CVE-2017-11721

Name	CVE-2017-11721
Description	Buffer overflow in ioquake3 before 2017-08-02 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted packet.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References	DSA-3941-1, DSA-3948-1
NVD severity	high
Debian Bugs	870725, 870811

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ioquake3 (PTS)	stretch (security), stretch	1.36+u20161101+dfsg1-2+deb9u1	fixed
	buster	1.36+u20181222.e5da13f~dfsg-2	fixed
	bullseye, sid	1.36+u20201117.d1b7ab6~dfsg-1	fixed
iortcw (PTS)	buster/contrib	1.51.b+dfsg1-3	fixed
	sid/contrib, bullseye/contrib	1.51.c+dfsg1-3	fixed
	stretch/contrib (security), stretch/contrib	1.50a+dfsg1-3+deb9u1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
ioquake3	source	wheezy	(unfixed)	end-of-life
ioquake3	source	jessie	1.36+u20140802+gca9eebb-2+deb8u2		DSA-3948-1
ioquake3	source	stretch	1.36+u20161101+dfsg1-2+deb9u1		DSA-3948-1
ioquake3	source	(unstable)	1.36+u20170803+dfsg1-1			870725
iortcw	source	stretch	1.50a+dfsg1-3+deb9u1		DSA-3941-1
iortcw	source	(unstable)	1.51+dfsg1-3			870811

Notes

[wheezy] - ioquake3 <end-of-life> (games are not supported in Wheezy)
https://github.com/ioquake/ioq3/commit/d2b1d124d4055c2fcbe5126863487c52fd58cca1
https://github.com/iortcw/iortcw/commit/260c39a29af517a08b3ee1a0e78ad654bdd70934
Also affects openjk (only in experimental; fixed in 0~20170718+dfsg1-2