In ioquake3 before 2017-03-14, the auto-downloading feature has insufficient restrictions on the content of downloaded files. This also affects Quake III Arena, OpenArena, OpenJK, iortcw, and other id Tech 3 (aka Quake 3 engine) forks. A malicious auto-downloaded file can trigger loading of crafted auto-downloaded files as native code DLLs. A malicious auto-downloaded file can contain configuration defaults that override the user's own settings. Executable bytecode in a malicious auto-downloaded file can set configuration variables to values that cause unwanted native code DLLs to be loaded, resulting in sandbox escape.
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6903.json"
[
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 828.0,
"function_hash": "93675047476134076364831534568477298939"
},
"signature_type": "Function",
"id": "CVE-2017-6903-2b2bff99",
"source": "https://github.com/ioquake/ioq3/commit/376267d534476a875d8b9228149c4ee18b74a4fd",
"target": {
"function": "Sys_LoadDll",
"file": "code/sys/sys_main.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"126578339187641909699610824582341164057",
"171172432515240510232256132159633942053",
"202940276023208095553930184803427253114",
"23322319702966846508829072031980377605",
"307537267813294417451352173827032774415",
"216686619176242074302002024282645070635",
"251027168546510552005134463149247823818",
"292243956832168556530953349001200054380"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2017-6903-3ce85af9",
"source": "https://github.com/ioquake/ioq3/commit/376267d534476a875d8b9228149c4ee18b74a4fd",
"target": {
"file": "code/client/cl_main.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 1407.0,
"function_hash": "156860816226980721641307891143913561275"
},
"signature_type": "Function",
"id": "CVE-2017-6903-4e21c8fd",
"source": "https://github.com/ioquake/ioq3/commit/b173ac05993f634a42be3d3535e1b158de0c3372",
"target": {
"function": "Con_Dump_f",
"file": "code/client/cl_console.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"4809882800629526839772819942684345287",
"281660927999886755969672318878808367578",
"213960479562293650411691124277694515446"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2017-6903-694a0a3e",
"source": "https://github.com/ioquake/ioq3/commit/376267d534476a875d8b9228149c4ee18b74a4fd",
"target": {
"file": "code/sys/sys_main.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 2925.0,
"function_hash": "37249410674601877202048732459561143207"
},
"signature_type": "Function",
"id": "CVE-2017-6903-6b5183f0",
"source": "https://github.com/ioquake/ioq3/commit/376267d534476a875d8b9228149c4ee18b74a4fd",
"target": {
"function": "CL_InitRef",
"file": "code/client/cl_main.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"202551803697669383353911088030735331556",
"32869259132284186141470036419604106356",
"294795087076151396448802632159819089603",
"151573063802375801330180507798636270908",
"328149801008414834742403513929897014983",
"141578027635297550643040624981534825840"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2017-6903-87298127",
"source": "https://github.com/ioquake/ioq3/commit/f61fe5f6a0419ef4a88d46a128052f2e8352e85d",
"target": {
"file": "code/client/snd_openal.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"11267719413432335363271595654432564404",
"31328713115138281736226681247582286830",
"206104564493140232267032650264534885816"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2017-6903-8bd2b537",
"source": "https://github.com/ioquake/ioq3/commit/b173ac05993f634a42be3d3535e1b158de0c3372",
"target": {
"file": "code/qcommon/common.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 295.0,
"function_hash": "102106852092796082823630961794882067462"
},
"signature_type": "Function",
"id": "CVE-2017-6903-a8a36c29",
"source": "https://github.com/ioquake/ioq3/commit/b173ac05993f634a42be3d3535e1b158de0c3372",
"target": {
"function": "Com_WriteConfig_f",
"file": "code/qcommon/common.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"243934222013860946821851271377876121594",
"142397883805406087165485023436852016487",
"164107012220098731528888674720765307991"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2017-6903-b78cdc68",
"source": "https://github.com/ioquake/ioq3/commit/b173ac05993f634a42be3d3535e1b158de0c3372",
"target": {
"file": "code/client/cl_console.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 6002.0,
"function_hash": "303965804422126025456925044375939568659"
},
"signature_type": "Function",
"id": "CVE-2017-6903-c7c1b3e6",
"source": "https://github.com/ioquake/ioq3/commit/f61fe5f6a0419ef4a88d46a128052f2e8352e85d",
"target": {
"function": "S_AL_Init",
"file": "code/client/snd_openal.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"60962053430664049257320901215016840890",
"97376908373937792748208466610628898758",
"234568798636102268738341845862388629119",
"307064807065911141683089286870069943502",
"152712665099883158432954791793024540082",
"289178849914208336998204782652826548004",
"151039376975264012224099835735853561142",
"334337463911085130048427159251641887411"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2017-6903-d2288c0e",
"source": "https://github.com/ioquake/ioq3/commit/376267d534476a875d8b9228149c4ee18b74a4fd",
"target": {
"file": "code/qcommon/files.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 570.0,
"function_hash": "46193990519959768262596960280960233250"
},
"signature_type": "Function",
"id": "CVE-2017-6903-d752b149",
"source": "https://github.com/ioquake/ioq3/commit/376267d534476a875d8b9228149c4ee18b74a4fd",
"target": {
"function": "FS_FOpenFileRead",
"file": "code/qcommon/files.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 8009.0,
"function_hash": "115145299544607205459214636943206186176"
},
"signature_type": "Function",
"id": "CVE-2017-6903-f160b94e",
"source": "https://github.com/ioquake/ioq3/commit/376267d534476a875d8b9228149c4ee18b74a4fd",
"target": {
"function": "CL_Init",
"file": "code/client/cl_main.c"
}
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6903.json"
[
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"11267719413432335363271595654432564404",
"31328713115138281736226681247582286830",
"206104564493140232267032650264534885816"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2017-6903-19e95511",
"source": "https://github.com/iortcw/iortcw/commit/11a83410153756ae350a82ed41b08d128ff7f998",
"target": {
"file": "SP/code/qcommon/common.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 295.0,
"function_hash": "102106852092796082823630961794882067462"
},
"signature_type": "Function",
"id": "CVE-2017-6903-6c5d7c04",
"source": "https://github.com/iortcw/iortcw/commit/11a83410153756ae350a82ed41b08d128ff7f998",
"target": {
"function": "Com_WriteConfig_f",
"file": "SP/code/qcommon/common.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 295.0,
"function_hash": "102106852092796082823630961794882067462"
},
"signature_type": "Function",
"id": "CVE-2017-6903-702cc34b",
"source": "https://github.com/iortcw/iortcw/commit/11a83410153756ae350a82ed41b08d128ff7f998",
"target": {
"function": "Com_WriteConfig_f",
"file": "MP/code/qcommon/common.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 1423.0,
"function_hash": "191124693343110328133250578177586093511"
},
"signature_type": "Function",
"id": "CVE-2017-6903-7061625f",
"source": "https://github.com/iortcw/iortcw/commit/11a83410153756ae350a82ed41b08d128ff7f998",
"target": {
"function": "Con_Dump_f",
"file": "MP/code/client/cl_console.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"243934222013860946821851271377876121594",
"59714264445407122880871326902413788602",
"213324151022431737454776151203871423102"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2017-6903-7ff0138d",
"source": "https://github.com/iortcw/iortcw/commit/11a83410153756ae350a82ed41b08d128ff7f998",
"target": {
"file": "MP/code/client/cl_console.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"11267719413432335363271595654432564404",
"31328713115138281736226681247582286830",
"206104564493140232267032650264534885816"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2017-6903-8f8d35fd",
"source": "https://github.com/iortcw/iortcw/commit/11a83410153756ae350a82ed41b08d128ff7f998",
"target": {
"file": "MP/code/qcommon/common.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 1423.0,
"function_hash": "191124693343110328133250578177586093511"
},
"signature_type": "Function",
"id": "CVE-2017-6903-9d624fbc",
"source": "https://github.com/iortcw/iortcw/commit/11a83410153756ae350a82ed41b08d128ff7f998",
"target": {
"function": "Con_Dump_f",
"file": "SP/code/client/cl_console.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"243934222013860946821851271377876121594",
"59714264445407122880871326902413788602",
"213324151022431737454776151203871423102"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2017-6903-c6db44fa",
"source": "https://github.com/iortcw/iortcw/commit/11a83410153756ae350a82ed41b08d128ff7f998",
"target": {
"file": "SP/code/client/cl_console.c"
}
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6903.json"
[
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"176362247248493069422101516371169951570",
"267743225602174175210512269135232414219",
"149484764009180056304798543936734922627",
"112841397247012668160545621642561799636"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2017-6903-10fe7e30",
"source": "https://github.com/jacoders/openjk/commit/8956a35e7b91c4a0dd1fa6db1d28c7f0efbab2d7",
"target": {
"file": "code/client/cl_main.cpp"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 3929.0,
"function_hash": "21717297228256682207168278021669653075"
},
"signature_type": "Function",
"id": "CVE-2017-6903-2a854892",
"source": "https://github.com/jacoders/openjk/commit/8956a35e7b91c4a0dd1fa6db1d28c7f0efbab2d7",
"target": {
"function": "FS_FOpenFileRead",
"file": "code/qcommon/files.cpp"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 4183.0,
"function_hash": "171830328816457079678893941363564908891"
},
"signature_type": "Function",
"id": "CVE-2017-6903-2b2a9b34",
"source": "https://github.com/jacoders/openjk/commit/8956a35e7b91c4a0dd1fa6db1d28c7f0efbab2d7",
"target": {
"function": "CL_InitRef",
"file": "codemp/client/cl_main.cpp"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 6018.0,
"function_hash": "228464392829941795499046325725772817366"
},
"signature_type": "Function",
"id": "CVE-2017-6903-4a11f7de",
"source": "https://github.com/jacoders/openjk/commit/8956a35e7b91c4a0dd1fa6db1d28c7f0efbab2d7",
"target": {
"function": "FS_FOpenFileRead",
"file": "codemp/qcommon/files.cpp"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"76972429868907647277322864546424387787",
"135900126143763696843836366225127710621",
"84169591344931215290542809132917999758",
"305410307407996548726190620213737600060"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2017-6903-5207caa8",
"source": "https://github.com/jacoders/openjk/commit/8956a35e7b91c4a0dd1fa6db1d28c7f0efbab2d7",
"target": {
"file": "codemp/client/cl_main.cpp"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"230702606391216961425893672221132859074",
"48004005832872369478089860808665847304",
"275361879548646342632536387300084247853",
"164459692824696009525816482141557980916",
"114236728334692188271241945888429475181",
"149223279290409101457464800093122008963",
"176649776652894245216153619615637937906",
"226259492753484702418955351779669077678",
"184604716061794457271090405309916149257",
"101358975300933600782668063351135413135"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2017-6903-53fe70a0",
"source": "https://github.com/jacoders/openjk/commit/8956a35e7b91c4a0dd1fa6db1d28c7f0efbab2d7",
"target": {
"file": "code/qcommon/files.cpp"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 3524.0,
"function_hash": "150614883363422383749233276026177610561"
},
"signature_type": "Function",
"id": "CVE-2017-6903-5d82717e",
"source": "https://github.com/jacoders/openjk/commit/8956a35e7b91c4a0dd1fa6db1d28c7f0efbab2d7",
"target": {
"function": "CL_InitRef",
"file": "code/client/cl_main.cpp"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"108233028480356438228347252172072792281",
"164005218921620612686061964053405067848",
"264354895932889420101670009641660818263",
"85465224602989743850470928772669214363",
"164459692824696009525816482141557980916",
"114236728334692188271241945888429475181",
"149223279290409101457464800093122008963",
"52808737768768176148949751824536742319",
"74956647732786126897531562992224477743",
"105583015490116811426482440640445579536"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2017-6903-8811d578",
"source": "https://github.com/jacoders/openjk/commit/8956a35e7b91c4a0dd1fa6db1d28c7f0efbab2d7",
"target": {
"file": "codemp/qcommon/files.cpp"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 852.0,
"function_hash": "307517336859937888752193736013725350359"
},
"signature_type": "Function",
"id": "CVE-2017-6903-9e4d9b1c",
"source": "https://github.com/jacoders/openjk/commit/8956a35e7b91c4a0dd1fa6db1d28c7f0efbab2d7",
"target": {
"function": "Sys_LoadDll",
"file": "shared/sys/sys_main.cpp"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"94429772185782561203352939928102960614",
"36371185016152582182070514150874148734",
"244888153760604982882309629231966010684"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2017-6903-eba60622",
"source": "https://github.com/jacoders/openjk/commit/8956a35e7b91c4a0dd1fa6db1d28c7f0efbab2d7",
"target": {
"file": "shared/sys/sys_main.cpp"
}
}
]