Description: In ioquake3 before 2017-03-14, the auto-downloading feature has insufficient content restrictions. This also affects Quake III Arena, OpenArena, OpenJK, iortcw, and other id Tech 3 (aka Quake 3 engine) forks. A malicious auto-downloaded file can trigger loading of crafted auto-downloaded files as native code DLLs. A malicious auto-downloaded file can contain configuration defaults that override the user's. Executable bytecode in a malicious auto-downloaded file can set configuration variables to values that will result in unwanted native code DLLs being loaded, resulting in sandbox escape.

Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

NVD severity: high (attack range: remote)

Debian Bugs: 857699, 857714

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| ioquake3 (PTS) | jessie (security), jessie | 1.36+u20140802+gca9eebb-2+deb8u2 | fixed |
| | stretch (security), stretch | 1.36+u20161101+dfsg1-2+deb9u1 | fixed |
| | buster, sid | 1.36+u20180828.29db640~dfsg-1 | fixed |
| iortcw (PTS) | stretch/contrib (security), stretch/contrib | 1.50a+dfsg1-3+deb9u1 | fixed |
| | buster/contrib, sid/contrib | 1.51.b+dfsg1-3 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|


[wheezy] - ioquake3 <end-of-life> (Not supported in Wheezy LTS)
Also affects openjk (only in experimental; bug #857715)
