Bug#686648: ioquake3: consider disallowing auto-downloading in wheezy
Simon McVittie
smcv at debian.org
Tue Sep 4 10:00:17 UTC 2012
Package: ioquake3
Version: 1.36+svn2287-1
Severity: important
Tags: patch
X-Debbugs-Cc: debian-release at lists.debian.org
X-Debbugs-Cc: debian-devel-games at lists.debian.org
I am considering removing the cl_allowDownload option from the ioquake3
client, effectively forcing its value to "disabled" (further details below).
The effect of this option is:
* if disabled (or patched out), joining "modded" game servers will require
users to download and install any "mods" active on that server manually
* if enabled, "mods" are automatically downloaded; if certain security flaws
exist in ioquake3, a malicious server operator or a man-in-the-middle
could exercise those flaws (worst-case: arbitrary code execution) by
encouraging users to join a game server
This is basically a trade-off between convenience and mitigating security
vulnerabilities. I say "mitigating" because a user could always install
a malicious mod to ~/.q3a or ~/.openarena manually, with the same result
as if they had auto-downloaded it.
I am not aware of any current vulnerabilities that could be exploited in
this way, but see below for a list of past vulnerabilities that would have
been mitigated by this change.
Games team: what are your thoughts about this? Should we give users the
freedom to shoot themselves in the foot, or patch this feature out?
Should we reinstate the feature in unstable after wheezy releases, or
leave it out permanently?
Release team: would you consider a freeze exception for this? I attach
draft patches (I'd replace nnnnnn with this bug number and UNRELEASED
with unstable, obviously). Only the ioquake3 one is strictly necessary,
but it would leave a useless and misleading menu option in openarena, so
I would prefer to patch openarena too.
The next "obvious" revision numbers (ioquake3 1.36+svn2287-2,
openarena 0.8.8-6) are already in use in experimental, so if I upload
these, I'm going to version them like a stable update. Let me know if you
would prefer me to use -X+wheezyY for the revision numbers rather
than -X+deb70+Y, or something else entirely.
S
----
Further explanation:
The ioquake3 engine is used in openarena (main/games) and quake3
(contrib/games). When used as a network client, it has the option to
auto-download required data from the game server, or (as one of the
ioquake3 enhancements to the Quake III Arena engine) from an HTTP or FTP
server nominated by the server administrator. By design, auto-downloaded
packages are not signed or authenticated (server administrators can add
arbitrary "mods").
As well as "safe" data (maps, 3D models etc.), auto-downloaded packages
can include executable bytecode (cgame.qvm, ui.qvm), which will be run by
the client using a JIT or interpreter. The JIT/interpreter acts as a simple
sandbox, and known vulnerabilities in it have been treated as security
issues and fixed. To the best of my knowledge, there has not been a
systematic audit.
Unfortunately, it is not currently possible to auto-download "safe" files
(maps, models, textures, music etc.) but reject executable bytecode.
I hope to add that feature in time for Debian 8, and make it the default.
During squeeze updates to tremulous (which uses a fork of ioquake3), I
patched out auto-downloading support. I am now considering doing the
same to ioquake3 itself before wheezy is released: this would mean that
any vulnerabilities discovered in the bytecode JIT/interpreter would
not affect wheezy.
However, this would remove an apparently-intentional feature, making it
harder for Debian users to join "modded" servers. In Quake III Arena
(quake3, contrib/games) enabling client-side auto-downloading requires
console commands; in OpenArena (openarena, main/games) the feature
can be enabled through the GUI. In both cases it is off by default.
Server administrators and gaming communities frequently encourage users
to switch on this feature, apparently without considering its security
implications.
Here are some past Quake III Arena CVEs and whether this change would have
mitigated them:
CVE            affects  impact           mitigated by this?
CVE-2001-1289  server   DoS              no
CVE-2005-0430  server   DoS              no
CVE-2005-0983  client   DoS              no
CVE-2006-2082  server   info disclosure  no
CVE-2006-2236  client   code exec        no
CVE-2007-2785  client   code exec        yes
CVE-2006-3324  client   file write       yes
CVE-2006-3325  client   code exec?       partially?
CVE-2006-3400  client   code exec?       no
CVE-2006-3401  client   code exec        yes?
CVE-2011-1412  client   code exec        no
CVE-2011-2764  client   code exec        yes
CVE-2012-3345  both     file write       no
-- System Information:
Debian Release: wheezy/sid
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages ioquake3 depends on:
ii libc6 2.13-35
ii libcurl3-gnutls 7.27.0-1
ii libgl1-mesa-glx [libgl1] 8.0.4-2
ii libjpeg8 8d-1
ii libogg0 1.3.0-4
ii libopenal1 1:1.14-4
ii libsdl1.2debian 1.2.15-5
ii libspeex1 1.2~rc1-6
ii libspeexdsp1 1.2~rc1-6
ii libvorbis0a 1.3.2-1.3
ii libvorbisfile3 1.3.2-1.3
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages ioquake3 recommends:
ii x11-utils 7.7~1
ii zenity 3.4.0-2
ioquake3 suggests no packages.
Versions of packages ioquake3 is related to:
ii libgl1-mesa-dri 8.0.4-2
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ioquake3.diff
Type: text/x-diff
Size: 3973 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-games-devel/attachments/20120904/57c4a873/attachment-0002.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openarena.diff
Type: text/x-diff
Size: 9249 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-games-devel/attachments/20120904/57c4a873/attachment-0003.diff>
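The report above describes a filter that does not yet exist in ioquake3: accepting auto-downloaded pk3 files that carry only data (maps, models, textures, music) while rejecting any that carry QVM bytecode (cgame.qvm, ui.qvm). The following is an added illustration of that check, not code from the bug report or from ioquake3. It assumes a pk3 is an ordinary zip archive, that every entry ending in .qvm is executable regardless of its directory, and that names should be compared case-insensitively; the sample archives and their contents are constructed.

```python
import io
import zipfile

# Assumption: any *.qvm entry is bytecode the client would execute,
# wherever it sits in the archive.
BYTECODE_SUFFIX = ".qvm"


def executable_entries(pk3_bytes):
    """Return the archive entries that would be run as QVM bytecode.

    A pk3 is a zip archive, so the central directory gives us the entry
    names without extracting anything. Names are lower-cased before the
    comparison (assumption: the engine's virtual filesystem is not
    case-sensitive). An archive that does not parse raises ValueError.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(pk3_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile as exc:
        raise ValueError("not a valid pk3/zip archive") from exc
    return [n for n in names if n.lower().endswith(BYTECODE_SUFFIX)]


def is_safe_to_autodownload(pk3_bytes):
    """Accept only archives with no bytecode; an unparseable one is rejected."""
    try:
        return not executable_entries(pk3_bytes)
    except ValueError:
        return False


def build_pk3(entries):
    """Build a pk3 in memory from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a data-only archive and a "mod" shipping bytecode.
SAFE_PK3 = build_pk3({
    "maps/example.bsp": b"IBSP" + b"\0" * 16,
    "textures/example/wall.tga": b"\0" * 18,
    "music/track.ogg": b"OggS",
})
MODDED_PK3 = build_pk3({
    "maps/example.bsp": b"IBSP" + b"\0" * 16,
    "vm/cgame.qvm": b"\0" * 32,
    "vm/UI.QVM": b"\0" * 32,  # upper-case name must still be caught
})
```

Note that this only classifies the archive; it does not make the rest of the download path trustworthy, since the zip parser itself is exposed to attacker-controlled input.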