Your message dated Tue, 14 Mar 2017 11:34:06 +0000
with message-id <e1cnkim-000bjj...@fasolo.debian.org>
and subject line Bug#857699: fixed in ioquake3 1.36+u20161101+dfsg1-2
has caused the Debian Bug report #857699,
regarding ioquake3 has a security vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
857699: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857699
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ioquake3
Version: 1.36
Severity: grave
Hi,
earlier today ioquake3 fixed a vulnerability that, as far as I
understand, could let malicious multiplayer servers execute code on
connecting clients.
It affects all prior versions of ioquake3 (and I think also original
Quake 3).
Details:
https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/
So you should probably update to latest ioq3 git or backport the fix.
Cheers,
Daniel
--- End Message ---
--- Begin Message ---
Source: ioquake3
Source-Version: 1.36+u20161101+dfsg1-2
We believe that the bug you reported is fixed in the latest version of
ioquake3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 857...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated ioquake3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 14 Mar 2017 10:14:37 +0000
Source: ioquake3
Binary: ioquake3 ioquake3-server
Architecture: source
Version: 1.36+u20161101+dfsg1-2
Distribution: unstable
Urgency: high
Maintainer: Debian Games Team <pkg-games-de...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Closes: 857699
Description:
 ioquake3 - Game engine for 3D first person shooter games
 ioquake3-server - Engine for 3D first person shooter games - server and common file
Changes:
 ioquake3 (1.36+u20161101+dfsg1-2) unstable; urgency=high
 .
   * d/gbp.conf: switch branch to debian/stretch for updates during freeze
   * d/patches: Add patches from upstream fixing security vulnerabilities
     - refuse to load potentially auto-downloadable .pk3 files as
       ioquake3 renderers, ioquake3 game code, libcurl, or OpenAL drivers
       (mitigation: auto-downloading is off by default, and in Debian
       we do not dlopen libcurl anyway)
     - refuse to load default configuration file names from a .pk3 file
     - protect cl_renderer, cl_curllib, s_aldriver configuration variables so
       game code cannot set them
     - refuse to overwrite files other than *.txt with the dump console
       command
     - refuse to overwrite files other than *.cfg with the writeconfig
       console command
     (Closes: #857699)
   * Add patch adapted from openarena to request confirmation before
     enabling auto-downloading if the native-code Quake III Arena UI is
     in use. Unfortunately this is not the case with quake3_46, but
     I'm adding this patch in the hope that the wrapper script can
     be fixed before the stretch release.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
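
The extension checks listed in the changelog above, sketched in C as an added example. This is not the upstream ioquake3 patch or the Debian package's code, and the function names are hypothetical.

```c
/* Added illustration; function names are hypothetical, not ioquake3's. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* True if `name` ends with `ext` (e.g. ".pk3"), ignoring ASCII case.
 * A name shorter than the extension never matches. */
static bool has_ext(const char *name, const char *ext)
{
    size_t n = strlen(name), e = strlen(ext);
    if (e == 0 || n < e)
        return false;
    name += n - e;
    for (size_t i = 0; i < e; i++)
        if (tolower((unsigned char)name[i]) != tolower((unsigned char)ext[i]))
            return false;
    return true;
}

/* Library loads (renderer, game code, libcurl, OpenAL driver): refuse any
 * path that carries the auto-downloadable archive extension. */
bool may_load_as_library(const char *path)
{
    return path != NULL && !has_ext(path, ".pk3");
}

/* Console write commands: allow only the one extension the command is
 * meant to produce (".cfg" for writeconfig, ".txt" for dump), so the
 * command cannot overwrite any other kind of file. */
bool may_write_file(const char *path, const char *required_ext)
{
    return path != NULL && has_ext(path, required_ext);
}
```

The load check is a denylist on one extension while the write check is an allowlist, which mirrors how the changelog words the two mitigations.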