Important Security Update: Please Update ioquake3 Immediately

Please immediately update ioquake3 to the latest test build before you connect to any online servers. Despite the name, the test builds are in fact way more stable and secure than any release at this time.

In doing so you’ll also receive access to all kinds of other updates and changes that we’ve made since you last installed ioquake3.

Here’s the why:

We recently pushed a large security fix that prevents malicious multiplayer servers from taking harmful actions against your client.

Please share this news with any other Quake 3 players you know. It’s on Facebook and Twitter as well. These kinds of exploits are even worse in the regular Quake 3 client; nobody should be using that anymore.

Our Player’s Guide can help new Quake 3 players get started with ioquake3.

Ideally, we would distribute these security fixes automatically, similar to the way browsers like Chrome and Firefox distribute updates. Games on consoles and on Steam now require updates before you can go online, and those updates are applied automatically. That way, in the ideal scenario, we could push an update out first so that nobody who is online is vulnerable.

Right now we don’t have anyone working on that issue. If you are interested in helping us build an auto-update system into our launcher, get in touch.

Until then, please update your test build as often as you can to get the latest security changes.

ioquake3 is an all-volunteer project that needs your help. Check out this page if you’d like to join us in our mission to keep Quake 3 alive.

Our thanks to Victor Roemer for reporting the vulnerability.

If you find a security vulnerability, please e-mail zachary@ioquake.org.

Notable Replies

  1. The main difference here is testing and age. The OpenGL2 renderer was developed for two years before it was accepted into ioq3 proper, and tested and improved for another four years before it became default renderer. And believe you me, it still has bugs I don't have fixes for.

    Completely removing and renovating the filesystem is a much bigger deal than this. Rushing in a patch like this could introduce subtle bugs that don't crop up until much, much later.

    But let's say your code is perfect, and you're a much better programmer than I am. Ultimately, someone has to maintain it. The OpenGL2 renderer is part of ioquake3 because I maintain it. Who will maintain this filesystem, and also, who will maintain the old one?

    Also, glancing over your fork, if I'm reading it correctly, you've basically taken the functionality of /code/qcommon/files.c and split it up over ten files or so in /code/filesystem/, and then ripped out bits of file management from across the codebase and slipped it into /code/filesystem/fscore/. People complain that my patches change every little file, but you've basically unleashed a spider here. 🙂 The original code was written to work with a dumb pipe file system, but your changes introduce extra coupling, tying the renderer to the filesystem for example. Also, correct me if I'm wrong, but I think I saw at least two implementations of a hash table in there.

    Sorry if I'm coming off as a little ranty. I don't mean to discourage contribution, and I'm sure the OpenGL2 renderer changes have done some of what you've done and probably worse. I just don't want to be faced with maintaining an increasingly alien codebase. 🙂
