Bug#663104: pu: package tremulous/1.1.0-7~squeeze1 (contrib)

[Simon McVittie <smcv@debian.org>]

On 18/03/12 15:58, Adam D. Barratt wrote:
> On Thu, 2012-03-08 at 14:12 +0000, Simon McVittie wrote:
>>   * As a precaution, disable auto-downloading
> 
> Specifically, this not only disables auto-downloading but prevents users
> from turning it back on should they so wish.  I assume the logic here is
> that there may still be security issues lurking which involve untrusted
> content and just haven't been found yet?

That, but more so: auto-downloading is known (or at least strongly
suspected) to be unsafe. Auto-downloaded PK3 files can contain
executable bytecode to be run by a JIT compiler or interpreter, and the
sandboxing used in Quake III Arena (and hence Tremulous and early
ioquake3 versions) is rather lacking - it seems to have been designed
for robustness against coding mistakes, but not against malicious bytecode.

The version of ioquake3 that we ship is believed to correct this, but I
wouldn't be happy about backporting 6 years' worth of interpreter/JIT
improvements in a security update: I'd have to replace the whole virtual
machine implementation (JITs for i386, amd64, powerpc and sparc, and a
generic interpreter for the other architectures), and that seems rather
more intrusive than I'd like.

I'm seriously considering knocking out auto-downloading in our ioquake3
packages (used by our quake3 and openarena packages) in time for wheezy,
too - it's less important there, because a more modern ioquake3 is
better-sandboxed, but it's still likely to mitigate future security issues.

Disabling auto-downloading will also mitigate any exploits we might find
in loaders for non-executable formats (images, models, sounds), but
that's not the primary purpose of this change.

Regards,
    S