Bug#686648: ioquake3: consider disallowing auto-downloading in wheezy

Simon McVittie smcv at debian.org
Tue Sep 4 10:00:17 UTC 2012


Package: ioquake3
Version: 1.36+svn2287-1
Severity: important
Tags: patch
X-Debbugs-Cc: debian-release at lists.debian.org
X-Debbugs-Cc: debian-devel-games at lists.debian.org

I am considering removing the cl_allowDownload option from the ioquake3
client, effectively forcing its value to "disabled" (further details below).
The effect of this option is:

* if disabled (or patched out), joining "modded" game servers will require
  users to download and install any "mods" active on that server manually

* if enabled, "mods" are automatically downloaded; if certain security flaws
  exist in ioquake3, a malicious server operator or a man-in-the-middle
  could exercise those flaws (worst-case: arbitrary code execution) by
  encouraging users to join a game server

This is basically a trade-off between convenience and mitigating security
vulnerabilities. I say "mitigating" because a user could always install
a malicious mod to ~/.q3a or ~/.openarena manually, with the same result
as if they had auto-downloaded it.

I am not aware of any current vulnerabilities that could be exploited in
this way, but see below for a list of past vulnerabilities that would have
been mitigated by this change.

Games team: what are your thoughts about this? Should we give users the
freedom to shoot themselves in the foot, or patch this feature out?
Should we reinstate the feature in unstable after wheezy releases, or
leave it out permanently?

Release team: would you consider a freeze exception for this? I attach
draft patches (I'd replace nnnnnn with this bug number and UNRELEASED
with unstable, obviously). Only the ioquake3 one is strictly necessary,
but it would leave a useless and misleading menu option in openarena, so
I would prefer to patch openarena too.

The next "obvious" revision numbers (ioquake3 1.36+svn2287-2,
openarena 0.8.8-6) are already in use in experimental, so if I upload
these, I'm going to version them like a stable update. Let me know if you
would prefer me to use -X+wheezyY for the revision numbers rather
than -X+deb70+Y, or something else entirely.

    S

----

Further explanation:

The ioquake3 engine is used in openarena (main/games) and quake3
(contrib/games). When used as a network client, it has the option to
auto-download required data from the game server, or (as one of the
ioquake3 enhancements to the Quake III Arena engine) from an HTTP or FTP
server nominated by the server administrator. By design, auto-downloaded
packages are not signed or authenticated (server administrators can add
arbitrary "mods").

As well as "safe" data (maps, 3D models etc.), auto-downloaded packages
can include executable bytecode (cgame.qvm, ui.qvm), which will be run by
the client using a JIT or interpreter. The JIT/interpreter acts as a simple
sandbox, and known vulnerabilities in it have been treated as security
issues and fixed. To the best of my knowledge, there has not been a
systematic audit.

Unfortunately, it is not currently possible to auto-download "safe" files
(maps, models, textures, music etc.) but reject executable bytecode.
I hope to add that feature in time for Debian 8, and make it the default.

During squeeze updates to tremulous (which uses a fork of ioquake3), I
patched out auto-downloading support. I am now considering doing the
same to ioquake3 itself before wheezy is released: this would mean that
any vulnerabilities discovered in the bytecode JIT/interpreter would
not affect wheezy.

However, this would remove an apparently-intentional feature, making it
harder for Debian users to join "modded" servers. In Quake III Arena
(quake3, contrib/games) enabling client-side auto-downloading requires
console commands; in OpenArena (openarena, main/games) the feature
can be enabled through the GUI. In both cases it is off by default.
Server administrators and gaming communities frequently encourage users
to switch on this feature, apparently without considering its security
implications.

Here are some past Quake III Arena CVEs and whether this change would have
mitigated them:

                 affects   impact           mitigated by this?
CVE-2001-1289    server    DoS              no
CVE-2005-0430    server    DoS              no
CVE-2005-0983    client    DoS              no
CVE-2006-2082    server    info disclosure  no
CVE-2006-2236    client    code exec        no
CVE-2007-2785    client    code exec        yes
CVE-2006-3324    client    file write       yes
CVE-2006-3325    client    code exec?       partially?
CVE-2006-3400    client    code exec?       no
CVE-2006-3401    client    code exec        yes?
CVE-2011-1412    client    code exec        no
CVE-2011-2764    client    code exec        yes
CVE-2012-3345    both      file write       no

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ioquake3 depends on:
ii  libc6                     2.13-35
ii  libcurl3-gnutls           7.27.0-1
ii  libgl1-mesa-glx [libgl1]  8.0.4-2
ii  libjpeg8                  8d-1
ii  libogg0                   1.3.0-4
ii  libopenal1                1:1.14-4
ii  libsdl1.2debian           1.2.15-5
ii  libspeex1                 1.2~rc1-6
ii  libspeexdsp1              1.2~rc1-6
ii  libvorbis0a               1.3.2-1.3
ii  libvorbisfile3            1.3.2-1.3
ii  zlib1g                    1:1.2.7.dfsg-13

Versions of packages ioquake3 recommends:
ii  x11-utils  7.7~1
ii  zenity     3.4.0-2

ioquake3 suggests no packages.

Versions of packages ioquake3 is related to:
ii  libgl1-mesa-dri  8.0.4-2

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ioquake3.diff
Type: text/x-diff
Size: 3973 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-games-devel/attachments/20120904/57c4a873/attachment-0002.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openarena.diff
Type: text/x-diff
Size: 9249 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-games-devel/attachments/20120904/57c4a873/attachment-0003.diff>
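The message above says the engine cannot yet auto-download "safe" data (maps, textures, models) while rejecting executable QVM bytecode. As an added illustration, not part of this bug report, the attached patches, or ioquake3 itself, the following script shows the shape such a check could take on the client side. It assumes only two things that hold for id Tech 3 games: a pk3 is an ordinary zip archive, and client bytecode is any archive entry whose name ends in ".qvm" (cgame.qvm, ui.qvm). The sample archives it inspects are constructed in memory; the byte contents are placeholders, not real BSP or QVM data.

```python
"""Classify a Quake III-style .pk3 archive as data-only or bytecode-carrying.

Added example, not code from the bug report or from ioquake3.
Assumptions: pk3 == zip archive; any entry named *.qvm is executable
bytecode that the client would run in its VM interpreter/JIT.
"""
import io
import os
import zipfile

BYTECODE_SUFFIX = ".qvm"


def bytecode_entries(pk3_bytes: bytes) -> list[str]:
    """Return the names of all entries in a pk3 that carry QVM bytecode.

    The match is on the lowercased entry name so that 'VM/CGAME.QVM' is
    caught as well as 'vm/cgame.qvm'; the directory prefix is deliberately
    not checked, because the filesystem layer looks files up by name
    across the whole search path.
    """
    with zipfile.ZipFile(io.BytesIO(pk3_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(BYTECODE_SUFFIX)]


def classify(pk3_bytes: bytes) -> str:
    """'data-only', 'bytecode', or 'unreadable' (corrupt/non-zip data).

    A download that cannot be parsed is treated as unsafe rather than
    silently accepted: the engine would otherwise add it to the search
    path and let the real zip parser decide.
    """
    try:
        found = bytecode_entries(pk3_bytes)
    except zipfile.BadZipFile:
        return "unreadable"
    return "bytecode" if found else "data-only"


def accept_download(pk3_bytes: bytes) -> bool:
    """Policy the message asks for: keep data packs, refuse bytecode packs."""
    return classify(pk3_bytes) == "data-only"


def build_pk3(entries: dict[str, bytes]) -> bytes:
    """Construct an in-memory pk3 (zip) from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (placeholder bytes, not real map or VM data).
MAP_ONLY_PK3 = build_pk3({
    "maps/example_dm1.bsp": b"IBSP" + b"\x00" * 16,
    "textures/example/wall.tga": b"\x00" * 18,
})
MOD_PK3 = build_pk3({
    "maps/modmap.bsp": b"IBSP" + b"\x00" * 16,
    "vm/cgame.qvm": b"QVM?" + b"\x00" * 32,
    "VM/UI.QVM": b"QVM?" + b"\x00" * 32,
})


def scan_directory(path: str):
    """Yield (pk3 path, bytecode entry names) for every .pk3 under path.

    Useful for auditing an existing ~/.q3a or ~/.openarena tree: the
    message notes that a manually installed mod has the same effect as an
    auto-downloaded one, so a local audit is the other half of the story.
    """
    for root, _dirs, files in os.walk(path):
        for fn in files:
            if not fn.lower().endswith(".pk3"):
                continue
            full = os.path.join(root, fn)
            with open(full, "rb") as f:
                verdict = classify(f.read())
            if verdict != "data-only":
                yield full, verdict


if __name__ == "__main__":
    for name, blob in (("map-only pack", MAP_ONLY_PK3), ("mod pack", MOD_PK3)):
        print(f"{name}: {classify(blob)} -> accept={accept_download(blob)}")
    for pk3, verdict in scan_directory(os.path.expanduser("~/.q3a")):
        print(f"{pk3}: {verdict}")
```

The check has to run on the downloaded bytes before the archive is placed in the game's search path; once a pk3 is on the path, the engine will find cgame.qvm inside it and load it. Note also that this only addresses bytecode: malformed map, model or texture files still reach the engine's native parsers, which is why the table above marks several client-side CVEs as not mitigated by disabling downloads.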
