Author Topic: Another ioquake3 vulnerability. Turning off auto-downloading recommended  (Read 5881 times)

Cakes 5
Posts: 23

ioquake3/OA/Q3 Debian maintainer

« on: March 14, 2017, 12:26:15 PM »

This ioquake3 vulnerability almost certainly affects OpenArena:

Mitigation: turn off auto-downloading.

The openarena package in Debian unstable uses Debian's copy of ioquake3, which I fixed this morning for unstable. The ioquake3 packages in Debian stable and testing will be fixed soon.

For the people who get their binaries directly from instead of from Linux distributions, it would be great if someone could do an OpenArena 0.8.9 (or or whatever) engine release with the various security fixes that have happened since 0.8.alien and publish that alongside the rest of the "official" 0.8.8 downloads.



Don't use auto-downloading, and don't let your friends use auto-downloading.

Auto-downloading lets malicious server admins send you malware. Auto-downloading also lets malicious people who are not server admins send you malware (one of the OpenJK developers has tried it and reports that it isn't very difficult). The Internet has a lot of malicious people, some of them literally members of organised crime syndicates. I strongly recommend not making yourself an easy target.

While the ioquake3 maintainers are continuing to patch the worst issues, the fundamental problem remains: if auto-downloading is enabled, the idTech3 (Quake 3) engine is downloading executable code (whether in the form of QVM bytecode, or exec'able cfg files, or whatever else) over an authenticated channel, and then running it.

There is currently no way to have auto-downloading for "safe" content (like maps) without also getting auto-downloading for unsafe executable code. I'm working on it (see another topic).
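As an added illustration of the point above (not code from this thread, from ioquake3, or from OpenArena): a small inspector that opens a downloaded content pack and separates plain data entries from the ones the engine would execute. It assumes Quake 3 content packs are .pk3 files (ordinary zip archives) and that the executable content is QVM bytecode (*.qvm) and exec'able console scripts (*.cfg); the sample packs are constructed in memory.

```python
import io
import zipfile

# Assumption (not from the thread): pk3 packs are zip archives; the engine
# runs *.qvm bytecode and exec's *.cfg scripts, everything else is loaded as data.
EXECUTABLE_SUFFIXES = (".qvm", ".cfg")


def classify_pk3(pk3_bytes):
    """Split a pk3's file entries into (data_entries, executable_entries).

    Matching is case-insensitive, so VM/CGAME.QVM is caught as well as vm/cgame.qvm.
    """
    data, executable = [], []
    with zipfile.ZipFile(io.BytesIO(pk3_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                executable.append(info.filename)
            else:
                data.append(info.filename)
    return data, executable


def pk3_contains_executable_content(pk3_bytes):
    """True when the pack carries anything the engine would run rather than merely load."""
    return bool(classify_pk3(pk3_bytes)[1])


def make_sample_pk3(entries):
    """Build a constructed in-memory pk3 for demonstration; payloads are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a map-only pack, and a "map" pack that also ships code.
MAP_ONLY_PK3 = make_sample_pk3({"maps/example.bsp": b"placeholder",
                                "levelshots/example.jpg": b"placeholder"})
MAP_PLUS_CODE_PK3 = make_sample_pk3({"maps/example.bsp": b"placeholder",
                                     "vm/cgame.qvm": b"placeholder",
                                     "autoexec.cfg": b"bind x quit"})

if __name__ == "__main__":
    for label, pack in (("map-only", MAP_ONLY_PK3), ("map+code", MAP_PLUS_CODE_PK3)):
        data, code = classify_pk3(pack)
        print(f"{label}: data={data} executable={code}")
```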

Cakes 35
Posts: 14520

« Reply #1 on: March 14, 2017, 05:00:24 PM »

Auto-downloading's already off by default in the 0.8.8 release package (or it should be, for basic non-Free content precedents and security measures).  The OA3 engine (on the github) does not use the affected cl_renderer cvar and doesn't currently build the external renderer modules.  Also 0.8.8 predates the whole renderer module system at that

A hotfix patch could be made, but not another big full release, and I'm wondering whether that should be made on the old 0.8.8 engine or the github engine, because the latter would probably upset some players used to 0.8.8's feel (it has a load of renderer changes not found in 088 or ioq3).

(Note for vanilla q3 players - this is not an issue in Q3)
« Last Edit: March 14, 2017, 05:19:10 PM by fromhell »

asking when OA3 will be done won't get OA3 done.
Progress of OA3 currently occurs behind closed doors alone

I do not provide technical support either.

new code development on github
In the year 3000

Cakes 49
Posts: 3775

Trickster God.

« Reply #2 on: March 14, 2017, 05:45:53 PM »

To think there were TONS of requests for autodownload to be set on by default on OA... and now there's this, LOL.

"Detailed" is nice, but if it gets in the way of clarity, it ceases being a nice addition and becomes a problem. - TVT
Want to contribute? Read this.
In the year 3000

Cakes 45
Posts: 4393

« Reply #3 on: March 15, 2017, 04:13:15 AM »

There is currently no way to have auto-downloading for "safe" content (like maps) without also getting auto-downloading for unsafe executable code. I'm working on it (see another topic).
For the sake of completeness:

I never want to be aggressive, offensive or ironic with my posts. If you find something offending in my posts, read them again searching for a different mood there. If you still see something bad with them, please ask me infos. I can be wrong at times, but I never want to upset anyone.