Posted on

Help Wanted

Last month I wrote about an important security update, and we were lucky that the news was spread far and wide but many players still didn’t see it.

Even if they read the news, and they updated to the latest build of ioquake3, they wouldn’t have caught the follow-up security commits to the code repository unless they downloaded another test build more recently.

We have a serious issue getting people on the latest code because our installers and DMGs are 8 years old and designed for a time when the only way to get Quake 3 was on a disc.

That’s changed, the only good way to get Quake 3 today is on Steam or gog. You can probably find old discs on ebay, but I wouldn’t bother when you can get digital bits delivered instantly. There are huge caveats to those digital platforms, #1 for us is that if you’re on macOS or Linux it is not at all straightforward to get the data from Steam or gog.

If we had a standalone baseq3 replacement of our own, that would not be as big of an issue.

Even if we had installers that were modernized, our binaries aren’t code signed and so players on macOS and Windows receive warnings and their operating systems prevent our code from being executed. We need help resolving that issue from someone who is more familiar with the code signing process.

Even if our binaries were code-signed, we don’t have any way for players to get the latest binaries automatically. This has become the new normal for games delivered via Steam and standalone mechanism’s like the one Blizzard uses for their games. Even web browsers like Firefox and Chrome have been doing this for years. Networked software needs security updates, and we can’t get it to players without an auto-update mechanism.

Here again I will make the caveat that it would be possible for ioquake3 to be on Steam if only we had a standalone game, even a minimal one, for players to play when they don’t own Quake 3.

Around this time last year I wrote a post about an issue when the id master server was down, because id (thankfully) was able to bring their master server online we did not get a fix implemented and committed to our git repo. This means that exceptionally long-running Quake 3 servers might still be reporting to the wrong ioquake3 master server, and if id has ever changed their master ip address it could be wrong for those servers as well. It also means that the in-game Quake 3 server browser still only receives servers from id’s master.

When security issues, and others like the id master server downtime, occur, it would be amazing if we could also announce that they are already resolved for players on our auto-update system instead of having to post blog posts and hope that people update before their computers are compromised.

We need to deliver updated code automatically to everyone, and make it as easy as possible to play Quake 3, mods, and games built on this engine. We need a project manager to help get our launcher project going again and developers to work on adding an auto-update mechanism to it.

This project, ioquake3, is entirely volunteer-driven. We receive no grants of time or money from any corporation except for the wonderful discourse forum donated from the Discourse enterprise. We spend more money on hosting ioquake3 and its servers than it gets in donations.

We can’t move one step without volunteer contributions from the community of players and developers who love Quake 3 and the projects that have been built off of the source code. It’s only with those contributions that we have been able to develop ioquake3 for the past 12(!) years.

While there wouldn’t be an ioquake3 project without the code, the contributions we need now are in recognition of the mature status this codebase has reached.

We need help from build and release engineers to update and maintain our installation process for Windows, macOS, and Linux.

We need help from people who love writing documentation to help players, game makers, and systems administrators get started with ioquake3.

We need help from people to create art, sounds, maps, and menus for a small stand-in for baseq3 when people don’t own Quake 3: Arena but want to use this incredible code to get some frags in or to get started making a game.

We need help from anyone who loves the quality assurance process to go through our bug queues on Bugzilla & Github in order to triage and duplicate those issues to confirm their continued threat and eradicate them. Testing is part of quality assurance and testing means playing Quake 3, who wouldn’t want to do that?

We need help from people who want to help other players on our forums, live chat on our Discord server, and on our Facebook page.

We need to make ioquake3 the best and easiest way to play Quake 3 on Windows, Mac, and Linux, develop new games, and play mods. This is your opportunity to contribute to an incredible free software project that needs your help. Get involved.

Posted on

Important Security Update: Please Update ioquake3 Immediately

Please immediately update ioquake3 to the latest test build before you connect to any online servers. Despite the name, the test builds are in fact way more stable and secure than any release at this time.

In doing so you’ll also receive access to all kinds of other updates and changes that we’ve made since you last installed ioquake3.

Here’s the why:

We recently pushed  a large security fix that prevents malicious actions from multiplayer servers.

Please share this news with any other Quake 3 players you know. It’s on Facebook and Twitter as well. These kinds of exploits are even worse in the regular Quake 3 client, nobody should be using that anymore.

Our Player’s Guide can help new Quake 3 players get started with ioquake3.

Ideally, we would distribute these security fixes automatically, similar to the way browsers like Chrome and Firefox distribute updates. Games on consoles, or in Steam, require updates in order to go online and happen automatically now. This way, we could distribute an update first so that nobody who is online is vulnerable in an ideal scenario.

Right now we don’t have anyone working on that issue, if you are interested in helping us with an auto-update system to be built into our launcher, get in touch.

Until then, please update your test build as often as you can to get the latest security changes.

ioquake3 is an all-volunteer project that needs your help. Check out this page if you’d like to join us in our mission to keep Quake 3 alive.

Our thanks to Victor Roemer for reporting the vulnerability.

If you find a security vulnerability, please e-mail zachary@ioquake.org.

Posted on

Discourse Made Our Forums Great Again

A screenshot of our discourse forums

The subdomain to access the forums has changed from community.ioquake.org to discourse.ioquake.org. Please update your bookmarks and note that you might see some error messages in your browser during the transition if you visit the old URL. We’re still working out the best method to redirect old traffic to the new site.

Here’s why:

Back in 2013 we moved our forums to the new open source forum software on the block, Discourse.

It has been easier to maintain these forums than our old ones which used phpbb 3. With phpbb we got so much spam that we had to routinely shut down registration, manually approve users, and resort to bringing new moderators on board to team up for spam account deletion parties.

With Discourse, we get so much less spam, practically none in the almost 3 years since we switched.

Discourse forums are also much easier to read on modern browsers and mobile devices. It’s a flat design that doesn’t overwhelm new users with categories at first glance. Replies can be in the topic or you can create a new topic if you don’t want to derail the current one. Topics update in real-time so you are less likely to post the same thing as somebody else. Replies to an individual post can be read without losing your place in the topic.

The news today is that we’re in the process of moving from our self-hosted installation to Discourse’s official hosting. It took just a few moments to pull the levers to upload our backup from the old forums and switch. The forums should be more reliable, faster to access, and despite the transition we have retained all of the posts on the forums since we moved to Discourse in 2013. We are extremely thankful to the Discourse team for providing this service to our project as well as other open source projects.

If you have any questions, issues, or just want to chat post to the forum or feel free to email me directly zachary@ioquake.org. We’re also on twitter where you can ping me or the ioquake3 project.

Posted on

The id Master Server is Back Online (Updated)

Update: the id master server is back online, the in-game server browser is working again. We will continue to look for a way to work around it in the event of future extended downtime. Our original post appears below.

Master server If you’ve tried to play multiplayer Quake 3 using the original id Quake 3 binaries or ioquake3 in the past few months you might have had a difficult time finding a game with the built-in Server Browser. You would have seen the error message in the screenshot above:

No Response From Master Server

The master server is what game servers that you play on talk to, in order to communicate their availability to your copy of Quake 3: Arena.

Since at least March 11th the official Quake 3: Arena master server offered by id software at master.quake3arena.com has been offline and that is why there is an error displayed instead of a list of servers.

We operate a master server at master.ioquake3.org that has been up for years, and fortunately servers using ioquake3 are still reporting in to it, but there isn’t a quick fix for the in-game server browser at the moment. We have repeatedly reached out to id software to notify them of the issue, suggesting resolutions for it, and received no response.

You can watch for the resolution of this issue on Gibhub, but even when we resolve the issue for ioquake3 players, people using the original id binaries will be out of luck unless they switch to ioquake3 or id software brings their server back online.

There are third-party server browsers such as Qtracker and XQF will continue to work if directed to our master server.

Our Quake 3 server is still online and you can connect to manually by typing /connect phobos.ioquake3.org in the console. This same methods works for connecting to other servers when you know their address.

Posted on

ioquake3 on OS X El Capitan & Windows 10

El cap win 10

Two major updates have come to desktop and laptop computing recently. OS X 10.11 El Capitan and Windows 10. Big news for users of each platform, and we’re excited that ioquake3 continues to work with both platforms for players updated to the latest build.

Check out our Players Guide and Sysadmin Guide, or just go ahead to the test builds, to get started with playing ioquake3 or running a server today!

If you run into any issues with either this new operating systems or old ones, let us know on our community forums. Thanks to our community of contributors for helping us keep Quake III, mods, and new games going for TEN YEARS now, wow. That is a lot of fragging!

Posted on

ioquake3… in Docker?!

The folks from the open platform for building, shipping, and running distributed applications called Docker demonstrated a containerized version of ioquake3 at Dockercon. Not just the server, but also the client. Docker’s Arnaud “icecrime” Porterie even called ioquake3 “The best game ever” in their dockerfile description. I don’t think I could be more proud. They were already my favorite container project when I started using Docker for our Discourse forum installation.

Posted on

ioquake3 updated to SDL 2

If you’ve been following along via github, twitter, facebook, and our new discourse-powered forums, you might have noticed that we’ve been working on updating ioquake3 to Simple DirectMedia Layer (SDL) version 2. SDL 2 is already in use in lots of games, and we’ve been using it internally for over a year now, which is why we felt that it was finally appropriate to bid farewell to SDL 1.2.

The SDL upgrade won’t make a huge difference to the experience of playing Quake 3 and the assorted games that have been built with this engine, but if you’ve got a copy of Q3A please try out the new test builds. Your testing will give us a chance to see if everything checks out OK on more systems than the ones we have access to.

Once in-game you can /connect to our new test server at phobos.ioquake.org

Please report any issues you find with the test builds on the forums, in IRC, or on bugzilla.

Posted on

Test Builds are Back!

If you’ve been waiting to try out the latest features like the new renderer from our github, you don’t have to wait any longer. We’ve got our test builds page back online and updated with the latest builds from our continuous integration systems.

These builds aren’t tested, but you can file bugs against them on our bug tracker and let us know how they work out for you on our forums.

Go frag somebody today.

Posted on

Continuous Integration with Travis

Ghost of shame

It’s been a long time since I last wrote about any kind of testing, and one of the most basic forms is making sure your build compiles as a step of continuous integration.

This has been added to ioquake3’s github with the Travis service.

What this means is that every time one of your friendly neighborhood ioquake3 team members makes a commit, travis will pull down a copy of the codebase from github to a fresh virtual machine, read our instructions, and follow them to compile our codebase with a script that we’ve created.

If the build succeeds, great!

If the build fails, then, oh no! Somebody screwed up and let me write code again. A bot is dispatched by travis to our irc chat compound (irc.freenode.net #ioquake3) to let us know and will let everyone know which commit broke the build. The author will then receive the depicted ghost of shame in the mail within 64-128 weeks.

Currently we’re telling Travis to build for mingw (under Linux) and Linux itself with various options and it takes about 14 minutes to complete the operation.

In the future we hope to figure out a way save the builds Travis creates to the ioquake3 website so that we can offer you more expedited builds.

Travis’ website suggests a method that involves Amazon S3 but we are interested in other storage solutions.

Posted on

Happy New Year, ioquake3 and github!

Hi All,

This August will be the 7th Anniversary of ioquake3!
Time flies when you’re fragging fools and breaking builds.
We still haven’t had a release since 2009. Don’t worry, we still have another 365 days to go until it has been 5 years since a release!
The real reason for this post is that I wanted to tell you all that we’re moving the project to github.
There is a new organization there, called ioquake.
But most importantly there is a project there that you can clone, fork, and send pull requests.
Bugzilla and other things hosted on icculus.org will keep going, but the SVN repository is now deprecated and I don’t know if it will remain online or not. If possible, we may set up a thing to automatically slurp in changes from the github project.
ioquake3.org itself is not going anywhere
Thank you to everyone who has contributed and played ioquake3 since the project started on August 20th, 2005!

Make sure to join us on server.ioquake3.org for some baseq3 fragging when you get a chance!

Here are your top-ten all-time contributors, by number of commits:

  1. Thilo Schulz
  2. Tim Angus
  3. Ludwig Nussel
  4. Zack Middleton
  5. Ryan C. Gordon (he beat me by 3 commits!)
  6. Zachary J. Slater
  7. Tony J. White
  8. Aaron Gyes
  9. James Canete
  10. Coyote

If you have any questions or suggestions let me know in the comments here, on our freenode irc channel #ioquake3, or on our twitter account and facebook page.

Continue reading “Happy New Year, ioquake3 and github!”

Posted on

ioquake3 and OS X Mountain Lion

10imac27 photo

The latest version of OS X, Mountain Lion has been available for a little while and we have now confirmed that ioquake3’s latest SVN (revision 2306) compiles and runs smoothly on it.

If you already have ioquake3 installed on your intel Mac running 10.6 or greater please try a test build:

It should run fine under Mountain Lion, if you have Gatekeeper enabled with the default setting you will have to right click and then select Open on the .app.

Please let us know if it works well for you.

Posted on

Quake 3 Source Code Review by Fabian Sanglard

Fabian Sanglard:

I was particularly impressed by :

  • The virtual machines system and the associated toolchain that altogether account for 30% of the code released. Under this perspective idTech3 is a mini operating system providing system calls to three processes.
  • The elegant network system based on snapshots and memory introspection.

Check out his entire code review here.

Posted on

CVE-2012-3345 symlink attack in ioquake3 >= r1773

Background
==========
 
ioquake3 [IOQ] is a fork of the Quake III Arena (id Tech 3) game engine,
and has become the de facto upstream for that engine since id Software
ceased to develop it. It is also used (unmodified, modified or forked)
in various open-source and proprietary games including OpenArena [OA],
Reaction [REA], Smokin’ Guns [SGN], Tremulous [TREM], Turtle Arena [TA],
Urban Terror [URT] and World of Padman [WOP].
 
Vulnerability
=============
 
Access vector: local
Authentication required: local system
Impact: overwrite a file owned by the victim with a predictable integer
 
Since svn revision 1773, ioquake3 has written its process ID to the file
/tmp/ioq3.pid (or ioq3.pid in a world-writeable location) under the
following circumstances:
 
* running on non-Mac Unix and TMPDIR not set, or set to a
world-writeable location; or
* running on Mac OS and FSFindFolder() for a temporary directory fails
or returns a world-writeable location
 
On a multi-user system, an attacker could create a symbolic link
/tmp/ioq3.pid pointing to any file owned by a user who plays an
ioquake3-based game. When the victim runs ioquake3, the target file will
be overwritten and replaced with the process ID of ioquake3.
 
The effect of this attack depends on the file being overwritten: it
could be simple vandalism (destroy one of the victim’s files), or it
could have further security implications if knowledge of the contents of
a target file is used for authentication (in a system similar to
pam_dotfile [DOT], for instance).
 
For the dedicated server, the process ID is written to ioq3_server.pid,
but the attack is essentially the same. For forks of ioquake3, the
filename will typically include the name of the fork, e.g. openarena.pid.
 
Affected versions
=================
 
* ioquake3 >= svn r1773
* ioquake3 < svn r2253
* OpenArena 0.8.8
* Reaction beta 1.0
* Smokin’ Guns 1.1
* Tremulous “trunk” >= svn r2125
* Tremulous “gpp” >= svn r2140
* Turtle Arena >= svn r204 (all releases named Turtle Arena)
* World of Padman >= 1.5.2 beta
 
Unaffected versions
===================
 
* ioquake3 1.36
* ioquake3 <= svn r1772
* ioquake3 >= svn r2253
* OpenArena <= 0.8.5
* Smokin’ Guns <= 1.1b4
* Tremulous “trunk” <= svn r2124
* Tremulous “gpp” <= svn r2139
* Tremulous GPP1
* Tremulous <= 1.1.0
* Turtle Arena <= svn r203
* TMNT Arena 20091211 (former name of Turtle Arena)
* ioUrbanTerror 2007-12-20 client
* ioUrbanTerror 2007-12-20 server
* World of Padman <= 1.5.0
 
Solution
========
 
The attached patches have been reviewed by two ioquake3 maintainers.
Please apply them to affected versions on or after the embargo date.
 
Patch 0001 fixes the vulnerability by writing the pid file into the
ioquake3 user’s home directory (e.g. ~/.q3a/ioq3.pid for an unmodified
engine with default configuration) instead of the temporary directory.
 
Patch 0002 is recommended, but not strictly necessary to fix the
vulnerability. It removes the functions to get the temporary directory,
as a precaution against other unsafe uses.
 
 
References
==========
 
Posted on

Calling all content creators!

Work has started on “baseio“, a project to create a small game to include with the ioquake3 engine download with Creative Commons licensed content. Work has already been started on textures, weapon models, and a player model, but there is still much to be done. Animations, mapping, and audio are most needed, but if there’s anything you can contribute, join the discussion. Any content contributed must be under a Creative Commons nonccommercial-by-sharealike license. The ioquake3 code base and any contributed code will remain GPL. We also need some people who have lead mods before since we’ve run out of beer so now we’re too sober to know what to do.