Bug#857699: CVE Request 306054 for CVE ID Request

2017-03-14 Thread CVE Request
Thank you for your submission. It will be reviewed by a CVE Assignment Team 
member.


Changes, additions, or updates to your request can be sent to the CVE Team by 
replying directly to this email.

Please do not change the subject line, which allows us to effectively track 
your request.

CVE Assignment Team 
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA 
[A PGP key is available for encrypted communications at 
http://cve.mitre.org/cve/request_id.html]

{CMI: MCID810430}

Bug#857699: [scr306054] idTech3 (Quake 3 engine) forks - all prior to 2017-03-14

2017-03-14 Thread cve-request
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> [Suggested description]
> In ioquake3 before 2017-03-14, the auto-downloading feature
> has insufficient content restrictions.
> This also affects Quake III Arena, OpenArena, OpenJK, iortcw, and
> other id Tech 3 (aka Quake 3 engine) forks.
> A malicious auto-downloaded file can trigger loading of crafted
> auto-downloaded files as native code DLLs.
> A malicious auto-downloaded file can contain configuration defaults
> that override the user's.
> Executable bytecode in a malicious auto-downloaded file can set
> configuration variables to values that will result in unwanted native
> code DLLs being loaded, resulting in sandbox escape.
> 
> --
> 
> [Additional Information]
> The ioquake3 maintainers recommend not enabling auto-downloading, but
> this recommendation has not so far been sufficiently strong that they
> have removed the relevant feature.
> 
> It is unclear whether the QVM bytecode interpreter is intended to be a
> security/sandboxing feature, or just a portability mechanism. The
> ioquake3 maintainers do not recommend treating it as a security
> feature, but they typically treat concrete examples of arbitrary code
> execution as security vulnerabilities anyway.
> 
> --
> 
> [VulnerabilityType Other]
> Insufficiently careful handling of auto-downloaded content, similar to CWE-494
> 
> --
> 
> [Vendor of Product]
> Originally: id Software. De facto maintainers: ioquake3.org community.
> Downstream vendors: Debian, Fedora, Ubuntu etc.; OpenArena, OpenJK,
> iortcw, etc.
> 
> --
> 
> [Affected Product Code Base]
> Quake III Arena, ioquake3, OpenArena, OpenJK, iortcw, probably all
> other idTech3 (Quake 3 engine) forks - all prior to 2017-03-14
> 
> --
> 
> [Attack Type]
> Remote
> 
> --
> 
> [Impact Code execution]
> true
> 
> --
> 
> [Attack Vectors]
> Connect to a malicious game server, or connect to a non-malicious game
> server in the presence of a malicious man-in-the-middle
> 
> --
> 
> [Reference]
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857699
> https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/
> https://github.com/ioquake/ioq3/commit/376267d534476a875d8b9228149c4ee18b74a4fd
> https://github.com/ioquake/ioq3/commit/f61fe5f6a0419ef4a88d46a128052f2e8352e85d
> https://github.com/ioquake/ioq3/commit/b173ac05993f634a42be3d3535e1b158de0c3372
> https://github.com/JACoders/OpenJK/commit/8956a35e7b91c4a0dd1fa6db1d28c7f0efbab2d7
> https://github.com/iortcw/iortcw/commit/b6ff2bcb1e4e6976d61e316175c6d7c99860fe20
> https://github.com/iortcw/iortcw/commit/b248763e4878ef12d5835ece6600be8334f67da1
> https://github.com/iortcw/iortcw/commit/11a83410153756ae350a82ed41b08d128ff7f998
> 
> --
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> --
> 
> [Discoverer]
> Victor Roemer 

Use CVE-2017-6903.


--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
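As an added example (not code from the report, from ioquake3, or from any fork, and not the fix the referenced commits apply), a small Python scanner for auto-downloaded pak files that addresses the CWE-494 point above from the defender's side: it accepts only a bare `name.pk3` as a download name and flags pak entries that carry the hazards the report describes (native libraries, config files that could override the user's settings, and traversal paths). The sample archives are constructed inline; the `cgamex86.dll` entry name follows ioquake3's native-module naming convention as assumed here.

```python
"""Defensive scanner for auto-downloaded id Tech 3 pak files (.pk3 is a zip)."""
import io
import re
import zipfile

NATIVE_SUFFIXES = (".dll", ".so", ".dylib")  # native code an engine could load instead of a QVM
CONFIG_SUFFIXES = (".cfg",)                  # config files whose defaults can override the user's
SAFE_PK3_NAME = re.compile(r"[A-Za-z0-9_\-]{1,64}\.pk3")  # assumed policy: bare name, .pk3 only


def is_safe_download_name(name: str) -> bool:
    """Accept only a bare 'name.pk3': no directories, no traversal, no other extension."""
    return SAFE_PK3_NAME.fullmatch(name) is not None


def scan_pk3(data: bytes) -> list[str]:
    """Return findings for one downloaded pak; an empty list means nothing was flagged."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    for entry in archive.namelist():
        lower = entry.lower()
        if entry.startswith("/") or ".." in entry.split("/") or "\\" in entry:
            findings.append(f"path traversal: {entry}")
        if lower.endswith(NATIVE_SUFFIXES):
            findings.append(f"native library: {entry}")
        if lower.endswith(CONFIG_SUFFIXES):
            findings.append(f"config override: {entry}")
    return findings


def build_pk3(entries: dict[str, bytes]) -> bytes:
    """Construct an in-memory pk3 from {path: content} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for path, content in entries.items():
            archive.writestr(path, content)
    return buf.getvalue()


# Constructed samples: a benign map pak, and a pak carrying the hazards named in the report.
BENIGN_PK3 = build_pk3({"maps/q3dm1.bsp": b"IBSP", "scripts/q3dm1.arena": b"{}"})
MALICIOUS_PK3 = build_pk3({
    "cgamex86.dll": b"MZ",                       # native module (assumed ioquake3 naming)
    "autoexec.cfg": b'seta name "constructed"',  # config default shipped inside the pak
    "../evil.txt": b"",                          # traversal outside the game directory
})

if __name__ == "__main__":
    print("benign:", scan_pk3(BENIGN_PK3))
    print("malicious:", scan_pk3(MALICIOUS_PK3))
```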