Page 1 of 1

Valve is updating GoldSource engine games

Posted: Tue Apr 23, 2019 2:13 pm
by mr.solokiller
Just a heads up, Valve is updating GoldSource engine games.

Here's a link to the issue tracker, showing what's going on: https://github.com/ValveSoftware/halfli ... dated-desc+

You can check the update news for the games to see what's been done so far, here's a changelog:
This list covers the releases between March 20 and April 15 that are each part of a series of security updates.


Larger changes:
  • Added privilege checking to command execution. Commands originating outside of the client are now only able to execute commands that are considered to be safe. Commands such as 'connect', 'bind', 'quit' and certain cvars such as 'cl_filterstuffcmd' are now only executable by trusted sources.
  • Setting 'cl_filterstuffcmd' to a value greater than zero (e.g. 'cl_filterstuffcmd 1') will set a number of commands that are potentially abusable, such as 'say', 'fps_max', and 'setinfo', to also be only executable by privileged sources.

Fixes:
  • Fixed intermittent double weapon firing (TFC only)
  • Fixed client incorrectly blocking download of custom sprays
Security fixes:
  • All custom resources downloaded from a server now have their file name's checked for safety before being allowed to download
  • Invalid file extensions are now prevented in several commands
  • Dynamic libraries are no longer searched for in custom resource directories
  • Added additional file extensions to custom resource blocked extensions list
  • Fixed buffer overflow in message delta parsing
  • Fixed RCE in weapon message handling
  • Fixed RCE in model loading
  • Fixed buffer overflows in TGA and BMP loading
  • Fixed buffer overflow in demo playback
  • Fixed buffer overflows in model name loading
  • Fixed buffer overflow in detail texture loading
  • Fixed buffer overflow in console map listing
  • Fixed command chaining in cvar's that specified config files to be passed to the 'exec' command
In addition non-power of 2 textures are supported again if your system supports them. Overbright support might be turned on again if we can figure out what the reason for disabling it was.

People are also posting requests, but the focus is on bug fixing for the time being at least.

There's also talk of open sourcing: https://github.com/ValveSoftware/halfli ... -482718243

If there are any bugs that need fixing that haven't been reported yet, please report them. Explain in detail and provide steps to reproduce when possible, maybe with test maps if that's needed.

Re: Valve is updating GoldSource engine games

Posted: Tue Apr 23, 2019 2:23 pm
by Django
Image

Re: Valve is updating GoldSource engine games

Posted: Tue Apr 23, 2019 6:26 pm
by 510 Baud One
Interesting news.

Re: Valve is updating GoldSource engine games

Posted: Tue May 14, 2019 11:01 pm
by KoD
Thanks for sharing!