> [Suggested description]
> In ioquake3 before 2017-03-14, the auto-downloading feature
> has insufficient content restrictions.
> This also affects Quake III Arena, OpenArena, OpenJK, iortcw, and
> other id Tech 3 (aka Quake 3 engine) forks.
> A malicious auto-downloaded file can trigger loading of crafted
> auto-downloaded files as native code DLLs.
> A malicious auto-downloaded file can contain configuration defaults
> that override the user's.
> Executable bytecode in a malicious auto-downloaded file can set
> configuration variables to values that will result in unwanted native
> code DLLs being loaded, resulting in sandbox escape.
>
> ------------------------------------------
>
> [Additional Information]
> The ioquake3 maintainers recommend not enabling auto-downloading, but
> this recommendation has not so far been sufficiently strong that they
> have removed the relevant feature.
>
> It is unclear whether the QVM bytecode interpreter is intended to be a
> security/sandboxing feature, or just a portability mechanism. The
> ioquake3 maintainers do not recommend treating it as a security
> feature, but they typically treat concrete examples of arbitrary code
> execution as security vulnerabilities anyway.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Insufficiently careful handling of auto-downloaded content, similar to CWE-494
>
> ------------------------------------------
>
> [Vendor of Product]
> Originally: id Software. De facto maintainers: ioquake3.org community.
> Downstream vendors: Debian, Fedora, Ubuntu etc.; OpenArena, OpenJK,
> iortcw, etc.
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Quake III Arena, ioquake3, OpenArena, OpenJK, iortcw, probably all
> other idTech3 (Quake 3 engine) forks - all prior to 2017-03-14
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Connect to a malicious game server, or connect to a non-malicious game
> server in the presence of a malicious man-in-the-middle
>
> ------------------------------------------
>
> [Reference]
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857699
> https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/
> https://github.com/ioquake/ioq3/commit/376267d534476a875d8b9228149c4ee18b74a4fd
> https://github.com/ioquake/ioq3/commit/f61fe5f6a0419ef4a88d46a128052f2e8352e85d
> https://github.com/ioquake/ioq3/commit/b173ac05993f634a42be3d3535e1b158de0c3372
> https://github.com/JACoders/OpenJK/commit/8956a35e7b91c4a0dd1fa6db1d28c7f0efbab2d7
> https://github.com/iortcw/iortcw/commit/b6ff2bcb1e4e6976d61e316175c6d7c99860fe20
> https://github.com/iortcw/iortcw/commit/b248763e4878ef12d5835ece6600be8334f67da1
> https://github.com/iortcw/iortcw/commit/11a83410153756ae350a82ed41b08d128ff7f998
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Victor Roemer <vroe...@badsec.org>

Use CVE-2017-6903.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
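
A defensive audit of already-downloaded .pk3 files for the two content classes the description names (native code and configuration files), as an added example that is not ioquake3 code or part of the original message. The config file names, extension list and function names are assumptions, and the sample archive is constructed.

```python
import io
import zipfile

# Assumption: the advisory names no files; these are the config file names
# id Tech 3 clients conventionally execute at startup.
CONFIG_NAMES = {"default.cfg", "autoexec.cfg", "q3config.cfg"}
NATIVE_EXTS = (".dll", ".so", ".dylib")
# Leading bytes of PE, ELF and 64-bit Mach-O files.
NATIVE_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe")


def audit_pk3(data: bytes) -> list[str]:
    """Return findings for one downloaded .pk3 (a zip archive) given as bytes."""
    findings = []
    # Game content should look like a zip from its first byte onward.
    if data.startswith(NATIVE_MAGIC):
        findings.append("file starts with native-code magic")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.is_dir():
                    continue
                name = info.filename.lower()
                if name.rsplit("/", 1)[-1] in CONFIG_NAMES:
                    findings.append(f"config file: {info.filename}")
                # Read only the first bytes so a huge entry is never inflated.
                with archive.open(info) as member:
                    head = member.read(4)
                if name.endswith(NATIVE_EXTS) or head.startswith(NATIVE_MAGIC):
                    findings.append(f"native library: {info.filename}")
    except zipfile.BadZipFile:
        findings.append("not a valid zip archive")
    return findings


def make_pk3(entries: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_pk3({"maps/demo.bsp": b"IBSP", "autoexec.cfg": b"// constructed"})
    for finding in audit_pk3(sample):
        print(finding)
```

Any finding on a file that arrived through auto-download is a reason to remove it and confirm the client is at or after the 2017-03-14 fixes listed in the references.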