CVE-2017-6903

Name	CVE-2017-6903
Description	In ioquake3 before 2017-03-14, the auto-downloading feature has insufficient content restrictions. This also affects Quake III Arena, OpenArena, OpenJK, iortcw, and other id Tech 3 (aka Quake 3 engine) forks. A malicious auto-downloaded file can trigger loading of crafted auto-downloaded files as native code DLLs. A malicious auto-downloaded file can contain configuration defaults that override the user's. Executable bytecode in a malicious auto-downloaded file can set configuration variables to values that will result in unwanted native code DLLs being loaded, resulting in sandbox escape.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
References	DSA-3812-1
Debian Bugs	857699, 857714

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ioquake3 (PTS)	buster	1.36+u20181222.e5da13f~dfsg-2	fixed
	bullseye	1.36+u20201117.d1b7ab6~dfsg-1	fixed
	bookworm, sid	1.36+u20221123.70d07d9+dfsg-1	fixed
iortcw (PTS)	buster/contrib	1.51.b+dfsg1-3	fixed
	bullseye/contrib	1.51.c+dfsg1-3	fixed
	sid/contrib, bookworm/contrib	1.51.c+dfsg1-4	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
ioquake3	source	wheezy	(unfixed)	end-of-life
ioquake3	source	jessie	1.36+u20140802+gca9eebb-2+deb8u1		DSA-3812-1
ioquake3	source	(unstable)	1.36+u20161101+dfsg1-2			857699
iortcw	source	(unstable)	1.50a+dfsg1-3			857714

Notes

[wheezy] - ioquake3 <end-of-life> (Not supported in Wheezy LTS)
https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/
Also affects openjk (only in experimental; bug #857715)