Re: Bug#686648: ioquake3: consider disallowing auto-downloading in wheezy



I demand that Simon McVittie may or may not have written...

[snip]
> I am considering removing the cl_allowDownload option from the ioquake3
> client, effectively forcing its value to "disabled" (further details
> below).
[snip]
> Games team: what are your thoughts about this? Should we give users the
> freedom to shoot themselves in the foot, or patch this feature out? Should
> we reinstate the feature in unstable after wheezy releases, or leave it out
> permanently?

You could disable by default and warn if it's enabled.

[snip]
> During squeeze updates to tremulous (which uses a fork of ioquake3), I
> patched out auto-downloading support. I am now considering doing the same
> to ioquake3 itself before wheezy is released: this would mean that any
> vulnerabilities discovered in the bytecode JIT/interpreter would not affect
> wheezy.

There was a time when Unvanquished would use native libraries which had been
downloaded as part of PK3 archive files, LLVM bytecode or QVM files. In a
security context, the first two are problematical regarding possible
malicious content, and the third had a lot of possible sandbox overflows
(sandbox-internal addresses and lengths weren't checked).

Now, Unvanquished no longer unpacks native code from PK3 files; LLVM support
bitrotted and is not compilable at present (and there are no plans to fix
it); and I added some parameter checking on the trap calls from QVM code – if
you want to have a look, the checking function is named VM_CheckBlock.

I'd not be surprised if some of this is applicable to Tremulous, at least.
Beyond that, I don't know.

https://github.com/Unvanquished/Unvanquished – by all means, look at and port
security fixes if needed.

> However, this would remove an apparently-intentional feature, making it
> harder for Debian users to join "modded" servers. In Quake III Arena
> (quake3, contrib/games) enabling client-side auto-downloading requires
> console commands; in OpenArena (openarena, main/games) the feature can be
> enabled through the GUI. In both cases it is off by default. Server
> administrators and gaming communities frequently encourage users to switch
> on this feature, apparently without considering its security implications.

Then, as mentioned above, warn.

"You have enabled automatic downloading of maps, VM code and other resources.
While it is expected that most providers of such content are reputable, some
may provide malicious code which could compromise your computer via as yet
unknown security holes in this game.

You enable this at your own risk."

[snip]
-- 
|  _  | Darren Salt, using Debian GNU/Linux (and Android)
| ( ) |
|  X  | ASCII Ribbon campaign against HTML e-mail
| / \ | http://www.asciiribbon.org/

Unsuitable media, 0:1
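
The kind of check the message describes (validating sandbox-internal addresses and lengths on trap calls from QVM code), as an added example that is not part of the original message and is not Unvanquished's VM_CheckBlock. The sandbox_t layout, the function names and the sample memory are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sandbox: guest data occupies host bytes data[0 .. size). */
typedef struct { uint8_t *data; uint32_t size; } sandbox_t;

/* 1 if guest range [addr, addr+len) is inside the sandbox. Comparing against
 * size - addr means a huge addr or len cannot wrap around 2^32 and pass. */
static int sandbox_check_block(const sandbox_t *sb, uint32_t addr, uint32_t len)
{
    return addr <= sb->size && len <= sb->size - addr;
}

/* Length of a guest string, or -1 if it starts out of range or reaches the
 * end of the sandbox without a NUL terminator. */
static long sandbox_strlen(const sandbox_t *sb, uint32_t addr)
{
    if (addr >= sb->size)
        return -1;
    const uint8_t *s = sb->data + addr;
    const uint8_t *nul = memchr(s, 0, sb->size - addr);
    return nul ? (long)(nul - s) : -1;
}

/* Hypothetical trap: copy len bytes between two guest buffers. Both ranges
 * are validated before any host pointer is formed. 0 on success, -1 if rejected. */
static int trap_memcpy(const sandbox_t *sb, uint32_t dst, uint32_t src, uint32_t len)
{
    if (!sandbox_check_block(sb, dst, len) || !sandbox_check_block(sb, src, len))
        return -1;
    memmove(sb->data + dst, sb->data + src, len);
    return 0;
}

/* Constructed guest memory: "hello" at 0, an unterminated "ABCD" at the end. */
static uint8_t demo_mem[64] = { 'h', 'e', 'l', 'l', 'o', [60] = 'A', 'B', 'C', 'D' };
static const sandbox_t demo_sb = { demo_mem, sizeof demo_mem };

int main(void)
{
    printf("in range:   %d\n", trap_memcpy(&demo_sb, 16, 0, 6));
    printf("past end:   %d\n", trap_memcpy(&demo_sb, 60, 0, 6));
    printf("wraparound: %d\n", sandbox_check_block(&demo_sb, 0xFFFFFFF0u, 0x20));
    printf("no NUL:     %ld\n", sandbox_strlen(&demo_sb, 60));
    return 0;
}
```

A check written as `addr + len <= size` would accept the wraparound case, because the 32-bit sum overflows to a small value.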