Bug 1432534 (CVE-2017-6903)

Summary: CVE-2017-6903 quake3: Auto-downloaded .pk3 files can be loaded
Product: [Other] Security Response
Component: vulnerability
Reporter: Andrej Nemec <anemec>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
CC: gwync, jlayton, lxtnow, sanjay.ankur, walter.pete
Keywords: Security
Hardware: All
OS: Linux
Last Closed: 2019-06-08 03:08:59 UTC
Bug Depends On: 1432535, 1432536, 1432537

Description Andrej Nemec 2017-03-15 15:22:14 UTC
In ioquake3, the auto-downloading feature has insufficient content restrictions. This also affects Quake III Arena, OpenArena, OpenJK, iortcw, and other id Tech 3 (aka Quake 3 engine) forks. A malicious auto-downloaded file can trigger loading of crafted auto-downloaded files as native code DLLs. A malicious auto-downloaded file can contain configuration defaults that override the user's. Executable bytecode in a malicious auto-downloaded file can set configuration variables to values that will result in unwanted native code DLLs being loaded, resulting in sandbox escape.

References:

https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857699

Upstream patch:

https://github.com/ioquake/ioq3/commit/376267d534476a875d8b9228149c4ee18b74a4fd
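
A defender-side audit for the conditions the description names (downloaded .pk3 files that carry native-code headers or bundle configuration files), as an added example that is not part of this bug report or of the upstream patch. The names `audit_pk3` and `make_zip`, the extension lists and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Leading magic bytes of native executable formats.
NATIVE_MAGIC = {
    b"MZ": "PE (Windows DLL/EXE)",
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal",
}
# Assumption: member extensions this audit reports; adjust to local policy.
CONFIG_EXT = (".cfg",)
NATIVE_EXT = (".dll", ".so", ".dylib")

def audit_pk3(name, data):
    """Return findings for one downloaded .pk3 supplied as bytes."""
    findings = [f"{name}: starts with {kind} header"
                for magic, kind in NATIVE_MAGIC.items() if data.startswith(magic)]
    # zipfile locates the directory from the end of the file, so this check
    # alone still passes when native-code headers precede the archive data.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings + [f"{name}: not a zip archive"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            if member.lower().endswith(CONFIG_EXT):
                findings.append(f"{name}: contains config file {member}")
            elif member.lower().endswith(NATIVE_EXT):
                findings.append(f"{name}: contains native library {member}")
    return findings

def make_zip(members):
    """Build an in-memory zip from {path: bytes}; used for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in members.items():
            zf.writestr(path, body)
    return buf.getvalue()

# Constructed samples, not real game data.
SAMPLES = {
    "clean.pk3": make_zip({"maps/demo.bsp": b"constructed"}),
    "cfg.pk3": make_zip({"default.cfg": b"// constructed"}),
    "native.pk3": b"MZ" + b"\0" * 62 + make_zip({"vm/ui.qvm": b"constructed"}),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(audit_pk3(name, data) or [f"{name}: ok"])
```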

Comment 1 Andrej Nemec 2017-03-15 15:22:43 UTC
Created openarena tracking bugs for this issue:

Affects: epel-7 [bug 1432536]
Affects: fedora-all [bug 1432537]


Created quake3 tracking bugs for this issue:

Affects: fedora-all [bug 1432535]

Comment 2 Product Security DevOps Team 2019-06-08 03:08:59 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.