Another critical Q3 security bug

[Ganemi]

http://aluigi.altervista.org/adv/q3cfilevar-adv.txt

pfffffft. wonder if id will ever realize how cool it would be to work with the icculus guys and release a cock-solid PR for a change...

*whispers* With ragdolls.

*dodges a tomato*

[dzjepp]

Yeah, syncerror, if id brings out a new patch, could you guys mebbe ask the icculus guys if you can merge their exe into an official id exe?

[Timbo]

The recent 1.32c patch WAS derived from ioq3 (the specific fixes were permitted to be committed to the closed version as well as the GPL version). The ioq3 changes couldn't ever be released by id, unless permission was granted from ALL the contributors.

[dzjepp]

Are there a ton of ioq3 contributors?

[Foo]

yes

See this thread: http://www.quake3world.com/forum/viewtopic.php?t=20076

[dzjepp]

So where the specific 1.32c fixes under obligation to be premitted by everyone that contributed to ioq3? Meaning if so, it wouldn't be too far fetched or impossible to get such an appraisal going for a full scale ioq3 merger with an id patch?

[Foo]

I think the fixes specific to that were few in number, and from contributors still around and available to give permission. It's a different situation between the specific fixes they rolled into both, and the entire list of changes in IO.

[Kat]

Am I reading that right, the bug only effects machines if autodownload is active? And you need to connect to a machine with the hack in place for it to do anything?

[^misantropia^]

This is correct, yes.

[Oeloe]

^^^^ Hi there, fellow lurker.

[^misantropia^]

Have we met, sir?




(not quite a lurker, you, Oeloe. I remember your postcount being at least several hundred less than what I had when I left)