OpenArena Message Boards

id Tech 3 => Engine => Topic started by: smcv on March 14, 2017, 12:26:15 PM



Title: Another ioquake3 vulnerability. Turning off auto-downloading recommended
Post by: smcv on March 14, 2017, 12:26:15 PM
This ioquake3 vulnerability almost certainly affects OpenArena:

https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/

Mitigation: turn off auto-downloading.

The openarena package in Debian unstable uses Debian's copy of ioquake3, which I fixed this morning for unstable. The ioquake3 packages in Debian stable and testing will be fixed soon.

For the people who get their binaries directly from openarena.ws instead of from Linux distributions, it would be great if someone could do an OpenArena 0.8.9 (or 0.8.8.1 or whatever) engine release with the various security fixes that have happened since 0.8.8, and publish that alongside the rest of the "official" 0.8.8 downloads.

----

Editorial:

Don't use auto-downloading, and don't let your friends use auto-downloading.

Auto-downloading lets malicious server admins send you malware. Auto-downloading also lets malicious people who are not server admins send you malware (one of the OpenJK developers has tried it and reports that it isn't very difficult). The Internet has a lot of malicious people, some of them literally members of organised crime syndicates. I strongly recommend not making yourself an easy target.

While the ioquake3 maintainers are continuing to patch the worst issues, the fundamental problem remains: if auto-downloading is enabled, the idTech3 (Quake 3) engine is downloading executable code (whether in the form of QVM bytecode, or exec'able cfg files, or whatever else) over an authenticated channel, and then running it.

There is currently no way to have auto-downloading for "safe" content (like maps) without also getting auto-downloading for unsafe executable code. I'm working on it (see another topic).


Title: Re: Another ioquake3 vulnerability. Turning off auto-downloading recommended
Post by: fromhell on March 14, 2017, 05:00:24 PM
Auto-downloading's already off by default in the 0.8.8 release package (or it should be, for basic non-Free content precedents and security measures).  The OA3 engine (on the github) does not use the affected cl_renderer cvar and doesn't currently build the external renderer modules.  Also 0.8.8 predates the whole renderer module system at that

A hotfix patch could be made, but not another big full release, and I'm wondering whether that should be made on the old 0.8.8 engine or the github engine, because the latter would probably upset some players used to 0.8.8's feel (it has a load of renderer changes not found in 088 or ioq3).


(Note for vanilla q3 players - this is not an issue in Q3)


Title: Re: Another ioquake3 vulnerability. Turning off auto-downloading recommended
Post by: Neon_Knight on March 14, 2017, 05:45:53 PM
To think there were TONS of requests for autodownload to be set on by default on OA... and now there's this, LOL.


Title: Re: Another ioquake3 vulnerability. Turning off auto-downloading recommended
Post by: Gig on March 15, 2017, 04:13:15 AM
Quote from smcv: There is currently no way to have auto-downloading for "safe" content (like maps) without also getting auto-downloading for unsafe executable code. I'm working on it (see another topic).

For the sake of completeness:
http://openarena.ws/board/index.php?topic=5329.0
https://github.com/ioquake/ioq3/issues/130