As mentioned in the comments to this blog there is some kind of vulnerability in the commonly used KTX version. I (or Mushi rather ) thought this is news worthy but then where can the server gurus find the correct KTX version to use? And i assume nQuake also should be updated?

yeah, to fix this server admins need to update to the newer ktx. They should clone this git repository: https://github.com/jite/ktx/
compile it, and restart the servers

Any details about vuln? PoC maybe?

From upadted sources @ github - it seems to be possible to pass VIP flags with precompiled quake client that will be recognized by server. Am I right?

Don't know much of the programming... but that's probably right!
I've done here (to test/proof), compiling ezQuake with a little, very little, change!
then, inside the compiled ezQuake, all you have to do is set a variable, then connect to a server: BOOM, all your commands are local commands, like if you were at the server shell...

(It's also a very danger security issue to the server machine, becouse depending on the server configs, you have access to the ENTIRE MACHINE FOLDER/FILES)
Like:
on Windows: Format c:\
on Linux: rm -Rf /
hehehehehe (ok, it's not that simple, but it's TRUE)

First part is correct, second part not necessarily. When you have the server console you can do stuff to allow yourself to upload files, from there one can insert scripts and make them execute on the remote machine. However they will only run as the same user as the qw server runs as. However if this is your normal account/super user account, I'd be a bit scared and fix this ASAP.

Security by obscurity, doesn't work.

I added the fix at the very moment to all of my servers.

That's rather scary, but now, "we"'re safe...

For those of you wondering how to 'patch' it here is simple howto:


copy new qwprogs.so to your ktx/ directory and restart server. If it fails to load progs.dat you also have to recompile mvdsv:

and then copy mvdsv to your ${quake_home}

Thanks d2 for the help

i've upgraded the wiki page "How to server"

http://wiki.quakeworld.nu/How_to_server

I just did this on nl.besmella.com servers... looks to have worked... should the size be so much bigger than the previous one? more than double the size?

It probably has debugging symbols included still. Try "strip qwprogs.so".

Is there any affect on the performance or memory usage if i don't do this?

http://stackoverflow.com/questions/5936181/gcc-g-vs-not-g-and-strip-vs-not-strip-performance-and-memory-usage

TL;DR

No

Perfect, thanks!