Important Security Update: Please Update ioquake3 Immediately


#1

Originally published at: https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/

Please immediately update ioquake3 to the latest test build before you connect to any online servers. Despite the name, the test builds are in fact way more stable and secure than any release at this time. In doing so you’ll also receive access to all kinds of other updates and changes that we’ve made since…


#2

8 posts were merged into an existing topic: New filesystem project


#3

Despite the name, the test builds are in fact way more stable and secure than any release at this time.

If you have to advise against using your stable builds, I guess that means you should make a release? It would also be much easier for Linux distros to grab a new stable release that fixes a security vulnerability than to have to package the latest commit from your git repo’s master branch (assuming it matches those “test builds”, I haven’t looked yet).

Edit: Just looked it up, it seems it has been 8 years since the last 1.36 release. It’s really time to release something new. My distro (Mageia) still packages a snapshot from icculus’ SVN repo (rev 2102), no idea how old that is, but likely quite old. I’ll take over that package’s maintainership and update it to the latest git, but that shows how dearly you guys need to put out a proper release.


#6

We need a build engineer to update installers and help us modernize for today’s platforms.


#12

So, I grabbed the “test build”, extracted it, and it was running just fine. I hadn’t realized a problem until I tried to install ioquake3 on another desktop. The x64 client can’t connect to my linux server because of “UnPure pk3 files”. Works fine if I use the original file. Is this correct, or am I missing something?


#13

Do you mean the test build client can connect to the server from one machine but not the other, or that it can’t connect from any machine? Is this server Internet-accessible, so that I could try to connect to it and reproduce the problem?


#14

Quake 3: 68.36.216.253:27960

ioquake3.x86.exe (1332 KB) can connect and play, but ioquake3x86_64.exe can NOT play - it gets kicked for unpure pk3.

I even copied all the pk3s (and there are a lot) from the server to the client machine, and I still get kicked. I then tried just the basic pak0.pk3 files, and a stock map, and still get kicked.


#15

Thanks, I was able to connect to the server and reproduce the problem. It appears the pure list (sv_paks) is not being set correctly on the server, due to an overflow from too many pk3s. Specifically, I suspect the BIG_INFO_STRING limit is being hit in Info_SetValueForKey_Big on sv_paks, preventing it from being placed in the systeminfo.

As for why the test builds failed to connect while older versions succeeded, it might be related to the newer versions being more eager to load qvm files outside of pk3s, which causes the pure verification check to fail. When I ran the test builds with the baseq3/vm folder (that comes from the test build zip) excluded, I was able to connect to the server like with the old versions.

The overall solution to the problem is to set sv_pure to 0 on the server, or have a smaller number of paks on the server. This should probably also be addressed as a bug in ioq3, since there should be better checks and handling of this kind of overflow.
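The failure mode described in the post above, modelled as an added example (this is not ioquake3's own code). It uses a simplified stand-in for Info_SetValueForKey_Big that appends a `\key\value` pair only when the result still fits in BIG_INFO_STRING (8192 bytes in ioquake3's q_shared.h), and reports the overflow to the caller instead of just warning. The checksums are constructed placeholders, the `publish_sv_paks`, `info_has_key` and `max_paks_that_fit` helpers are assumptions of this example, and the "replace an existing key" behaviour of the real setter is left out. The point is the check a server operator or developer would want: once the pak list no longer fits, `sv_paks` is silently absent from systeminfo, which is exactly what a client sees as a broken pure list.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Size of the engine's large info strings (systeminfo among them);
   8192 is the value of BIG_INFO_STRING in ioquake3's q_shared.h. */
#define BIG_INFO_STRING 8192

/* Simplified model of Info_SetValueForKey_Big: append "\key\value" only if
   the whole string (including its NUL) still fits in BIG_INFO_STRING.
   The engine's version prints a warning and leaves the key unset; this
   model returns false so the caller can detect the overflow. It does not
   replace an existing key (simplification of this example). */
static bool info_set_big(char *info, const char *key, const char *value)
{
    size_t need = strlen(info) + 1 + strlen(key) + 1 + strlen(value) + 1;
    if (need > BIG_INFO_STRING)
        return false;               /* key is NOT set: this is the failure mode */
    strcat(info, "\\");
    strcat(info, key);
    strcat(info, "\\");
    strcat(info, value);
    return true;
}

/* Does the info string carry the key at all? This mirrors what a client
   observes after the overflow: the pure list is simply missing. */
static bool info_has_key(const char *info, const char *key)
{
    char needle[64];
    snprintf(needle, sizeof needle, "\\%s\\", key);
    return strstr(info, needle) != NULL;
}

/* Build the sv_paks value: one decimal checksum per pk3, space separated,
   like the server's list of loaded pak checksums. The checksums here are
   constructed placeholders (1000000000 + 7919*i), each 10 digits + a space. */
static size_t build_paks_value(char *out, size_t cap, int pakcount)
{
    size_t len = 0;
    out[0] = '\0';
    for (int i = 0; i < pakcount; i++) {
        int n = snprintf(out + len, cap - len, "%i ", 1000000000 + 7919 * i);
        if (n < 0 || (size_t)n >= cap - len)
            break;                  /* value buffer exhausted; stop cleanly */
        len += (size_t)n;
    }
    return len;
}

/* Try to publish the pure list for a server with pakcount pk3s. Returns
   true if sv_paks landed in systeminfo, false if the limit dropped it. */
bool publish_sv_paks(char *systeminfo, int pakcount)
{
    char value[32768];              /* big enough for a few thousand paks */
    build_paks_value(value, sizeof value, pakcount);
    return info_set_big(systeminfo, "sv_paks", value);
}

/* Largest pak count whose checksum list still fits into an otherwise empty
   systeminfo with the constructed 10-digit checksums. */
int max_paks_that_fit(void)
{
    int n = 0;
    for (;;) {
        char systeminfo[BIG_INFO_STRING] = "";
        if (!publish_sv_paks(systeminfo, n + 1))
            return n;
        n++;
    }
}

int main(void)
{
    char systeminfo[BIG_INFO_STRING] = "";
    int limit = max_paks_that_fit();
    printf("sv_paks fits for up to %d paks with 10-digit checksums\n", limit);
    if (!publish_sv_paks(systeminfo, limit + 1))
        printf("with %d paks the pure list is dropped: sv_paks present = %s\n",
               limit + 1, info_has_key(systeminfo, "sv_paks") ? "yes" : "no");
    return 0;
}
```

In a real server the systeminfo also carries other keys (sv_pakNames and the referenced-pak lists, for instance), so the usable budget for sv_paks is smaller than the empty-string case computed here; the mitigation from the post (sv_pure 0, or fewer pk3s) follows directly from the bound, and the code-level fix is to treat a false return as an error rather than continuing with a pure list that was never published.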


#16

Thanks for your help. I trimmed the baseq3 to 1.8 gigs. It was probably around 2.7. I found out years ago that my q3 client wouldn’t load after I hit the 2.7 mark. I’m able to connect now with the 64 client.

Thanks again.