Bug#686648: ioquake3: consider disallowing auto-downloading in wheezy
Stefan Potyra
sistpoty at ubuntu.com
Tue Sep 4 19:03:48 UTC 2012
Hi,
first off, big thanks to everybody involved in maintaining ioquake. You've
done a great job!
On Tue, Sep 04, 2012 at 03:42:21PM +0200, Markus Koschany wrote:
> In practice this would force players to download custom maps and even
> new versions of base maps manually from more or less trustworthy servers.
*nod*. I doubt it'll add much to security, as people will manually dl maps from
possibly untrusted servers by-hand then.
Also I think it must be almost a year that I last played on the line, custom
maps (and mods) were still quite widespread. Of course I may be biased, since I
prefer servers with the instagib mod ;).
> Please consider a second alternative:
>
> * Automatic downloading is disabled on the first start thus OpenArena is
> secure by default.
> * You could also move the menu option for auto downloading to the
> bottom and improve the description. "Warning: Enabling of auto
> downloading *could* lead to security implications. Worst case:
> Execution of arbitrary code. Please visit <link to the Debian Wiki>
> and carefully read about the alternatives *before* you enable this option.
>
*nod*.
Maybe there's another measure to mitigate against some effects of malicious
downloads: Can access of ioquake3 (and games using it) be restricted
somehow? (apparmor or selinux comes to my mind, but I must admit that I don't
have much clue with that).
Cheers,
Stefan.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-games-devel/attachments/20120904/c2d83e5e/attachment-0001.pgp>
More information about the Pkg-games-devel
mailing list