CVE-2017-6903 Affecting ioquake3 package, versions <1.36+u20161101+dfsg1-2


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.22% (61st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIAN11-IOQUAKE3-516915
  • published14 Mar 2017
  • disclosed14 Mar 2017

Introduced: 14 Mar 2017

CVE-2017-6903  (opens in a new tab)

How to fix?

Upgrade Debian:11 ioquake3 to version 1.36+u20161101+dfsg1-2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream ioquake3 package and not the ioquake3 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

In ioquake3 before 2017-03-14, the auto-downloading feature has insufficient content restrictions. This also affects Quake III Arena, OpenArena, OpenJK, iortcw, and other id Tech 3 (aka Quake 3 engine) forks. A malicious auto-downloaded file can trigger loading of crafted auto-downloaded files as native code DLLs. A malicious auto-downloaded file can contain configuration defaults that override the user's. Executable bytecode in a malicious auto-downloaded file can set configuration variables to values that will result in unwanted native code DLLs being loaded, resulting in sandbox escape.