Counter-Strike News

Counter-Strike 1.6 updates released

This list covers the releases between March 20 and April 11 that are each part of a series of security updates.

Larger changes:
  • Added privilege checking to command execution. Commands originating outside of the client are now only able to execute commands that are considered to be safe. Commands such as 'connect', 'bind', 'quit' and certain cvars such as 'cl_filterstuffcmd' are now only executable by trusted sources.
  • Setting 'cl_filterstuffcmd' to a value greater than zero (e.g. 'cl_filterstuffcmd 1') will set a number of commands that are potentially abusable, such as 'say', 'fps_max', and 'setinfo', to also be only executable by privileged sources.
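
The privilege check described in the two items above, sketched as an added example; this is not Valve's code. The function names, the case-insensitive matching and the simplified tokenizer are assumptions. It goes slightly beyond the text by also splitting on ';' and newline, so that a restricted command cannot hide behind an allowed one.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Names come from the release notes; the engine's full lists are not on the page. */
static const char *PRIVILEGED[] = { "connect", "bind", "quit", "cl_filterstuffcmd", NULL };
static const char *FILTERED[]   = { "say", "fps_max", "setinfo", NULL };

static bool in_list(const char *s, size_t len, const char **list) { /* case-insensitive */
    for (; *list; list++) {
        size_t i = 0;
        while (i < len && (*list)[i] && tolower((unsigned char)s[i]) == (*list)[i]) i++;
        if (i == len && (*list)[i] == '\0') return true;
    }
    return false;
}

/* Hypothetical helper: decide one command by its first token (the command name). */
static bool command_allowed(const char *cmd, size_t len, bool trusted, int filterstuffcmd) {
    size_t s = 0, e;
    if (trusted) return true;                          /* local console or config */
    while (s < len && isspace((unsigned char)cmd[s])) s++;
    bool q = s < len && cmd[s] == '"';                 /* name may be quoted: "quit" */
    if (q) s++;
    for (e = s; e < len && (q ? cmd[e] != '"' : !isspace((unsigned char)cmd[e])); e++) {}
    if (in_list(cmd + s, e - s, PRIVILEGED)) return false;
    return !(filterstuffcmd > 0 && in_list(cmd + s, e - s, FILTERED));
}

/* Split on ';' and newline outside double quotes; return how many commands were blocked. */
int count_blocked(const char *text, bool trusted, int filterstuffcmd) {
    int blocked = 0;
    bool quoted = false;
    size_t start = 0, n = strlen(text);
    for (size_t i = 0; i <= n; i++) {
        if (i < n && text[i] == '"') quoted = !quoted;
        if (i < n && (quoted || (text[i] != ';' && text[i] != '\n'))) continue;
        if (!command_allowed(text + start, i - start, trusted, filterstuffcmd)) blocked++;
        start = i + 1;
    }
    return blocked;
}

int main(void) {
    const char *stuffed = "echo hi; bind w \"say a;b\"\nSAY hello;\"quit\""; /* constructed */
    printf("%d %d\n", count_blocked(stuffed, false, 0), count_blocked(stuffed, false, 1));
    return 0;
}
```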


Fixes:
  • Fixed client incorrectly blocking download of custom sprays


Security fixes:
  • All custom resources downloaded from a server now have their file names checked for safety before being allowed to download
  • Invalid file extensions are now prevented in several commands
  • Dynamic libraries are no longer searched for in custom resource directories
  • Added additional file extensions to custom resource blocked extensions list
  • Fixed buffer overflow in message delta parsing
  • Fixed RCE in weapon message handling
  • Fixed RCE in model loading
  • Fixed buffer overflows in TGA and BMP loading
  • Fixed buffer overflow in demo playback
  • Fixed buffer overflows in model name loading
  • Fixed buffer overflow in detail texture loading
  • Fixed buffer overflow in console map listing
  • Fixed command chaining in cvars that specified config files to be passed to the 'exec' command

Counter-Strike 1.6 update released

A small update for Counter-Strike is now available:

Engine
  • Fixed bug in skybox image loading
  • Fixed bug in demo command processing
  • Prevent certain path characters from being used in commands
  • Enforce certain extensions be used for files specified in some commands

Counter-Strike 1.6 update released


We have updated the public release of Counter-Strike 1.6.

Changes in this update are:
  • Fixed crash when entering certain malformed strings into the game console. Thanks to Marshal Webb from BackConnect, Inc for reporting this.
  • Fixed crash when loading a specially crafted malformed BSP file. Thanks to Grant Hernandez (@Digital_Cold) for reporting this.
  • Fixed malformed SAV files allowing arbitrary files to be written into the game folder. Thanks to Vsevolod Saj for reporting this.
  • Fixed a crash when quickly changing weapons that are consumable. Thanks to Sam Vanheer for reporting this.
  • Fixed crash when setting custom decals
  • Make sure the Close button has keyboard focus when you see the disconnection dialog
  • Disable showing of popup html windows
  • Made the play command obey speak_enabled cvar
  • Fixed being unable to pick up a primary weapon if an ammo box object had previously stripped you of items
  • Fixed room type not being updated on map change/connect
  • Fixed out of date information showing in the scoreboard after level change or changing servers
  • Fixed the spectator UI to not show a placeholder name when initially shown
  • Fixed sprays not loading from the correct path causing them not to update
  • Fixed the Condition Zero tours UI to display the tour number correctly when you have more than 9 entries
  • Fixed crash if you issued a changelevel command on a local server while certain UI elements were visible

GoldSrc Dedicated Server Update Released


Updates to the GoldSrc Dedicated Server have been released. The updates will be applied automatically when your Steam client is restarted. The major changes include:

  • Added sv_logsecret support
  • Added sv_filetransfermaxsize to limit the size of a file the game server will try to send to a client
  • Added halflife.wad and xeon.wad to the list of files that are not allowed to be downloaded to a client
  • Increased the maximum heap size to 128 MB for the dedicated server; the default is still 40 MB
  • Added sv_allow_dlfile; if it is set to 1 and sv_downloadurl is set, local downloads are still allowed
  • Changed motd_write to only work if the process is running an active server and the command is from the console
  • Prevented several client redirection exploits when connecting to a server
  • Changed "Non-sprite set to glow!\n" debug console output to be dev only