package quake2 tags 280573 patch thanks I am not a Debian developer, so I cannot make a NMU. I have made a patch however. Does this help? If you don't have time to apply it, please tell me as soon as possible, then I will try to find someone else to do a NMU. I would really like quake2 to be in sarge.
Cheers, Stefan
diff -urN quake2-0.3/debian/changelog quake2-0.3.n/debian/changelog --- quake2-0.3/debian/changelog 2005-01-23 13:37:26.000000000 +0100 +++ quake2-0.3.n/debian/changelog 2005-01-23 13:27:38.000000000 +0100 @@ -1,3 +1,12 @@ +quake2 (1:0.3-2) unstable; urgency=high + + *** Change by Stefan Fritsch <[EMAIL PROTECTED]> + + * Add warnings about security problems + (allows downgrading of RC bug #280573) + + -- Jamie Wilkinson <[EMAIL PROTECTED]> Sun, 23 Jan 2005 12:31:57 +0100 + quake2 (1:0.3-1) unstable; urgency=low * The "I bought my laptop for this bug" release. diff -urN quake2-0.3/debian/control quake2-0.3.n/debian/control --- quake2-0.3/debian/control 2005-01-23 13:37:26.000000000 +0100 +++ quake2-0.3.n/debian/control 2005-01-23 13:27:38.000000000 +0100 @@ -21,3 +21,6 @@ . This game currently supports software rendering with X11, SDL, or SVGAlib, or hardware accelerated rendering with OpenGL (directly or via SDL). + . + NOTE: The network part of Quake II has several unfixed security problems. + It should not be used in untrusted networks. diff -urN quake2-0.3/debian/NEWS quake2-0.3.n/debian/NEWS --- quake2-0.3/debian/NEWS 1970-01-01 01:00:00.000000000 +0100 +++ quake2-0.3.n/debian/NEWS 2005-01-23 13:27:38.000000000 +0100 @@ -0,0 +1,14 @@ +quake2 (1:0.3-2) unstable; urgency=high + + The network part of Quake II (especially the server part) contains + several unfixed security issues. Therefore, Quake II should not be + used over untrusted networks (like the internet). The version + included in Debian is intended only for local play. + + See [1] for details. A (hopefully) secure version of the server is + available at [2]. + + [1] http://archives.neohapsis.com/archives/bugtraq/2004-10/0299.html + [2] http://www.r1ch.net/stuff/r1q2/ + + -- Jamie Wilkinson <[EMAIL PROTECTED]> Sun, 23 Jan 2005 12:31:57 +0100 diff -urN quake2-0.3/debian/quake2.6 quake2-0.3.n/debian/quake2.6 --- quake2-0.3/debian/quake2.6 2005-01-23 13:37:26.000000000 +0100 +++ quake2-0.3.n/debian/quake2.6 2005-01-23 13:27:38.000000000 +0100 @@ -12,6 +12,9 @@ .br This manual page was written for the Debian GNU/Linux distribution because the original program does not have a manual page. +.sp 1 +\fBWARNING:\fP The network part of Quake 2 has several unfixed security +problems. You should not use Quake 2 in untrusted networks. .PP .\" TeX users may be more comfortable with the \fB<whatever>\fP and .\" \fI<whatever>\fP escape sequences to invode bold face and italics, @@ -63,6 +66,9 @@ The model viewer in Multiplayer->player setup displays the skins incorrectly. .sp 1 If you upgrade this package, your savegames will not work, due to the way savegames are made. +.sp 1 +There are several unfixed security issues in the network code. Do not use in +untrusted networks. .SH AUTHOR .B quake2 was originally written by iD Software. diff -urN quake2-0.3/debian/rules quake2-0.3.n/debian/rules --- quake2-0.3/debian/rules 2005-01-23 13:37:26.000000000 +0100 +++ quake2-0.3.n/debian/rules 2005-01-23 13:27:38.000000000 +0100 @@ -58,6 +58,8 @@ $(MAKE) install DESTDIR=$(CURDIR)/debian/quake2 install -p -m 644 debian/quake2.xpm debian/quake2/usr/share/pixmaps/ install -p -m 644 debian/quake2ctf.xpm debian/quake2/usr/share/pixmaps/ + mv debian/quake2/usr/games/quake2 debian/quake2/usr/games/quake2.real + install -p quake2.wrapper debian/quake2/usr/games/quake2 # Build architecture-independent files here. # Pass -i to all debhelper commands in this target to reduce clutter. diff -urN quake2-0.3/quake2.wrapper quake2-0.3.n/quake2.wrapper --- quake2-0.3/quake2.wrapper 1970-01-01 01:00:00.000000000 +0100 +++ quake2-0.3.n/quake2.wrapper 2005-01-23 13:27:38.000000000 +0100 @@ -0,0 +1,10 @@ +#!/bin/bash +cat <<_EOF_ +***** WARNING ***** + The network part of Quake II (especially the server part) contains + several unfixed security issues. Therefore, Quake II should not be + used over untrusted networks (like the internet). The version + included in Debian is intended only for local play. +******************* +_EOF_ +/usr/games/quake2.real "$@"