severity 280573 important
thanks

On Sun, Jan 23, 2005 at 01:41:25PM +0100, Stefan Fritsch wrote:
> I am not a Debian developer, so I cannot make a NMU. I have made a 
> patch however. Does this help? If you don't have time to apply it, 
> please tell me as soon as possible, then I will try to find someone 
> else to do a NMU. I would really like quake2 to be in sarge.

Thanks for the patch, I adapted it slightly, and NMU'd. This will make
this bug merely important, as the user is extensively warned about the
risks involved.

Maintainer, see below for the patch (excluding the config.{sub,guess}
update that happens automagically).

Thanks all!
--Jeroen
 
diff -u quake2-0.3/debian/quake2.6 quake2-0.3/debian/quake2.6
--- quake2-0.3/debian/quake2.6
+++ quake2-0.3/debian/quake2.6
@@ -12,6 +12,9 @@
 .br
 This manual page was written for the Debian GNU/Linux distribution
 because the original program does not have a manual page.
+.sp 1
+\fBWARNING:\fP The network part of Quake 2 has several unfixed security
+problems. You should not use Quake 2 in untrusted networks.
 .PP
 .\" TeX users may be more comfortable with the \fB<whatever>\fP and
 .\" \fI<whatever>\fP escape sequences to invode bold face and italics, 
@@ -63,6 +66,9 @@
 The model viewer in Multiplayer->player setup displays the skins incorrectly.
 .sp 1
 If you upgrade this package, your savegames will not work, due to the way 
savegames are made.
+.sp 1
+There are several unfixed security issues in the network code. Do not use in
+untrusted networks.
 .SH AUTHOR
 .B quake2
 was originally written by iD Software.
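Review bot: this second warning says "several unfixed security issues" where the first one in the same file says "several unfixed security problems", and neither points at where the details live; since the NEWS file and the wrapper both cite http://bugs.debian.org/280573, add the same reference here (`.UR`/`.UE` or a plain URL line) so a reader of the man page can find the actual list of issues.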
diff -u quake2-0.3/debian/rules quake2-0.3/debian/rules
--- quake2-0.3/debian/rules
+++ quake2-0.3/debian/rules
@@ -58,6 +58,9 @@
        $(MAKE) install DESTDIR=$(CURDIR)/debian/quake2
        install -p -m 644 debian/quake2.xpm debian/quake2/usr/share/pixmaps/
        install -p -m 644 debian/quake2ctf.xpm debian/quake2/usr/share/pixmaps/
+       mv debian/quake2/usr/games/quake2 \
+               debian/quake2/usr/lib/games/quake2/quake2.real
+       install -p debian/quake2.wrapper debian/quake2/usr/games/quake2
 
 # Build architecture-independent files here.
 # Pass -i to all debhelper commands in this target to reduce clutter.
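Review bot: the `mv debian/quake2/usr/games/quake2 \ debian/quake2/usr/lib/games/quake2/quake2.real` line assumes the directory `debian/quake2/usr/lib/games/quake2` already exists after `$(MAKE) install`; nothing in this hunk creates it, so an `install -d debian/quake2/usr/lib/games/quake2` before the `mv` makes the step robust (it is harmless if the directory is already there). The `install -p debian/quake2.wrapper debian/quake2/usr/games/quake2` line relies on install's default 0755 mode; passing `-m 755` explicitly matches the surrounding `install -p -m 644` lines and documents that the wrapper must be executable.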
diff -u quake2-0.3/debian/control quake2-0.3/debian/control
--- quake2-0.3/debian/control
+++ quake2-0.3/debian/control
@@ -23,0 +24,3 @@
+ .
+ NOTE: The network part of Quake II has several unfixed security problems.
+ It should not be used in untrusted networks.
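Review bot: the header `@@ -23,0 +24,3 @@` carries no context lines, so `patch` cannot verify that the `NOTE:` paragraph lands inside the long Description of the quake2 package rather than in another stanza if line numbers shift; regenerate this part with default context (plain `diff -u`, not `-U0`) so the surrounding description lines are checked on application.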
diff -u quake2-0.3/debian/changelog quake2-0.3/debian/changelog
--- quake2-0.3/debian/changelog
+++ quake2-0.3/debian/changelog
@@ -1,3 +1,12 @@
+quake2 (1:0.3-1.1) unstable; urgency=medium
+
+  * Non-Maintainer Upload on suggestion of maintainer
+  * Add warnings about security problems in networking code, downgrading bug
+    #280573. Thanks to Stefan Fritsch <[EMAIL PROTECTED]> for providing patches
+    to do so.
+
+ -- Jeroen van Wolffelaar <[EMAIL PROTECTED]>  Mon, 25 Apr 2005 14:11:02 +0200
+
 quake2 (1:0.3-1) unstable; urgency=low
 
   * The "I bought my laptop for this bug" release.
--- quake2-0.3.orig/debian/NEWS
+++ quake2-0.3/debian/NEWS
@@ -0,0 +1,17 @@
+quake2 (1:0.3-1.1) unstable; urgency=medium
+
+   The networking part of Quake II (especially the server part) contains
+   several unfixed security issues. Therefore, Quake II should not be
+   used over untrusted networks (like the internet). The version
+   included in Debian is intended only for local playing.   
+   
+   See [1] for details. A (hopefully) secure version of the server is
+   available at [2].
+
+   For more information, see Debian bug #280573[3]
+
+   [1] http://archives.neohapsis.com/archives/bugtraq/2004-10/0299.html
+   [2] http://www.r1ch.net/stuff/r1q2/
+   [3] http://bugs.debian.org/280573
+
+ -- Jeroen van Wolffelaar <[EMAIL PROTECTED]>  Mon, 25 Apr 2005 14:11:02 +0200
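Review bot: "A (hopefully) secure version of the server is available at [2]" names neither the project nor its status; say what the URL http://www.r1ch.net/stuff/r1q2/ points to and whether it is something Debian ships or an external, unsupported build, so users do not expect apt to provide it. Minor: "local playing" here versus "local play" in the wrapper text; use the same wording in both.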
--- quake2-0.3.orig/debian/quake2.wrapper
+++ quake2-0.3/debian/quake2.wrapper
@@ -0,0 +1,24 @@
+#!/bin/bash
+cat <<_EOF_
+***** WARNING *****
+
+   The networking part of Quake II (especially the server part) contains
+   several unfixed security issues. Therefore, Quake II should not be
+   used over untrusted networks (like the internet). The version
+   included in Debian is intended only for local play.   
+
+   See for an possibly non-exhaustive list of issues:
+   http://archives.neohapsis.com/archives/bugtraq/2004-10/0299.html
+   http://www.r1ch.net/stuff/r1q2/
+   http://bugs.debian.org/280573
+
+*******************
+
+Do you understand the security implications of continuing?
+_EOF_
+
+read answer
+case "$answer" in
+y*) exec /usr/lib/games/quake2/quake2.real "$@" ;;
+*) exit 1
+esac
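Review bot: `read answer` is done without checking that stdin is a terminal, so a launch from a desktop menu entry (the .xpm pixmaps installed in debian/rules suggest one exists) reads EOF, falls into the `*) exit 1` branch and quits silently, with the warning written to a stdout nobody sees. Send the banner to stderr (`cat >&2 <<_EOF_`), test `[ -t 0 ]` before the `read`, and on a non-interactive launch exit with an explicit one-line message naming the wrapper so the failure is diagnosable. Also `y*)` rejects an uppercase `Y`; `[yY]*)` accepts both.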

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED]
http://jeroen.A-Eskwadraat.nl