Bug#857699: ioquake3 has a security vulnerability

Simon McVittie smcv at debian.org
Tue Mar 14 12:18:27 UTC 2017


On Tue, 14 Mar 2017 at 08:30:36 +0000, Simon McVittie wrote:
> On Tue, 14 Mar 2017 at 04:59:15 +0100, Daniel Gibson wrote:
> > earlier today ioquake3 fixed a vulnerability that, as far as I understand,
> > could let malicious multiplayer servers execute code on connecting clients.
> > It affects all prior versions of ioquake3 (and I think also original Quake
> > 3).
> > Details: https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/

Hi security team,
I would like to propose this debdiff for stable (assuming that testing it
later today goes as expected - I don't have access to a jessie system
that can run games right now).

The other change I made in unstable (putting the auto-downloading option
for Quake III Arena behind an "are you sure?" prompt) is not straightforward,
and only affects code without security support (quake3 but not openarena),
so I have omitted it from this version.

    S
-------------- next part --------------
A non-text attachment was scrubbed...
Name: proposed.diff
Type: text/x-diff
Size: 10971 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-games-devel/attachments/20170314/8cd8c71f/attachment.diff>

