ioquake3 (1.36+u20140802+gca9eebb-2+deb8u2) jessie-security; urgency=medium

  * Add patch from upstream:
    + Address read buffer overflow in MSG_ReadBits (CVE-2017-11721)
      (Closes: #870725)
    + Check buffer boundary exactly in MSG_WriteBits, instead of
      potentially failing with a few bytes still available

 -- Simon McVittie  Sat, 12 Aug 2017 10:15:49 -0400

ioquake3 (1.36+u20140802+gca9eebb-2+deb8u1) jessie-security; urgency=high

  * d/gbp.conf: switch branch to debian/jessie
  * d/patches: Add patches from upstream fixing security vulnerabilities
    - refuse to load potentially auto-downloadable .pk3 files as ioquake3
      renderers, ioquake3 game code, libcurl, or OpenAL drivers
      (mitigation: auto-downloading is off by default, and in Debian we
      do not dlopen libcurl anyway)
    - refuse to load default configuration file names from a .pk3 file
    - protect cl_renderer, cl_curllib, s_aldriver configuration variables
      so game code cannot set them
    - refuse to overwrite files other than *.txt with the dump console
      command
    - refuse to overwrite files other than *.cfg with the writeconfig
      console command
    (Closes: #857699; CVE-2017-6903)

 -- Simon McVittie  Tue, 14 Mar 2017 22:29:41 +0000

ioquake3 (1.36+u20140802+gca9eebb-2) unstable; urgency=medium

  * Build-depend on libjpeg-dev for jpeg-turbo transition

 -- Simon McVittie  Mon, 29 Sep 2014 19:05:23 +0100

ioquake3 (1.36+u20140802+gca9eebb-1) unstable; urgency=low

  * New upstream snapshot
  * debian/patches: stop using numbered patches so there's less diffstat
    churn when patches are added/removed
  * Drop patch to check for opus etc.
    via pkg-config, applied upstream
  * Drop patch to build for i486 on Debian i386, Debian's i386 gcc now
    targets i586 anyway
  * Drop patch to avoid opengl2 for OpenArena, opengl2 now uses internal
    GLSL resources
  * Refresh patches (no functional changes)
  * debian/rules: turn off all removed internal copies of libraries

 -- Simon McVittie  Sun, 17 Aug 2014 22:39:34 +0100

ioquake3 (1.36+u20140319+gb099255-1) unstable; urgency=low

  * New upstream snapshot

 -- Simon McVittie  Thu, 20 Mar 2014 08:57:43 +0000

ioquake3 (1.36+u20140116+gdde36d9-1) unstable; urgency=low

  * New upstream snapshot
    - refresh patches
    - set renderergl2 default video mode to 640x480, matching renderergl1:
      user configuration (if any) overrides this
    - switch opengl2 renderer back to opengl1 when running OpenArena,
      since OA's GLSL shaders don't seem to be fully compatible with it
  * Canonicalize Vcs-Git, Vcs-Browser
  * Standards-Version: 3.9.5 (no changes needed)
  * Install README.md as upstream README

 -- Simon McVittie  Sat, 18 Jan 2014 17:28:34 +0000

ioquake3 (1.36+u20130504+g42eeb75-2) unstable; urgency=low

  * Enable Opus support now that #708008 is fixed
    - add a patch to look for the various Xiph libraries in the locations
      from pkg-config, since opusfile.h isn't in the default search path

 -- Simon McVittie  Sun, 19 May 2013 23:49:35 +0100

ioquake3 (1.36+u20130504+g42eeb75-1) unstable; urgency=low

  * Merge from experimental
  * New upstream snapshot, now coming from git rather than svn
    - adapt get-orig-source and build system
    - loadable modules on i386 and alpha are now ...x86.so and
      ...alpha.so, not ...i386.so and ...axp.so: add a Breaks on
      openarena versions that don't ship both
    - refresh patches
    - drop patches applied upstream:
      + double number of cvars
      + double default "hunk" memory
      + increase command buffer
      + double maximum number of flares
    - disable Opus support for now, since Debian's libopusfile is only in
      experimental, and currently links OpenSSL, which is not
      GPL-compatible (see #708008)
    - explicitly disable
      internal libogg
  * Adapt the patch for windowed-mode-by-default to apply to both
    renderer versions

 -- Simon McVittie  Sun, 12 May 2013 17:14:36 +0100

ioquake3 (1.36+svn2287-2) experimental; urgency=low

  * Adjust gbp.conf for experimental
  * Compile on Hurd, treating it like Linux and kFreeBSD (patch and
    testing by Svante Signell, closes: #679330)

 -- Simon McVittie  Thu, 05 Jul 2012 08:57:53 +0100

ioquake3 (1.36+svn2287-1) unstable; urgency=low

  * New upstream snapshot
    - reverts a change that caused a 25% framerate loss on the
      proprietary nVidia driver (Closes: #677647)
    - drop patches for CVE-2012-3345, applied upstream
    - drop patches excluding qagame.qvm from checksums, applied upstream
  * Run in a window by default on new installations (mitigates: #546671)

 -- Simon McVittie  Sat, 23 Jun 2012 00:06:13 +0100

ioquake3 (1.36+svn2224-5) unstable; urgency=medium

  * Add bug number to the previous upload's changelog
  * Add CPPFLAGS (which are not followed by ioquake3) to CFLAGS (which
    are), for better hardening
  * Report status of libgl1-mesa-dri (indirect recommendation) in bug
    reports
  * On any-i386, only emit i486 instructions (we theoretically still
    support non-586 CPUs), but optimize for a generic modern x86
  * On any-i386, don't use -funroll-loops, working around a compiler
    segfault on these architectures (Closes: #677593)

 -- Simon McVittie  Fri, 15 Jun 2012 09:11:41 +0100

ioquake3 (1.36+svn2224-4) unstable; urgency=high

  * Fix symlink attack in /tmp by moving pid file into the user-specific
    directory ~/.q3a, ~/.openarena etc.
    (CVE-2012-3345, Closes: 677592)
  * As a precaution, remove Sys_TempPath() altogether, so that any other
    unsafe usage will fail

 -- Simon McVittie  Wed, 13 Jun 2012 20:13:45 +0100

ioquake3 (1.36+svn2224-3) unstable; urgency=low

  * Merge from experimental
  * Back out the patch that changes colour handling in the console:
    misleading for non-OpenArena, only minor impact for OpenArena
  * Use default.mk from dpkg-dev >= 1.16.1

 -- Simon McVittie  Sat, 31 Mar 2012 18:16:20 +0100

ioquake3 (1.36+svn2224-2) experimental; urgency=low

  * Import some of the changes from OpenArena 0.8.8's engine:
    - let servers set clients' sv_fps, which is used for movement
      prediction
    - remove FS_GamePureChecksum, which is never called
    - do not include the PK3 file containing qagame.qvm in pure-server
      checksums unless there is another reason to reference it, to allow
      server-side-only mods without forcing clients to have them
    - add support for a 9th colour escape code (^8, "COLOR_MENU", orange)
    - increase the maximum number of flares from 128 to 256
    - add sv_dorestart, which can be set by game code to force a full
      restart: some game modes in OpenArena can make use of this to avoid
      some full restarts

 -- Simon McVittie  Sun, 26 Feb 2012 22:37:55 +0000

ioquake3 (1.36+svn2224-1) unstable; urgency=low

  * New upstream snapshot
    - transfers com_altivec to renderer (hopefully Closes: #658215)
  * Standards-Version: 3.9.3 (no changes)
  * Use debhelper 9 for compressed/build-ID-based debug symbols

 -- Simon McVittie  Thu, 23 Feb 2012 17:41:00 +0000

ioquake3 (1.36+svn2202-1) unstable; urgency=low

  * Back to unstable
  * New upstream snapshot
  * Update description: Debian's openarena now uses this shared engine
    (Closes: #644577)
  * Don't install a duplicate copy of ChangeLog.gz, debhelper
    automatically gives us changelog.gz
  * Remove a stray non-breaking space from debian/copyright
  * Don't try to build on non-Linux, non-kFreeBSD - the current code
    structure only allows specific platforms, and I doubt ioquake3 is
    useful on Hurd
    anyway

 -- Simon McVittie  Tue, 29 Nov 2011 20:57:13 +0000

ioquake3 (1.36+svn2139-1) experimental; urgency=low

  * New upstream snapshot
    - should compile on non-x86 architectures again

 -- Simon McVittie  Mon, 08 Aug 2011 08:23:48 +0100

ioquake3 (1.36+svn2131-1) experimental; urgency=low

  * Branch into experimental. This version will not necessarily
    interoperate fully with the final 1.37 release.
  * New upstream snapshot
    - drop security patches, no longer needed
    - install the new pluggable renderers
    - update fake-QVM patch for this snapshot
    - add Breaks for openarena versions that don't set the protocol
      version as necessary for this engine

 -- Simon McVittie  Thu, 04 Aug 2011 09:05:49 +0100

ioquake3 (1.36+svn1946-5) unstable; urgency=low

  * Amend previous changelog to include bug numbers, which were not
    available when the package was prepared before the embargo date
  * Restore the ability to load replacement shared objects from a
    subdirectory, fixing symptoms like #620757 on OpenArena pure servers

 -- Simon McVittie  Thu, 04 Aug 2011 09:03:51 +0100

ioquake3 (1.36+svn1946-4) unstable; urgency=high

  * Apply upstream r2092 to fix failover between xmessage, zenity and
    kdialog if the preferred implementation is missing, so that r2097 can
    be applied
  * Apply upstream r2097 to fix arbitrary code execution by a malicious
    server. CVE-2011-1412 (Closes: #635731)
  * Apply upstream r2098 to fix arbitrary code execution by malicious QVM
    bytecode (mitigation: only if native code is enabled), which could be
    auto-downloaded from a malicious server if enabled. CVE-2011-2764
    (Closes: #635734)

 -- Simon McVittie  Tue, 26 Jul 2011 21:09:53 +0100

ioquake3 (1.36+svn1946-3) unstable; urgency=low

  * (ioquake3 1.36+svn1946-2 was never in Debian, due to problems with the
    orig tarball.)
  * Specifically build-depend on libjpeg8-dev (please revert this after
    wheezy or when libjpeg breaks ABI again, whichever is sooner)
  * Drop the patch that allowed compatibility with libjpeg62-dev - we no
    longer use any of the bundled libjpeg8 in Debian builds
    (Closes: #623462)
  * Standards-Version: 3.9.2 (no changes)
  * Specifically enable pristine-tar in git-buildpackage so we'll produce
    matching orig tarballs in future, and import the pristine-tar data for
    this upstream version
  * q3arch: correctly recognise powerpc-linux-gnuspe (Debian powerpcspe,
    PowerPC with Signal Processing Extensions) as Linux

 -- Simon McVittie  Sat, 23 Jul 2011 18:42:35 +0100

ioquake3 (1.36+svn1946-1) unstable; urgency=low

  * New upstream svn snapshot
    - drop patch 0008, which went upstream as r1934
    - fixes crashes when taking JPEG screenshots
  * Drop patch 0007, which didn't actually fix #607178
  * Drop Recommends on openarena|quake3 and the corresponding -server:
    those are the user-visible packages, and this shared engine is just an
    implementation detail
  * Stop the client Suggesting the server, too
  * Annotate the libjpeg patch with why upstream rejected it
  * Build-depend on libjpeg-dev instead of libjpeg62-dev, to allow a
    binNMU for the transition when it eventually happens
  * Upload to unstable

 -- Simon McVittie  Fri, 29 Apr 2011 16:12:57 +0100

ioquake3 (1.36+svn1933-1) experimental; urgency=low

  * New upstream svn snapshot
    - contains a fix for FTBFS on powerpc, hopefully (Closes: #617769)
    - support merged for system libjpeg; drop the Fedora-originated patch
    - add a smaller patch to use jpeg_mem_src from the bundled libjpeg 8
      with the system libjpeg 6b (a necessary evil for now)
  * q3arch: extend the armel special case to recognise armhf as Linux too

 -- Simon McVittie  Wed, 16 Mar 2011 21:57:42 +0000

ioquake3 (1.36+svn1921-1) experimental; urgency=low

  * New upstream svn snapshot
    - discard patches that were applied or replaced upstream
    - refresh remaining patches
    - add patch to compile against OpenAL
      Soft extension headers
  * Remove patch 0015 again, breaking obsolete experimental openarena
    versions (if you're running 0.8.5-5+expX for any X, please upgrade)
  * Add a potential patch for an OpenArena crash (might close: #607178)

 -- Simon McVittie  Thu, 10 Mar 2011 23:44:48 +0000

ioquake3 (1.36+svn1858-2) unstable; urgency=low

  * Apply patch from upstream r1919 to avoid Com_StartupVariable marking
    cvars as user-created, causing them to be reset when joining some
    servers (Closes: #613692)

 -- Simon McVittie  Thu, 10 Mar 2011 22:49:57 +0000

ioquake3 (1.36+svn1858-1) unstable; urgency=low

  * New upstream snapshot
    - discard patches that were applied or replaced upstream
    - refresh remaining patches
    - add patch 0015: openarena in experimental relies on being able to
      set com_standalone 1 on the command line, so bring back that
      functionality, and copy com_basegame from fs_basegame if used
  * Replace patch 0014 with Zack Middleton's version from upstream
    bugzilla, which automatically counts human players, independent of
    the mod
  * Bump debhelper compat to 8 now it's (about to be) in stable
  * Update format of debian/copyright with the help of Config::Model

 -- Simon McVittie  Sat, 05 Feb 2011 22:30:41 +0000

ioquake3 (1.36+svn1802-2+dbg) experimental; urgency=low

  * Add debug symbols in ioquake3-dbg

 -- Simon McVittie  Sun, 16 Jan 2011 23:25:22 +0000

ioquake3 (1.36+svn1802-2) unstable; urgency=low

  * Correct patch 0014 so the variables are correctly formatted as strings
  * Update copyright file to DEP-5 (candidate) format
  * Remove example scripts to run openarena: openarena in experimental now
    uses wrapper scripts around this engine, so please use that instead

 -- Simon McVittie  Sun, 16 Jan 2011 23:14:27 +0000

ioquake3 (1.36+svn1802-1) unstable; urgency=low

  * New upstream svn snapshot
    - Add patches 0017, 0018: revert r1796, which breaks Team Arena, and
      apply patch suggested by Zack Middleton instead
    - Add patch 0019: fix a regression in joining single-player team games
  * Remove all of build/
    in clean; otherwise architectures where uname -m doesn't match the Q3
    architecture name won't delete the binaries
  * Use Q3 arch name "sh" for sh4
  * Recommend x11-utils, zenity or kdebase-bin so Sys_Dialog will work
  * Move get-orig-source functionality into debian/rules
  * Rename q3arch.sh to q3arch, and install it in ioquake3-server so
    openarena can build-depend on it

 -- Simon McVittie  Fri, 12 Nov 2010 20:55:11 +0000

ioquake3 (1.36+svn1788j-2) unstable; urgency=low

  * Add support for arm/armel in q3arch.sh, removing "might not work"
    warning (q_platform.h does support this CPU)
  * Make ioquake3-server recommend openarena-server | quake3-server, not
    their client counterparts
  * Enhance the example openarena scripts to support --help, --quiet, and
    running under a debugger
  * Use the upstream "debug" build target, which doesn't select any
    particular compiler flags except -O0, if DEB_BUILD_OPTIONS contains
    "noopt"
  * Use build/ rather than build/flavour-arch-os/ for both flavours of
    build (debug and release)
  * Rename the ioquake3-server man page to ioq3ded to match the binary,
    and update the man pages

 -- Simon McVittie  Fri, 15 Oct 2010 21:11:14 +0100

ioquake3 (1.36+svn1788j-1) unstable; urgency=low

  [ Bruno "Fuddl" Kleinert ]
  * Initial release (Closes: #488803)
  * Import several patches from Fedora, including:
    * Use system libjpeg (will close #495966 when openarena uses this
      engine)
  * Strip non-free LCC compiler
  * Strip some of the code copies from .orig.tar.gz:
    * library binaries
    * speex
    * curl

  [ Simon McVittie ]
  * Update to a svn snapshot of ioquake3
  * Import patches from Debian openarena packaging:
    * fix build and resulting binary on Alpha (vorlon)
    * load native-code game logic (smcv)
    * fix spelling errors (ansgar)
    * fix FTBFS on kFreeBSD (KiBi)
  * Import patches loosely based on OpenArena upstream patches:
    * clip cl_mouseAccelOffset at 0.0001 to avoid division by zero
    * increase some arbitrary limits
    * put g_humanplayers and g_needpass in server info
  * Add some new patches
    to let us run OpenArena with this engine:
    * don't require Quake 3's pak0.pk3 in standalone mode
    * allow apparent protocol version to be changed on the command line
  * Add example scripts to use this engine to play OpenArena
  * Move the installed binaries off the $PATH, since they're of little
    use on their own (this package mainly exists so openarena, quake3
    etc. can depend on it in future)
  * Don't strip the libjpeg code copy from the orig tarball: we still use
    one modified file from it, which means we must include the README and
    details of changes
  * Audit copyright file and convert to DEP-5
  * Add a watch file

 -- Simon McVittie  Sun, 15 Aug 2010 22:25:41 +0100