UPDATE: games/chocolate-doom 3.0.0 => 3.0.1 (fix CVE-2020-14983)

Brian Callahan-6
Hi ports and Ryan --

I noticed via Repology that our version of chocolate-doom is
vulnerable to CVE-2020-14983 [0].

The simple solution is to update to version 3.0.1, which contains the
fix [1].

Doom works here for me.

OK?

~Brian

[0] https://nvd.nist.gov/vuln/detail/CVE-2020-14983
[1] https://github.com/chocolate-doom/chocolate-doom/issues/1293

chocolate-doom-301.diff (1K) Download Attachment

Re: UPDATE: games/chocolate-doom 3.0.0 => 3.0.1 (fix CVE-2020-14983)

Nam Nguyen
Brian Callahan writes:

> Hi ports and Ryan --
>
> I noticed via Repology that our version of chocolate-doom is
> vulnerable to CVE-2020-14983 [0].
>
> The simple solution is to update to version 3.0.1, which contains the
> fix [1].
>
> Doom works here for me.

In my testing singleplayer and multiplayer continue to work.

I tested singleplayer by completing the first maps in Doom and Doom 2.

I tested multiplayer by creating a server and having two players join.

$ chocolate-server -privateserver
$ chocolate-doom -iwad doom2.wad -connect 127.0.0.1 -deathmatch -nomonsters
$ chocolate-doom -iwad doom2.wad -connect 127.0.0.1

>
> OK?
>
> ~Brian
>
> [0] https://nvd.nist.gov/vuln/detail/CVE-2020-14983
> [1] https://github.com/chocolate-doom/chocolate-doom/issues/1293
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/games/chocolate-doom/Makefile,v
> retrieving revision 1.27
> diff -u -p -r1.27 Makefile
> --- Makefile 12 Jul 2019 20:46:15 -0000 1.27
> +++ Makefile 1 Aug 2020 03:43:21 -0000
> @@ -1,10 +1,9 @@
>  # $OpenBSD: Makefile,v 1.27 2019/07/12 20:46:15 sthen Exp $
>  
>  COMMENT = portable release of Doom, Heretic, Hexen, and Strife
> -V = 3.0.0
> +V = 3.0.1
>  DISTNAME = chocolate-doom-${V}
>  CATEGORIES = games x11
> -REVISION = 0
>  
>  HOMEPAGE = https://www.chocolate-doom.org/
>  
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/games/chocolate-doom/distinfo,v
> retrieving revision 1.9
> diff -u -p -r1.9 distinfo
> --- distinfo 18 Jan 2018 09:30:58 -0000 1.9
> +++ distinfo 1 Aug 2020 03:43:21 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (chocolate-doom-3.0.0.tar.gz) = c66mI5MMfRinp3juo5Hh3fvpCtGsQKkbOAr8pLDh2rg=
> -SIZE (chocolate-doom-3.0.0.tar.gz) = 2495591
> +SHA256 (chocolate-doom-3.0.1.tar.gz) = 1DXWF3QjSR1gvnBtqfB9OrT6vz4HfsKj/CFuOU/PyMc=
> +SIZE (chocolate-doom-3.0.1.tar.gz) = 2514985
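
Review bot: The new SHA256 and SIZE lines for chocolate-doom-3.0.1.tar.gz are the only integrity anchor for the updated source, and nothing in the diff shows how they were obtained. Before giving an OK, fetch the 3.0.1 tarball independently from upstream, regenerate distinfo with "make makesum", and confirm that both values match the ones posted here.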

Re: UPDATE: games/chocolate-doom 3.0.0 => 3.0.1 (fix CVE-2020-14983)

Ryan Freeman
In reply to this post by Brian Callahan-6
On Sat, Aug 01, 2020 at 03:47:19AM +0000, Brian Callahan wrote:
> Hi ports and Ryan --
>
> I noticed via Repology that our version of chocolate-doom is
> vulnerable to CVE-2020-14983 [0].
>
> The simple solution is to update to version 3.0.1, which contains the
> fix [1].
>
> Doom works here for me.

Thanks for this, I will look at this in a bit, perfect opportunity
for me to get my changes[1] for DESCR and README in :P

So please hold tight on this before committing

[1] https://marc.info/?l=openbsd-ports&m=156418849704190&w=2

>
> OK?
>
> ~Brian
>
> [0] https://nvd.nist.gov/vuln/detail/CVE-2020-14983
> [1] https://github.com/chocolate-doom/chocolate-doom/issues/1293

> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/games/chocolate-doom/Makefile,v
> retrieving revision 1.27
> diff -u -p -r1.27 Makefile
> --- Makefile 12 Jul 2019 20:46:15 -0000 1.27
> +++ Makefile 1 Aug 2020 03:43:21 -0000
> @@ -1,10 +1,9 @@
>  # $OpenBSD: Makefile,v 1.27 2019/07/12 20:46:15 sthen Exp $
>  
>  COMMENT = portable release of Doom, Heretic, Hexen, and Strife
> -V = 3.0.0
> +V = 3.0.1
>  DISTNAME = chocolate-doom-${V}
>  CATEGORIES = games x11
> -REVISION = 0
>  
>  HOMEPAGE = https://www.chocolate-doom.org/
>  
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/games/chocolate-doom/distinfo,v
> retrieving revision 1.9
> diff -u -p -r1.9 distinfo
> --- distinfo 18 Jan 2018 09:30:58 -0000 1.9
> +++ distinfo 1 Aug 2020 03:43:21 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (chocolate-doom-3.0.0.tar.gz) = c66mI5MMfRinp3juo5Hh3fvpCtGsQKkbOAr8pLDh2rg=
> -SIZE (chocolate-doom-3.0.0.tar.gz) = 2495591
> +SHA256 (chocolate-doom-3.0.1.tar.gz) = 1DXWF3QjSR1gvnBtqfB9OrT6vz4HfsKj/CFuOU/PyMc=
> +SIZE (chocolate-doom-3.0.1.tar.gz) = 2514985

Re: UPDATE: games/chocolate-doom 3.0.0 => 3.0.1 (fix CVE-2020-14983)

Ryan Freeman
On Sat, Aug 01, 2020 at 10:32:53AM -0700, Ryan Freeman wrote:

> On Sat, Aug 01, 2020 at 03:47:19AM +0000, Brian Callahan wrote:
> > Hi ports and Ryan --
> >
> > I noticed via Repology that our version of chocolate-doom is
> > vulnerable to CVE-2020-14983 [0].
> >
> > The simple solution is to update to version 3.0.1, which contains the
> > fix [1].
> >
> > Doom works here for me.
>
> Thanks for this, I will look at this in a bit, perfect opportunity
> for me to get my changes[1] for DESCR and README in :P
>
> So please hold tight on this before committing

Well, it is taking me longer to update my laptop than anticipated,
and now I need to step away.  Apologies, I am good with just getting
the CVE taken care of.  Thanks!

>
> [1] https://marc.info/?l=openbsd-ports&m=156418849704190&w=2
>
> >
> > OK?
> >
> > ~Brian
> >
> > [0] https://nvd.nist.gov/vuln/detail/CVE-2020-14983
> > [1] https://github.com/chocolate-doom/chocolate-doom/issues/1293
>
> > Index: Makefile
> > ===================================================================
> > RCS file: /cvs/ports/games/chocolate-doom/Makefile,v
> > retrieving revision 1.27
> > diff -u -p -r1.27 Makefile
> > --- Makefile 12 Jul 2019 20:46:15 -0000 1.27
> > +++ Makefile 1 Aug 2020 03:43:21 -0000
> > @@ -1,10 +1,9 @@
> >  # $OpenBSD: Makefile,v 1.27 2019/07/12 20:46:15 sthen Exp $
> >  
> >  COMMENT = portable release of Doom, Heretic, Hexen, and Strife
> > -V = 3.0.0
> > +V = 3.0.1
> >  DISTNAME = chocolate-doom-${V}
> >  CATEGORIES = games x11
> > -REVISION = 0
> >  
> >  HOMEPAGE = https://www.chocolate-doom.org/
> >  
> > Index: distinfo
> > ===================================================================
> > RCS file: /cvs/ports/games/chocolate-doom/distinfo,v
> > retrieving revision 1.9
> > diff -u -p -r1.9 distinfo
> > --- distinfo 18 Jan 2018 09:30:58 -0000 1.9
> > +++ distinfo 1 Aug 2020 03:43:21 -0000
> > @@ -1,2 +1,2 @@
> > -SHA256 (chocolate-doom-3.0.0.tar.gz) = c66mI5MMfRinp3juo5Hh3fvpCtGsQKkbOAr8pLDh2rg=
> > -SIZE (chocolate-doom-3.0.0.tar.gz) = 2495591
> > +SHA256 (chocolate-doom-3.0.1.tar.gz) = 1DXWF3QjSR1gvnBtqfB9OrT6vz4HfsKj/CFuOU/PyMc=
> > +SIZE (chocolate-doom-3.0.1.tar.gz) = 2514985
>

Re: UPDATE: games/chocolate-doom 3.0.0 => 3.0.1 (fix CVE-2020-14983)

Ryan Freeman
In reply to this post by Brian Callahan-6
On Sat, Aug 01, 2020 at 03:47:19AM +0000, Brian Callahan wrote:

> Hi ports and Ryan --
>
> I noticed via Repology that our version of chocolate-doom is
> vulnerable to CVE-2020-14983 [0].
>
> The simple solution is to update to version 3.0.1, which contains the
> fix [1].
>
> Doom works here for me.
>
> OK?
>
> ~Brian
>
> [0] https://nvd.nist.gov/vuln/detail/CVE-2020-14983
> [1] https://github.com/chocolate-doom/chocolate-doom/issues/1293

Hey Brian,

Thanks again for pointing this out!  I managed to roll my old DESCR and
pkg README enhancements into your diff to upgrade to 3.0.1.  Please
consider this one for commit, builds and runs fine on amd64 here.

This is based on a diff I had from last year that never made it in seen
here, but with a bit more word-smoothing:
https://marc.info/?l=openbsd-ports&m=156485054232532&w=2

Thanks!


Index: Makefile
===================================================================
RCS file: /cvs/ports/games/chocolate-doom/Makefile,v
retrieving revision 1.27
diff -u -p -r1.27 Makefile
--- Makefile 12 Jul 2019 20:46:15 -0000 1.27
+++ Makefile 2 Aug 2020 20:03:43 -0000
@@ -1,10 +1,9 @@
 # $OpenBSD: Makefile,v 1.27 2019/07/12 20:46:15 sthen Exp $
 
 COMMENT = portable release of Doom, Heretic, Hexen, and Strife
-V = 3.0.0
+V = 3.0.1
 DISTNAME = chocolate-doom-${V}
 CATEGORIES = games x11
-REVISION = 0
 
 HOMEPAGE = https://www.chocolate-doom.org/
 
Index: distinfo
===================================================================
RCS file: /cvs/ports/games/chocolate-doom/distinfo,v
retrieving revision 1.9
diff -u -p -r1.9 distinfo
--- distinfo 18 Jan 2018 09:30:58 -0000 1.9
+++ distinfo 2 Aug 2020 20:03:43 -0000
@@ -1,2 +1,2 @@
-SHA256 (chocolate-doom-3.0.0.tar.gz) = c66mI5MMfRinp3juo5Hh3fvpCtGsQKkbOAr8pLDh2rg=
-SIZE (chocolate-doom-3.0.0.tar.gz) = 2495591
+SHA256 (chocolate-doom-3.0.1.tar.gz) = 1DXWF3QjSR1gvnBtqfB9OrT6vz4HfsKj/CFuOU/PyMc=
+SIZE (chocolate-doom-3.0.1.tar.gz) = 2514985
Index: pkg/DESCR
===================================================================
RCS file: /cvs/ports/games/chocolate-doom/pkg/DESCR,v
retrieving revision 1.4
diff -u -p -r1.4 DESCR
--- pkg/DESCR 11 Dec 2014 08:10:51 -0000 1.4
+++ pkg/DESCR 2 Aug 2020 20:03:43 -0000
@@ -1,28 +1,7 @@
-Chocolate Doom is a portable branch of the classic doom.exe experience
-from the days of DOS. The author, Simon Howard, has worked to ensure
-Chocolate Doom, which is nothing more than a directly modified version
-of the released iD Software source code, has zero changes that affect
-gameplay, look, or feel, and also re-created a DOS-like setup program to
-configure the game much like the original setup.exe.  The project also
-maintains versions of the engine for Heretic, Hexen, and Strife.
+Chocolate Doom is an SDL-based port of the classic DOOM.EXE experience from
+the days of DOS.  The project aims to provide an experience identical to that
+of the original games on original hardware.  A game configuration program is
+included, and emulates the classic DOS-style SETUP.EXE of the originals.
 
-Chocolate Doom provides:
-  chocolate-doom          - the Doom executable
-  chocolate-doom-setup    - the Doom setup executable
-  chocolate-heretic       - the Heretic executable
-  chocolate-heretic-setup - the Heretic setup executable
-  chocolate-hexen         - the Hexen executable
-  chocolate-hexen-setup   - the Hexen setup executable
-  chocolate-strife        - the Strife executable
-  chocolate-strife-setup  - the Strife setup executable
-  chocolate-server        - server for up to 4-player net games
-
-
-Due to the port re-implementing the original games as closely as
-possible, all original game PWADs and demos work flawlessly. Other
-original features include a PC-speaker driver, just like the DOS
-PC-speaker driver, and a working -left and -right network command
-parameter system for the 'surround display' setup that was
-obtainable with the original DOS executables over an IPX network.
-
-Check the chocolate-*(6) manpages for additional information.
+The project also maintains versions of the engine for Heretic, Hexen, and
+Strife.  All original game PWADs and demos should work flawlessly.
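
Review bot: The DESCR rewrite in this hunk, like the MESSAGE removal and README addition that follow, is independent of the 3.0.1 bump in the Makefile and distinfo hunks. Committing the version bump on its own first would keep the CVE fix a two-file change that is easy to review, with the documentation rework following as a second commit. Note also that the new text drops the per-binary list and the pointer to the chocolate-*(6) manpages, so pkg/README becomes the only place a user learns which executables are installed.
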
Index: pkg/MESSAGE
===================================================================
RCS file: pkg/MESSAGE
diff -N pkg/MESSAGE
--- pkg/MESSAGE 27 May 2014 06:35:01 -0000 1.5
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,16 +0,0 @@
-To play the game you will need an original Doom, Ultimate Doom,
-Doom II, Final Doom, Heretic, Hexen, or Strife IWAD. Place the
-doom.wad, doom2.wad, plutonia.wad, tnt.wad, heretic.wad, hexen.wad,
-strife1.wad + voices.wad or all of the above in
-${PREFIX}/share/doom/ to play.  The shareware will also work.
-
-If multiple IWADs are installed, you may specify the one you want to
-play via the -iwad command-line parameter e.g.
-
-  $ chocolate-doom -iwad doom.wad
-  $ chocolate-heretic -iwad heretic1.wad (heretic shareware)
-
-The Doom Shareware IWAD is available in the doomdata package.
-
-Run `chocolate-gamename-setup' to generate a configuration file to your
-liking.
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/games/chocolate-doom/pkg/PLIST,v
retrieving revision 1.9
diff -u -p -r1.9 PLIST
--- pkg/PLIST 27 Jun 2018 21:03:44 -0000 1.9
+++ pkg/PLIST 2 Aug 2020 20:03:43 -0000
@@ -76,6 +76,7 @@ share/doc/chocolate-strife/PHILOSOPHY.md
 share/doc/chocolate-strife/README.Music.md
 share/doc/chocolate-strife/README.Strife.md
 share/doc/chocolate-strife/README.md
+share/doc/pkg-readmes/${PKGSTEM}
 share/doom/
 share/icons/
 share/icons/chocolate-doom.png
Index: pkg/README
===================================================================
RCS file: pkg/README
diff -N pkg/README
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ pkg/README 2 Aug 2020 20:03:43 -0000
@@ -0,0 +1,67 @@
+$OpenBSD$
+
++------------------------------------------------------------------------------
+| Running ${PKGSTEM} on OpenBSD
++------------------------------------------------------------------------------
+
+Game Data
+=========
+
+To play the game you will need an original Doom, Ultimate Doom, Doom II,
+Final Doom, Heretic, Hexen, or Strife IWAD.  The games data files will
+be named as follows:
+
+  o DOOM1.WAD .................. Doom Shareware
+  o DOOM.WAD ................... Doom Registered or Ultimate Doom
+  o DOOM2.WAD .................. Doom II: Hell on Earth
+  o PLUTONIA.WAD ............... Final Doom: The Plutonia Experiment
+  o TNT.WAD .................... Final Doom: TNT Evilution
+  o HERETIC1.WAD ............... Heretic Shareware
+  o HERETIC.WAD ................ Heretic: Shadow of the Serpent Riders
+  o HEXEN.WAD .................. Hexen: Beyond Heretic
+  o STRIFE0.WAD ................ Strife Shareware
+  o STRIFE1.WAD + VOICES.WAD ... Strife: Quest for the Sigil
+
+Place one or more of the above-listed files in ${PREFIX}/share/doom/
+to play.
+
+NOTE: Chocolate-doom is case-insensitive when loading files, just as the
+original for DOS was.  This means you do not have to reference the files
+in CAPS to load via `-iwad' or `-file' parameters.
+
+
+Launching a Game
+================
+
+Depending on which game you want to play, launch with the executable
+matching the game data installed.  There are four options:
+
+  o chocolate-doom
+  o chocolate-heretic
+  o chocolate-hexen
+  o chocolate-strife
+
+Run `chocolate-<game>-setup' to generate a configuration file to your
+liking.
+
+If multiple IWADs are installed, you may specify the one you want to
+play via the `-iwad' command-line parameter:
+
+  $ chocolate-doom -iwad doom.wad
+  $ chocolate-heretic -iwad heretic1.wad
+
+Multiplayer Games
+=================
+
+See the chocolate-<game>(6) manpages for additional information.  If a
+dedicated server is desired, see the chocolate-server(6) manpage.
+
+Shareware Data
+==============
+
+The Doom Shareware IWAD is available in the `doomdata' package.  Other
+shareware is available from the Doomworld idgames archive website:
+
+  Heretic: https://www.doomworld.com/idgames/idstuff/heretic/htic_v12
+  Hexen: https://www.doomworld.com/idgames/idstuff/hexen/hexndemo
+  Strife: https://www.doomworld.com/idgames/roguestuff/strife11
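
Review bot: In the Game Data paragraph, "The games data files will be named as follows" should read "The game data files". The file table also lists every name in upper case, while the -iwad examples under Launching a Game use lower case (doom.wad, heretic1.wad). That works only if the NOTE's case-insensitivity claim holds for files placed in ${PREFIX}/share/doom/, so confirm it on an installed package before committing, or list the names in the case users are expected to type.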