Thanks Juan!

ioquake3-1.36-6.svn2102.2.mga1 is the updated package (RPM and SRPM).

Advisory:
========================

Updated ioquake3 package fixes security vulnerabilities:

It has been discovered that spoofed "getstatus" UDP requests are being
sent by attackers to servers for use with games derived from the
Quake 3 engine (such as openarena).  These servers respond with a
packet flood to the victim whose IP address was impersonated by the
attackers, causing a denial of service (CVE-2010-5077).

sys/sys_unix.c in the ioQuake3 engine on Unix and Linux, as used in
World of Padman 1.5.x before 1.5.1.1 and OpenArena 0.8.x-15 and
0.8.x-16, allows remote game servers to execute arbitrary commands via
shell metacharacters in a long fs_game variable (CVE-2011-1412).

The FS_CheckFilenameIsNotExecutable function in qcommon/files.c in the
ioQuake3 engine 1.36 and earlier, as used in World of Padman, Smokin'
Guns, OpenArena, Tremulous, and ioUrbanTerror, does not properly
determine dangerous file extensions, which allows remote attackers to
execute arbitrary code via a crafted third-party addon that creates a
Trojan horse DLL file (CVE-2011-2764).

The ioQuake3 engine, as used in World of Padman 1.2 and earlier,
Tremulous 1.1.0, and ioUrbanTerror 2007-12-20, does not check for
dangerous file extensions before writing to the quake3 directory,
which allows remote attackers to execute arbitrary code via a crafted
third-party addon that creates a Trojan horse DLL file (CVE-2011-3012).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1412
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2764
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3012
http://www.debian.org/security/2012/dsa-2442
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078387.html

CC: (none) => luigiwalser
Blocks: (none) => 5496
Assignee: bugsquad => qa-bugs

To QA: testing that ioq3demo works should be enough. Otherwise you can also test by downloading original pk3 files.

CC: (none) => stormi
Whiteboard: (none) => has_procedure

You need to download pk3 files to play the demo too, after verification.

I've been trying to use ioquake3 in Mageia 1 but without success. Juan, can you give us basic steps to follow to make it work, with demo data, free data or non-free data, anything provided we get a working game to check that it works?

Whiteboard: has_procedure => (none)

Sure, here are the instructions. It isn't trivial to get the demo running as it is a really old program, but here's how I got it running on mga 2:

1. Download the demo from ftp://ftp.fu-berlin.de/pc/games/idgames/idstuff/quake3/linux/linuxq3ademo-1.11-6.x86.gz.sh

2. Add execution permissions to the demo installer: chmod 755 linuxq3ademo-1.11-6.x86.gz.sh

3. Export this env var: export _POSIX2_VERSION=199209

4. Run it like ./linuxq3ademo-1.11-6.x86.gz.sh -target /tmp

5. Accept licence so it can uncompress, install, etc.

6. Go to /tmp/ and move the demoq3 folder to $HOME/.q3a (create that folder if it doesn't exist yet).

7. Install ioquake3 from core/updates_testing

8. On a terminal run ioquake3

Thanks Juan Luis Baptiste

I had to change step 4. (/tmp replaced with /tmp/test so that it can create the directory) so that I could reach step 8.

However, I can't make it work. Running ioquake3 fails with "pak0.pk3 is missing".

Now, I guess I must use q3demo instead, which:
- works with ioquake3-1.36-6.mga1.i586.rpm
- fails with ioquake3-1.36-6.svn2102.2.mga1, with message "Point Release files are missing. Please re-install the 1.32 point release. Also check that your ioq3 executable is in the correct place and that every file in the "baseq3" directory is present and readable"

Whiteboard: has_procedure => has_procedure feedback

I have the demo working with ioquake3-1.36-6.svn2102.2.mga1.i586.rpm.

When I first ran the game, it failed as it couldn't find libGL.so,
so I installed libmesagl1-devel and libmesagl1.

Are those dependencies required for ioquake3, or just the demo?

CC: (none) => davidwhodgins

(In reply to comment #7)
> I have the demo working with ioquake3-1.36-6.svn2102.2.mga1.i586.rpm.
> 
> When I first ran the game, it failed as it couldn't find libGL.so,
> so I installed libmesagl1-devel and libmesagl1.
> 
> Are those dependencies required for ioquake3, or just the demo?

After discussing on IRC, it appears that Dave tested the demo, but maybe not the mageia ioquake binaries. The problem raised at comment #6 remains.

(In reply to comment #6)
> However, I can't make it work. Running ioquake3 fails with "pak0.pk3 is
> missing".
> 

Please check that on $HOME/.q3a/demoq3 a file named pak0.pk3 exists.

(In reply to comment #9)
> (In reply to comment #6)
> > However, I can't make it work. Running ioquake3 fails with "pak0.pk3 is
> > missing".
> > 
> 
> Please check that on $HOME/.q3a/demoq3 a file named pak0.pk3 exists.

yes it exists, but not in $HOME/.q3a/baseq3 where ioquake3 looks for (ioq3demo, not q3demo like I wrote, looks in $HOME/.q3a/demoq3 that's why it works with the package from core release)

Try running it like this:

ioquake3 +set com_basegame demoq3

(In reply to comment #11)
> Try running it like this:
> 
> ioquake3 +set com_basegame demoq3

This doesn't work with the version in core/release (still doesn't find pak0.pk3), but with the version in updates_testing I got further. The game almost starts, but then it hangs. Looking at processes I found one with interesting information:

  PID TTY      STAT   TIME COMMAND
 6965 pts/4    S+     0:00 zenity --error --text=recursive error after: User Interface is version 3, expected 6. See "/home/samuel/.q3a/demoq3/crashlog.txt" for details. --title=Error

This version of ioquake3 seems very different from the one in core/release. Things that work with the old version don't with the new one, or require a different way, which is a big change for users. Is upgrading to it the only way to fix the security issues?

Also, what about the error message about missing point release files in the second part of comment #6?

Try this, additional to the instructions on comment #5 :

1. Download the latest pak files from http://ioquake3.org/files/1.36/data/ioquake3-q3a-1.32-9.run
2. Run that .sh then copy all the pak*.pk3 files to $HOME/.q3a/baseq3
3. Copy the pak0.pk3 of the demo that you previously put on demoq3 to baseq3.
4. Run ioquake3.

I was able to run the demo with ioquake3-1.36-svn2102 like that, but on mga 2 (I don't have a mga 1 at hand).

Testing mga1 i586

Following comment 5

$ ioquake3
ioq3 1.36 linux-i386 Aug 10 2012
Have SSE support
----- FS_Startup -----
Current search path:
/home/claire/.q3a/baseq3
/home/claire/.q3a/baseq3/pak0.pk3 (1387 files)
/usr/share/ioquake3/baseq3

----------------------
1387 files in pk3 files


**************************************************
WARNING: It looks like you're using pak0.pk3
from the demo. This may work fine, but it is not
guaranteed or supported.
**************************************************


Point Release files are missing. Please re-install the 1.32 point release. Also check that your ioq3 executable is in the correct place and that every file in the "baseq3" directory is present and readable

When I follow comment 13..

$ ./ioquake3-q3a-1.32-9.run 
Verifying archive integrity... All good.
Uncompressing Quake III Arena for ioquake3 1.32.................................................................................

Then it gives a popup saying I need to install ioquake3 before running the setup program.

$ rpm -q ioquake3
ioquake3-1.36-6.svn2102.2.mga1


Not really sure what I'm doing here or if this is expected.

It seems in mga2 the ioquake3-update command can be used to update the pak files. In mageia 1 though that command is not present.

Mga2:
$ urpmf ioquake3 | grep bin
ioquake3-demo:/usr/bin/ioquake3-demo
ioquake3:/usr/bin/ioq3ded
ioquake3:/usr/bin/ioquake3
ioquake3:/usr/bin/ioquake3-smp
ioquake3:/usr/bin/ioquake3-update

Core Release
ioquake3-1.36-9.svn2102.mga2

Mga1:
$ urpmf --media Testing ioquake3 | grep bin
ioquake3:/usr/bin/ioq3demo
ioquake3:/usr/bin/ioquake3

Core Updates Testing
ioquake3-1.36-6.svn2102.2.mga1


I think we will be limited in the amount of testing we are able to do. It does seem to be doing something which looks like it is doing what it is supposed to do but without being able to run the game we will not be able to verify it any further.

Whiteboard: has_procedure => has_procedure mga1-32-OK?

I don't know what is happening with the data files installer but try this:

1. Run ./ioquake3-q3a-1.32-9.run --target ./temp
2. Enter temp dir.
3. Extract the data files archive: tar xvf idpatchpk3s.tar
4. Move all the pak*.pk3 files to ~/.q3a/baseq3
5. Run ioquake3

It worked for me too.

Trying comment 16 on Mageia 1 x86-64, when I run ioquake3 ...

$ ioquake3 
/usr/bin/ioquake3: line 2: /usr/lib/ioquake3/ioquake3.sh: No such file or directory

Trying to run /usr/lib64/ioquake3/ioquake3.sh, I still get ...
"pak0.pk3" is missing. Please copy it from your legitimate Q3 CDROM. Also check that your ioq3 executable is in the correct place and that every file in the "baseq3" directory is present and readable. See "/home/dave/.q3a/baseq3/crashlog.txt" for details.

$ ll .q3a/baseq3/
total 25480
-rw-r----- 1 dave dave     735 Aug 30 22:53 crashlog.txt
-rw-r--r-- 1 dave dave  374405 Nov 13  2002 pak1.pk3
-rw-r--r-- 1 dave dave 7511182 Nov 13  2002 pak2.pk3
-rw-r--r-- 1 dave dave  276305 Nov 13  2002 pak3.pk3
-rw-r--r-- 1 dave dave 9600350 Nov 13  2002 pak4.pk3
-rw-r--r-- 1 dave dave  191872 Nov 13  2002 pak5.pk3
-rw-r--r-- 1 dave dave 7346884 Nov 13  2002 pak6.pk3
-rw-r--r-- 1 dave dave  320873 Nov 13  2002 pak7.pk3
-rw-r--r-- 1 dave dave  454478 Nov 13  2002 pak8.pk3

The story so far mga1 x86_64..

# urpmi ioquake3
To satisfy dependencies, the following packages are going to be installed:
   Package                        Version      Release       Arch   
(medium "Core Release")
  ioquake3                       1.36         6.mga1        x86_64  
  lib64openal1                   1.12.854     3.mga1        x86_64  
  openal                         1.12.854     3.mga1        x86_64  
11MB of additional disk space will be used.
2.5MB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n) y

$ mkdir ioquake
$ cd ioquake
$ wget http://ioquake3.org/files/1.36/data/ioquake3-q3a-1.32-9.run

$ chmod u+x ioquake3-q3a-1.32-9.run 
$ ./ioquake3-q3a-1.32-9.run --target ./temp
Creating directory ./temp
Verifying archive integrity... All good.
Uncompressing Quake III Arena for ioquake3 1.32.................................................................................

$ cd temp
$ tar xvf idpatchpk3s.tar
./
./pak6.pk3
./pak8.pk3
./pak3.pk3
./pak2.pk3
./pak7.pk3
./pak1.pk3
./pak5.pk3
./pak4.pk3

$ mkdir -p ~/.q3a/baseq3
$ mv *.pk3 ~/.q3a/baseq3/
$ cd ..
$ wget ftp://ftp.fu-berlin.de/pc/games/idgames/idstuff/quake3/linux/linuxq3ademo-1.11-6.x86.gz.sh

$ chmod u+x linuxq3ademo-1.11-6.x86.gz.sh 
$ export _POSIX2_VERSION=199209
$ ./linuxq3ademo-1.11-6.x86.gz.sh -target ~/ioquake/tmp

$ cp tmp/demoq3/pak0.pk3 ~/.q3a/baseq3/
$ cd
$ ioquake3
/usr/bin/ioquake3: line 2: /usr/lib/ioquake3/ioquake3.sh: No such file or directory

$ ls -l /usr/lib/ioquake3/
ls: cannot access /usr/lib/ioquake3/: No such file or directory

$ urpmf /usr/lib/ioquake3/ioquake3.sh
ioquake3:/usr/lib/ioquake3/ioquake3.sh

$ rpm -q ioquake3                                           
ioquake3-1.36-6.mga1

$ cat /usr/bin/ioquake3
#!/bin/sh
exec /usr/lib/ioquake3/ioquake3.sh "$@"

$ urpmf ioquake3 | grep ioquake3.sh
ioquake3:/usr/lib64/ioquake3/ioquake3.sh
ioquake3:/usr/lib/ioquake3/ioquake3.sh

So it seems that in release version of 64 bit ioquake3 /usr/bin/ioquake3 refers to /usr/lib instead of /usr/lib64. Altering it to lib64 allows the game to start, but it does mean there is an error in the release version of ioquake3.

I'll install the update and see if it is fixed.

After installing the update..

installing ioquake3-1.36-6.svn2102.2.mga1.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     ############################################
      1/1: ioquake3              ############################################

$ cat /usr/bin/ioquake3
#!/bin/sh
exec /usr/lib/ioquake3/ioquake3.sh "$@"

$ ioquake3
/usr/bin/ioquake3: line 2: /usr/lib/ioquake3/ioquake3.sh: No such file or directory

So there is a problem here. Once it is altered again, the game still runs.

Juan, thankyou so far but would you mind taking another look at this please.

Assigning Juan.

Could you please see comment 18 and comment 19

Please reassign to QA when you've had a chance to take a look at this.

Thanks

CC: (none) => qa-bugs
Assignee: qa-bugs => juan.baptiste

This message is a reminder that Mageia 1 is nearing its end of life. 
In approximately 25 days from now, Mageia will stop maintaining and issuing 
updates for Mageia 1. At that time this bug will be closed as WONTFIX (EOL) if it 
remains open with a Mageia 'version' of '1'.

Package Maintainer: If you wish for this bug to remain open because you plan to 
fix it in a currently maintained version, simply change the 'version' to a later 
Mageia version prior to Mageia 1's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not 
be able to fix it before Mageia 1 is end of life.  If you would still like to see 
this bug fixed and are able to reproduce it against a later version of Mageia, 
you are encouraged to click on "Version" and change it against that version 
of Mageia.

Although we aim to fix as many bugs as possible during every release's lifetime, 
sometimes those efforts are overtaken by events. Often a more recent Mageia 
release includes newer upstream software that fixes bugs or makes them obsolete.

--
Mageia Bugsquad

Ping.  What's the status on this?

We're running out of time to fix things for Mageia 1.

Mageia 1 changed to end-of-life (EOL) status on ''1st December''. Mageia 1 is no 
longer maintained, which means that it will not receive any further security or 
bug fix updates. As a result we are closing this bug. 

If you can reproduce this bug against a currently maintained version of Mageia 
please feel free to click on "Version" change it against that version of Mageia and reopen this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

--
Mageia Bugsquad

Status: NEW => RESOLVED
Resolution: (none) => WONTFIX