protect cl_renderer, cl_curllib, s_aldriver configuration variables so
+       game code cannot set them
+     - refuse to overwrite files other than *.txt with the dump console
+       command
+     - refuse to overwrite files other than *.cfg with the writeconfig
+       console command
+     (Closes: #857699)
+   * Add patch adapted from openarena to request confirmation before
+     enabling auto-downloading if the native-code Quake III Arena UI is
+     in use. Unfortunately this is not the case with quake3_46, but
+     I'm adding this patch in the hope that the wrapper script can
+     be fixed before the stretch release.
+ 
+  -- Simon McVittie <smcv at debian.org>  Tue, 14 Mar 2017 10:14:37 +0000
+ 
  ioquake3 (1.36+u20161101+dfsg1-1) unstable; urgency=medium
  
    * New upstream snapshot

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-games/ioquake3.git

