Bug#857699: ioquake3 has a security vulnerability
Moritz Muehlenhoff
jmm at inutil.org
Tue Mar 14 13:35:04 UTC 2017
On Tue, Mar 14, 2017 at 12:18:27PM +0000, Simon McVittie wrote:
> On Tue, 14 Mar 2017 at 08:30:36 +0000, Simon McVittie wrote:
> > On Tue, 14 Mar 2017 at 04:59:15 +0100, Daniel Gibson wrote:
> > > earlier today ioquake3 fixed a vulnerability that, as far as I understand,
> > > could let malicious multiplayer servers execute code on connecting clients.
> > > It affects all prior versions of ioquake3 (and I think also original Quake
> > > 3).
> > > Details: https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/
>
> Hi security team,
> I would like to propose this debdiff for stable (assuming that testing it
> later today goes as expected - I don't have access to a jessie system
> that can run games right now).

If you can't easily obtain access to a jessie system, I can run the tests
myself (they'd be limited to openarena, though).

> The other change I made in unstable (putting the auto-downloading option
> for Quake III Arena behind an "are you sure?" prompt) is not straightforward,
> and only affects code without security support (quake3 but not openarena),
> so I have omitted it from this version.

Makes sense, please upload.

Remember that ioquake3 is new in stable-security, so needs to be built with
"-sa".

Cheers,
Moritz