Debian Bug report logs -
#686648
ioquake3: consider disallowing auto-downloading in wheezy
Reported by: Simon McVittie <smcv@debian.org>
Date: Tue, 4 Sep 2012 10:12:02 UTC
Severity: important
Tags: patch
Fixed in versions openarena/0.8.8-7, openarena/0.8.8-5+deb7u2
Done: Simon McVittie <smcv@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, debian-devel-games@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#686648; Package ioquake3.
(Tue, 04 Sep 2012 10:12:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to debian-devel-games@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 04 Sep 2012 10:12:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: ioquake3
Version: 1.36+svn2287-1
Severity: important
Tags: patch
X-Debbugs-Cc: debian-release@lists.debian.org
X-Debbugs-Cc: debian-devel-games@lists.debian.org
I am considering removing the cl_allowDownload option from the ioquake3
client, effectively forcing its value to "disabled" (further details below).
The effect of this option is:
* if disabled (or patched out), joining "modded" game servers will require
users to download and install any "mods" active on that server manually
* if enabled, "mods" are automatically downloaded; if certain security flaws
exist in ioquake3, a malicious server operator or a man-in-the-middle
could exercise those flaws (worst-case: arbitrary code execution) by
encouraging users to join a game server
This is basically a trade-off between convenience and mitigating security
vulnerabilities. I say "mitigating" because a user could always install
a malicious mod to ~/.q3a or ~/.openarena manually, with the same result
as if they had auto-downloaded it.
I am not aware of any current vulnerabilities that could be exploited in
this way, but see below for a list of past vulnerabilities that would have
been mitigated by this change.
Games team: what are your thoughts about this? Should we give users the
freedom to shoot themselves in the foot, or patch this feature out?
Should we reinstate the feature in unstable after wheezy releases, or
leave it out permanently?
Release team: would you consider a freeze exception for this? I attach
draft patches (I'd replace nnnnnn with this bug number and UNRELEASED
with unstable, obviously). Only the ioquake3 one is strictly necessary,
but it would leave a useless and misleading menu option in openarena, so
I would prefer to patch openarena too.
The next "obvious" revision numbers (ioquake3 1.36+svn2287-2,
openarena 0.8.8-6) are already in use in experimental, so if I upload
these, I'm going to version them like a stable update. Let me know if you
would prefer me to use -X+wheezyY for the revision numbers rather
than -X+deb70+Y, or something else entirely.
S
----
Further explanation:
The ioquake3 engine is used in openarena (main/games) and quake3
(contrib/games). When used as a network client, it has the option to
auto-download required data from the game server, or (as one of the
ioquake3 enhancements to the Quake III Arena engine) from a HTTP or FTP
server nominated by the server administrator. By design, auto-downloaded
packages are not signed or authenticated (server administrators can add
arbitrary "mods").
As well as "safe" data (maps, 3D models etc.), auto-downloaded packages
can include executable bytecode (cgame.qvm, ui.qvm), which will be run by
the client using a JIT or interpreter. The JIT/interpreter acts as a simple
sandbox, and known vulnerabilities in it have been treated as security
issues and fixed. To the best of my knowledge, there has not been a
systematic audit.
Unfortunately, it is not currently possible to auto-download "safe" files
(maps, models, textures, music etc.) but reject executable bytecode.
I hope to add that feature in time for Debian 8, and make it the default.
During squeeze updates to tremulous (which uses a fork of ioquake3), I
patched out auto-downloading support. I am now considering doing the
same to ioquake3 itself before wheezy is released: this would mean that
any vulnerabilities discovered in the bytecode JIT/interpreter would
not affect wheezy.
However, this would remove an apparently-intentional feature, making it
harder for Debian users to join "modded" servers. In Quake III Arena
(quake3, contrib/games) enabling client-side auto-downloading requires
console commands; in OpenArena (openarena, main/games) the feature
can be enabled through the GUI. In both cases it is off by default.
Server administrators and gaming communities frequently encourage users
to switch on this feature, apparently without considering its security
implications.
Here are some past Quake III Arena CVEs and whether this change would have
mitigated them:
CVE             affects   impact            mitigated by this?
CVE-2001-1289   server    DoS               no
CVE-2005-0430   server    DoS               no
CVE-2005-0983   client    DoS               no
CVE-2006-2082   server    info disclosure   no
CVE-2006-2236   client    code exec         no
CVE-2007-2785   client    code exec         yes
CVE-2006-3324   client    file write        yes
CVE-2006-3325   client    code exec?        partially?
CVE-2006-3400   client    code exec?        no
CVE-2006-3401   client    code exec         yes?
CVE-2011-1412   client    code exec         no
CVE-2011-2764   client    code exec         yes
CVE-2012-3345   both      file write        no
-- System Information:
Debian Release: wheezy/sid
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages ioquake3 depends on:
ii libc6 2.13-35
ii libcurl3-gnutls 7.27.0-1
ii libgl1-mesa-glx [libgl1] 8.0.4-2
ii libjpeg8 8d-1
ii libogg0 1.3.0-4
ii libopenal1 1:1.14-4
ii libsdl1.2debian 1.2.15-5
ii libspeex1 1.2~rc1-6
ii libspeexdsp1 1.2~rc1-6
ii libvorbis0a 1.3.2-1.3
ii libvorbisfile3 1.3.2-1.3
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages ioquake3 recommends:
ii x11-utils 7.7~1
ii zenity 3.4.0-2
ioquake3 suggests no packages.
Versions of packages ioquake3 is related to:
ii libgl1-mesa-dri 8.0.4-2
-- no debconf information
[ioquake3.diff (text/x-diff, attachment)]
[openarena.diff (text/x-diff, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#686648; Package ioquake3.
(Tue, 04 Sep 2012 13:45:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 04 Sep 2012 13:45:05 GMT) (full text, mbox, link).
Message #10 received at 686648@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
I've been running an openarena server for 6 months now and although I'm
just an ordinary user I wanted to share my thoughts on this bug.
I agree with your conclusions and how you contrast the pros and cons. I
personally could live without automatic downloading. But the question is if
other players, the casual user, would see it as an improvement of security or as an
unnecessary inconvenience forced on them by Debian because your change
would not only affect mods but also the download of official maps.
In practice this would force players to download custom maps and even
new versions of base maps manually from more or less trustworthy servers.
For example Ubuntu players are playing with version 0.8.5 at the moment
and my Debian server is running 0.8.8. If cl_allowDownload was
permanently disabled all players which run an older version wouldn't be
able to join my server although they only had to download the
pak6-patch088.pk3.
In fact when I had disabled cl_allowDownload on the server a
considerably smaller number of players joined the server. Thus disabling
allowDownload on the client would very likely force these casual players
to play on servers with an outdated version which would give them a
false impression of the actual development of Openarena.
Please consider a second alternative:
* Automatic downloading is disabled on the first start thus OpenArena is
secure by default.
* You could also move the menu option for auto downloading to the
bottom and improve the description. "Warning: Enabling of auto
downloading *could* lead to security implications. Worst case:
Execution of arbitrary code. Please visit <link to the Debian Wiki>
and carefully read about the alternatives *before* you enable this option.
No matter which alternative you prefer please make sure that every user
knows about the information on the Debian Wiki and that they are pointed
to the official Debian ftp servers where they can obtain new pak files.
Finally I wonder how other distributions deal with this potential
security flaw and whether they would follow Debian. Then either this is
a serious issue or not, thus automatic downloading should be completely
removed. If not then in my opinion it's better to improve the description
than to walk a separate path.
Kind regards
Markus Koschany
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#686648; Package ioquake3.
(Tue, 04 Sep 2012 19:21:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Stefan Potyra <sistpoty@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 04 Sep 2012 19:21:08 GMT) (full text, mbox, link).
Message #15 received at 686648@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
first off, big thanks to everybody involved in maintaining ioquake. You've
done a great job!
On Tue, Sep 04, 2012 at 03:42:21PM +0200, Markus Koschany wrote:
> In practice this would force players to download custom maps and even
> new versions of base maps manually from more or less trustworthy servers.
*nod*. I doubt it'll add much to security, as people will manually dl maps from
possibly untrusted servers by-hand then.
Also I think it must be almost a year that I last played on the line, custom
maps (and mods) were still quite widespread. Of course I may be biased, since I
prefer servers with the instagib mod ;).
> Please consider a second alternative:
>
> * Automatic downloading is disabled on the first start thus OpenArena is
> secure by default.
> * You could also move the menu option for auto downloading to the
> bottom and improve the description. "Warning: Enabling of auto
> downloading *could* lead to security implications. Worst case:
> Execution of arbitrary code. Please visit <link to the Debian Wiki>
> and carefully read about the alternatives *before* you enable this option.
>
*nod*.
Maybe there's another measure to mitigate against some effects of malicious
downloads: Can access of ioquake3 (and games using it) be restricted
somehow? (apparmor or selinux comes to my mind, but I must admit that I don't
have much clue with that).
Cheers,
Stefan.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#686648; Package ioquake3.
(Wed, 05 Sep 2012 07:24:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Fabian Greffrath <fabian@greffrath.com>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Wed, 05 Sep 2012 07:24:05 GMT) (full text, mbox, link).
Message #20 received at 686648@bugs.debian.org (full text, mbox, reply):
On 04.09.2012 15:42, Markus Koschany wrote:
> * Automatic downloading is disabled on the first start thus OpenArena is
> secure by default.
> * You could also move the menu option for auto downloading to the
> bottom and improve the description. "Warning: Enabling of auto
> downloading *could* lead to security implications. Worst case:
> Execution of arbitrary code. Please visit <link to the Debian Wiki>
> and carefully read about the alternatives *before* you enable this option.
This sounds very reasonable.
I am all for warning users but still leaving them in the position to
shoot themselves in the foot - instead of second-guessing and
disabling a feature that they might explicitly want to use, even if
they are made aware of the security implications it may bring.
- Fabian
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#686648; Package ioquake3.
(Fri, 14 Sep 2012 10:00:03 GMT) (full text, mbox, link).
Acknowledgement sent
to debian-devel-games@lists.debian.org, 686648@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Fri, 14 Sep 2012 10:00:03 GMT) (full text, mbox, link).
Message #25 received at 686648@bugs.debian.org (full text, mbox, reply):
-devel-games: this summarizes feedback from the bug, which was pretty
similar to what you said: everyone wants a "this is not safe, do it
anyway? [Y/N]" prompt, rather than knocking out cl_allowDownload altogether.
Please reply to both the list and the bug.
On Tue, 04 Sep 2012 at 15:42:21 +0200, Markus Koschany wrote:
> In practice this would force players to download custom maps and even
> new versions of base maps manually from more or less trustworthy servers.
Yes, I do see the problem. If people are willing to download
potentially-executable code from arbitrary sources, then there's nothing
we can do to make them secure.
It's a pity there isn't a distinction between executable and non-executable
game content - if you could auto-download PK3s, but those PK3s were flagged
as "not to be searched for QVMs" somehow, then everything would be secure -
but there isn't, and realistically, this isn't going to change before
wheezy.
Unfortunately, some use cases for auto-downloading do rely on executing
downloaded code:
> For example Ubuntu players are playing with version 0.8.5 at the moment
> and my Debian server is running 0.8.8. If cl_allowDownload was
> permanently disabled all players which run an older version wouldn't be
> able to join my server although they only had to download the
> pak6-patch088.pk3.
As far as I can see, my proposal would not break this. Auto-downloading is
possible if the server has sv_allowDownload true and the client has
cl_allowDownload true: my proposal was to knock out cl_allowDownload, but
leave sv_allowDownload working. Older clients could still download your
pak6-patch088.pk3, but Debian clients on a future 0.9.0 server would not
auto-download.
If client auto-downloading was allowed but bytecode in auto-downloaded
PK3s was prevented from being executed, this use-case would still
fail for updated clients, though: upstream's pak6-patch088.pk3 contains
updated cgame and ui code.
(Debian's doesn't, because we don't have a Free compiler for it; we run
equivalent native-code game logic from the openarena package instead.)
> * Automatic downloading is disabled on the first start thus OpenArena is
> secure by default.
This is already the case; the default has always been cl_allowDownload = 0.
> * You could also move the menu option for auto downloading to the
> bottom and improve the description. "Warning: Enabling of auto
> downloading *could* lead to security implications. Worst case:
> Execution of arbitrary code. Please visit <link to the Debian Wiki>
> and carefully read about the alternatives *before* you enable this option.
Unfortunately, the Quake 3 engine's UI toolkit is not very good at
displaying significant amounts of text (it's done in a very low-res style),
and the text I put in the confirmation box comes out in all-caps anyway,
so the best I've been able to do so far looks like this:
/ Auto-download? \
\ YES/NO /
WARNING: this is a security risk.
More information: <http://deb.li/Q3DL>
I've uploaded 0.8.8-7 to experimental with this change. If you (for
plural values of "you") can improve on this UI or the wording on the
referenced wiki page, please do!
The relevant code change is:
http://anonscm.debian.org/gitweb/?p=pkg-games/openarena.git;a=commit;h=eed3e6469
On Tue, 04 Sep 2012 at 21:03:48 +0200, Stefan Potyra wrote:
> Maybe there's another measure to mitigate against some effects of malicious
> downloads: Can access of ioquake3 (and games using it) be restricted
> somehow? (apparmor or selinux comes to my mind, but I must admit that I don't
> have much clue with that).
Not for Debian 7, and not by me, but if someone else wants to
do this for Debian 8, great. (This won't protect anyone who isn't using
the relevant LSM, though.)
S
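The "allow data, reject bytecode" policy that the report and Message #25 say the engine lacks, written out as an added example (not code from the bug report, ioquake3 or the openarena package): it opens a PK3 as the zip archive it is, lists the entries a client would hand to its QVM interpreter, and refuses the pak if there are any. The constructed sample paks and the assumption that executable entries are exactly those named *.qvm are mine.

```python
"""Classify a PK3 as data-only or as carrying executable QVM bytecode.

Added example for the Debian #686648 discussion; not part of ioquake3.
"""
import io
import zipfile

# Entries an ioquake3 client would load into its bytecode interpreter/JIT.
# Assumption: the engine loads vm/<name>.qvm, so classification by the
# ".qvm" suffix is enough; a bytecode blob under another name is not run.
BYTECODE_SUFFIX = ".qvm"


def bytecode_entries(pk3_bytes):
    """Return the names of all QVM entries in a PK3 (zip) given as bytes.

    Raises zipfile.BadZipFile when the data is not a zip archive at all, so
    a corrupt or truncated download is never mistaken for a safe one.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(pk3_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Normalise separators and case so "VM\\UI.QVM" is still caught.
            name = info.filename.replace("\\", "/").lower()
            if name.endswith(BYTECODE_SUFFIX):
                found.append(info.filename)
    return found


def safe_to_autodownload(pk3_bytes):
    """The policy the thread asks for: maps, models and textures may be
    auto-downloaded; a pak that would also install cgame/ui bytecode is
    rejected, as is anything that is not a well-formed archive."""
    try:
        return len(bytecode_entries(pk3_bytes)) == 0
    except zipfile.BadZipFile:
        return False


def build_pk3(entries):
    """Build a small in-memory PK3 from {path: bytes}; demo helper only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed samples (placeholder contents, not real game assets):
# a data-only map pak, and a "mod" pak that also ships client bytecode.
MAP_PAK = build_pk3({
    "maps/example.bsp": b"IBSP placeholder",
    "textures/example/wall.tga": b"\x00" * 16,
    "levelshots/example.jpg": b"\xff\xd8placeholder",
})
MOD_PAK = build_pk3({
    "maps/example.bsp": b"IBSP placeholder",
    "vm/cgame.qvm": b"placeholder bytecode",
    "vm/ui.qvm": b"placeholder bytecode",
    "scripts/example.shader": b"textures/example/wall {}",
})

if __name__ == "__main__":
    for label, pak in (("map pak", MAP_PAK), ("mod pak", MOD_PAK)):
        verdict = "allow" if safe_to_autodownload(pak) else "reject"
        print(label, "->", verdict, bytecode_entries(pak))
```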
Reply sent
to Simon McVittie <smcv@debian.org>:
You have taken responsibility.
(Fri, 14 Sep 2012 10:21:06 GMT) (full text, mbox, link).
Notification sent
to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer.
(Fri, 14 Sep 2012 10:21:06 GMT) (full text, mbox, link).
Message #30 received at 686648-close@bugs.debian.org (full text, mbox, reply):
Source: openarena
Source-Version: 0.8.8-7
We believe that the bug you reported is fixed in the latest version of
openarena, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 686648@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated openarena package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Fri, 14 Sep 2012 10:35:01 +0100
Source: openarena
Binary: openarena openarena-server openarena-dbg
Architecture: source amd64
Version: 0.8.8-7
Distribution: experimental
Urgency: low
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
openarena - fast-paced 3D first-person shooter
openarena-dbg - debug symbols for OpenArena's game logic
openarena-server - server and game logic for the game OpenArena
Closes: 681812 686648
Changes:
openarena (0.8.8-7) experimental; urgency=low
.
* Merge from 0.8.8-5+deb7u1
- Add patch from upstream to fix a client-triggerable server crash.
Thanks to Poul Sander and Markus Koschany (Closes: #681812)
* Request confirmation before enabling auto-downloading, which is
a security risk (Closes: #686648)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#686648; Package ioquake3.
(Fri, 14 Sep 2012 19:42:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Fri, 14 Sep 2012 19:42:03 GMT) (full text, mbox, link).
Message #35 received at 686648@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Fri, 14. Sep 10:47 Simon McVittie <smcv@debian.org> wrote:
[snip]
> It's a pity there isn't a distinction between executable and non-executable
> game content - if you could auto-download PK3s, but those PK3s were flagged
> as "not to be searched for QVMs" somehow, then everything would be secure -
> but there isn't, and realistically, this isn't going to change before
> wheezy.
I agree. I think this should be a feature request for upstream but is
nothing someone can change in Debian.
[snip]
> > For example Ubuntu players are playing with version 0.8.5 at the moment
> > and my Debian server is running 0.8.8. If cl_allowDownload was
> > permanently disabled all players which run an older version wouldn't be
> > able to join my server although they only had to download the
> > pak6-patch088.pk3.
>
> As far as I can see, my proposal would not break this. Auto-downloading is
> possible if the server has sv_allowDownload true and the client has
> cl_allowDownload true: my proposal was to knock out cl_allowDownload, but
> leave sv_allowDownload working. Older clients could still download your
> pak6-patch088.pk3, but Debian clients on a future 0.9.0 server would not
> auto-download.
True. I already had future clients in mind. I wanted to express that, if
we had had a similar situation like today, then the players would have been
unable to download the pk3 file.
[snip]
> / Auto-download? \
> \ YES/NO /
>
> WARNING: this is a security risk.
> More information: <http://deb.li/Q3DL>
>
> I've uploaded 0.8.8-7 to experimental with this change. If you (for
> plural values of "you") can improve on this UI or the wording on the
> referenced wiki page, please do!
I took the liberty to download the experimental version and I think the
solution is good. The only thing I noticed was that if cl_allowDownload
was already set to 1 the warning wouldn't be visible, no matter how many
times you switch between enabled and disabled. You have to restart
OpenArena with auto-downloading set to 0 first and then the warning
appears every time you switch between 0 to 1. Anyway I guess it's not a big
deal because the warning is meant for new players.
The wiki page entry was to the point. I added a German translation, too.
Regards
Markus
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#686648; Package ioquake3.
(Mon, 24 Sep 2012 07:30:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Fabian Greffrath <fabian@greffrath.com>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Mon, 24 Sep 2012 07:30:09 GMT) (full text, mbox, link).
Message #40 received at 686648@bugs.debian.org (full text, mbox, reply):
On 14.09.2012 21:38, Markus Koschany wrote:
> I took the liberty to download the experimental version and i think the
> solution is good. The only thing i noticed was, that if cl_allowDownload
> was already set to 1 the warning wouldn't be visible, no matter how many
> times you switch between enabled and disabled. You have to restart
> OpenArena with auto-downloading set to 0 first and then the warning
> appears every time you switch between 0 to 1. Anyway i guess it's not a big
> deal because the warning is meant for new players.
Is this intended or an oversight?
I think it makes sense to always show the warning, regardless of the
initial state of cl_allowDownload.
- Fabian
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#686648; Package ioquake3.
(Mon, 24 Sep 2012 07:57:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Mon, 24 Sep 2012 07:57:03 GMT) (full text, mbox, link).
Message #45 received at 686648@bugs.debian.org (full text, mbox, reply):
On 24/09/12 08:31, Fabian Greffrath wrote:
> On 14.09.2012 21:38, Markus Koschany wrote:
>> if cl_allowDownload
>> was already set to 1 the warning wouldn't be visible, no matter how many
>> times you switch between enabled and disabled. You have to restart
>> OpenArena with auto-downloading set to 0 first and then the warning
>> appears every time you switch between 0 to 1.
> Is this intended or an oversight?
Not intentional, patches welcome.
Sorry, I'm not necessarily going to be able to keep chasing this; if
someone else from the Games Team could take responsibility for polishing
this change and getting it past the release team, I'd appreciate it.
S
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#686648; Package ioquake3.
(Tue, 25 Sep 2012 07:57:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Fabian Greffrath <fabian@greffrath.com>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 25 Sep 2012 07:57:05 GMT) (full text, mbox, link).
Message #50 received at 686648@bugs.debian.org (full text, mbox, reply):
On 24.09.2012 09:52, Simon McVittie wrote:
> Not intentional, patches welcome.
I could not even reproduce this.
When I start the game with an empty ~/.openarena and switch "Automatic
Downloading" from "off" to "on", the warning appears.
Then I exit the game and restart it. "Automatic Downloading" is still
set "on", and when I set it back "off" and then "on" again, the
warning appears again -- just as expected.
- Fabian
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#686648; Package ioquake3.
(Tue, 25 Sep 2012 12:48:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 25 Sep 2012 12:48:09 GMT) (full text, mbox, link).
Message #55 received at 686648@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Tue, 25. Sep 09:56 Fabian Greffrath <fabian@greffrath.com> wrote:
> On 24.09.2012 09:52, Simon McVittie wrote:
> >Not intentional, patches welcome.
>
> I could not even reproduce this.
>
> When I start the game with an empty ~/.openarena and switch
> "Automatic Downloading" from "off" to "on", the warning appears.
>
> Then I exit the game and restart it. "Automatic Downloading" is
> still set "on", and when I set it back "off" and then "on" again,
> the warning appears again -- just as expected.
>
Indeed it isn't reproducible with a clean installation of OpenArena.
You have to connect to a heavily modded server like Gem's InstaGib
server. After that you can see the difference.
Regards
Markus
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#686648; Package ioquake3.
(Tue, 25 Sep 2012 14:57:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 25 Sep 2012 14:57:08 GMT) (full text, mbox, link).
Message #60 received at 686648@bugs.debian.org (full text, mbox, reply):
On 25/09/12 13:44, Markus Koschany wrote:
> Indeed it isn't reproducible with a clean installation of
> OpenArena. You have to connect to a heavily modded server like
> Gem's InstaGib server.
Playing on a modded server with auto-download turned on can replace
the UI with arbitrary bytecode - for instance, a UI based on the
upstream OpenArena release, which will consequently no longer have the
"are you sure you want to shoot yourself in the foot?" prompt. If
that's what's happening here, then there's no way to fix it.
S
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#686648; Package ioquake3.
(Tue, 25 Sep 2012 15:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 25 Sep 2012 15:45:03 GMT) (full text, mbox, link).
Message #65 received at 686648@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Tue, 25. Sep 15:53 Simon McVittie <smcv@debian.org> wrote:
> On 25/09/12 13:44, Markus Koschany wrote:
> > Indeed it isn't reproducible with a clean installation of
> > OpenArena. You have to connect to a heavily modded server like
> > Gem's InstaGib server.
>
> Playing on a modded server with auto-download turned on can replace
> the UI with arbitrary bytecode - for instance, a UI based on the
> upstream OpenArena release, which will consequently no longer have the
> "are you sure you want to shoot yourself in the foot?" prompt. If
> that's what's happening here, then there's no way to fix it.
>
I think that's exactly what's happening here. The whole
pak6-patch088.pk3 file gets also downloaded again. Sounds like wontfix.
[signature.asc (application/pgp-signature, inline)]
Reply sent
to Simon McVittie <smcv@debian.org>:
You have taken responsibility.
(Fri, 07 Dec 2012 10:03:19 GMT) (full text, mbox, link).
Notification sent
to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer.
(Fri, 07 Dec 2012 10:03:20 GMT) (full text, mbox, link).
Message #70 received at 686648-close@bugs.debian.org (full text, mbox, reply):
Source: openarena
Source-Version: 0.8.8-5+deb7u2
We believe that the bug you reported is fixed in the latest version of
openarena, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 686648@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated openarena package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Fri, 07 Dec 2012 09:40:17 +0000
Source: openarena
Binary: openarena openarena-server openarena-dbg
Architecture: source amd64
Version: 0.8.8-5+deb7u2
Distribution: unstable
Urgency: low
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
openarena - fast-paced 3D first-person shooter
openarena-dbg - debug symbols for OpenArena's game logic
openarena-server - server and game logic for the game OpenArena
Closes: 686648 695334
Changes:
openarena (0.8.8-5+deb7u2) unstable; urgency=low
.
* Request confirmation before enabling auto-downloading, which is
a security risk (Closes: #686648)
* Switch /usr/share/doc/openarena-dbg from a symlink to openarena-server
to a real directory. Using the symlink requires it to depend on
openarena-server, which is undesirable, because since 0.8.8-1 that
package has contained an init script which is enabled by default.
* As a result, openarena-dbg no longer depends on openarena-server
(Closes: #695334)
No longer marked as found in versions ioquake3/1.36+svn2287-1.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org.
(Sun, 24 Nov 2013 20:40:20 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 23 Dec 2013 07:36:30 GMT) (full text, mbox, link).
Last modified:
Sun Jul 2 13:20:05 2023;