Slashdot Mirror


Half-Life Vulnerabilities Exposed, Patched

AEton writes "PivX Solutions revealed in a press release three apparently new vulnerabilities in Half-Life and its related mods (such as Counter-Strike and Day of Defeat). Security researcher Auriemma Luigi discovered the flaws, reported them to Valve, and waited over three months for an official response before releasing an unofficial patch to correct the issues. Details on each of the vulnerabilities and sample code are linked to in the press release. (The third one looks kind of flaky, but the buffer overflows seem real.)" Thanks to an anonymous reader for pointing out Valve have now released a dedicated Windows server patch and dedicated Linux server patch (links via Fileshack) which seem to fix the issues.

6 of 36 comments

  1. 3 months by Taral · Score: 3, Interesting

    I'm appalled that it apparently took a public release to get them to patch the servers. It would have been trivial for Valve to slide this into a patch and release it to everyone.

    What possible rationale do they have for not fixing it in 3 months?

    --
    Taral

    WARN_(accel)("msg null; should hang here to be win compatible\n");
    -- WINE source code

    1. Re:3 months by lightspawn · Score: 2, Interesting

      "I'm appalled that it apparently took a public release to get them to patch the servers. It would have been trivial for Valve to slide this into a patch and release it to everyone."

      When a way was found to delete other people's characters in Sega's Phantasy Star Online, the company tried to patch it, while keeping it a secret (and so not explaining how to avoid this abuse). This strategy worked very well with their inability to patch the bug or save the game state on the server side, and their decision to disallow making backups of the data files (the only file manager for the Dreamcast is in ROM, and it respects the do-not-copy bit of course). That's 50-100 hours down the drain for thousands of people.

      I'll never pay for an online Sega game, and it will take a long time before I'm even willing to trust another company enough to spend my time on their online game.

      I hope it makes sense, but there's a fight in the cubicle next to me and I'm a bit distracted.

  2. Re:Not good enough by Hard_Code · Score: 4, Interesting

    "They still haven't fixed VAC (valve anti-cheat) so wine users can play Half-Life."

    And why should they burn money supporting a niche customer base which either 1) won't pay for software or 2) already has a copy of the Windows version of a game that is OVER FIVE YEARS OLD? There are, like, 3 people that play Half-Life through Wine.

    "This doesn't stop them from assuming Linux fans will host their games via dedicated servers though. I'm still a little pissed off that they think Linux is good enough to host their games but not worthy of a client."

    They don't assume shit. Linux is a popular server operating system that is run by MANY hosting services, so naturally they would port the dedicated server to Linux. The dedicated server is much easier to port than the full-blown client with graphics (duh).

    "This is just more of the same old excellent community support from Valve."

    Let's see:

    * publish Half-Life SDK with tools, source, and documentation
    * maintain strong mod community relationships with valve-erc website
    * support popular mods: socially, technically, financially, etc.
    * listen to the incessant bitching of every kiddie who wants something for nothing

    Yeah, I'd say it is excellent support. Quityerbitchin.

    --
    It's 10 PM. Do you know if you're un-American?

  3. Re:3 months? Who cares? by PainKilleR-CE · Score: 2, Interesting

    Last I heard, the HL2 and HL patch teams were made up of different people. They released a boatload of HL patches in the time they've spent making HL2, not to mention the level of work that went into some of those HL patches.

    Not that I plan on bashing Valve for releasing a patch for a 4-year-old game with only 3 months, considering the level of testing they normally subject their patches to (though I will gladly bash the number of client bugs they haven't fixed that have been in there the full 4 years and the number of things their testing hasn't caught over the years).

    --
    -PainKilleR-[CE]

  4. Re:Not good enough by PainKilleR-CE · Score: 2, Interesting

    "My problem is that Valve thinks it's cool for me to run a server for their game even though I can't play it. That bugs me. I can respect that the financial decision to make a client might not be a great idea today, but there was certainly a time when it would have made sense. I, along with many others, would happily pay for a Linux client."

    From a purely financial standpoint:
    - Any game that relies on someone other than the developer to set up servers NEEDS Linux server software. There's simply no way around that, as a very large percentage of all servers running for any of these games right now is a Linux (or other *nix) box. It has nothing to do with the capabilities of the OS when it comes to whether or not they will do the port, it has everything to do with the fact that the people running the servers are running Linux (and just a note, while the people running the servers may choose Linux for its capabilities, Valve, id, and others did not choose to make the Linux server because of Linux's capabilities).
    - Past performance of boxed Linux client sales has given sufficient reason for them not to make the porting effort. Additionally, they dropped work to port the game to the MacOS (they said it was because the Mac port wouldn't play online with the Win port, but that doesn't make a lot of sense to me). Arguably, MacOS has a larger user base on the client, and a better retail history for game ports, yet most companies can't financially justify the ports.

    "I never once said they should do it for free. I don't expect things like that from game companies."

    But would they be able to recover the cost of porting, especially when they make claims of having a very large percentage of original code, and most of that code was written in C++ using MS VC++ (with probably very little regard to portability)? If their estimates say they won't make the money back, then they're essentially doing it for free. In fact, they'd probably be better off giving away the Linux binaries and telling you to buy Windows copies to get the art and CD Key, then getting an idea of the number of Linux clients through surveys and online stats.

    "As far as fixing wine, that might take a precious hour or two away from their team."

    Except that their teams aren't made up of API hackers, they're people that were generally hired for game programming experience.

    "Or they could have told people roughly how VAC would work client-side so the wine team and contributors could work around it."

    Which makes me wonder, if wine could work around VAC, would that give more people a way to get around VAC (in the malicious sense) when running Windows clients? Perhaps wine doesn't work with VAC simply because it isn't Windows, because the environment is not that in which the game was meant to be run?

    --
    -PainKilleR-[CE]

  5. Re:Not good enough by sevensharpnine · Score: 2, Interesting

    "Making the UI is another matter. DX9 ports poorly (as in - not at all)."

    Half-Life doesn't use DX9; it uses DX6. Furthermore, the game has a very complete OpenGL renderer. Porting it would still take some work, I'm sure, but it's not like they would have to re-write it. And for the record, I'm neither "inanely biased" nor "out of touch with reality". I simply have the rare and mystical ability to see through the PR hype and their "community support." But who cares, eh? Pretty movies make all ok.

    --
    "God is a comedian playing to an audience too afraid to laugh." -Voltaire