http://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/

Looks like ioquake3 had a bug where pk3 files from remote servers could get loaded as libraries... This could mean un-elevated remote code execution.

Commit where it is fixed: https://github.com/ioquake/ioq3/commit/376267d534476a875d8b9228149c4ee18b74a4fd
I'm working on it.
A commit references this bug:

Author: kami
Date: Fri Apr 7 14:26:14 UTC 2017
New revision: 437926
URL: https://svnweb.freebsd.org/changeset/ports/437926

Log:
  security/vuxml: Add id Tech 3 remote code execution

  PR: 217911
  Reviewed by: delphij, #ports_secteam
  Approved by: delphij, #ports_secteam
  Security: CVE-2017-6903
  Differential Revision: https://reviews.freebsd.org/D10244

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: kami
Date: Thu May 18 20:31:05 UTC 2017
New revision: 441198
URL: https://svnweb.freebsd.org/changeset/ports/441198

Log:
  games/ioquake3-devel: Remove in favour of ioquake3

  Upstream requested us to point games/ioquake3 to github master, making
  this port obsolete.

  PR: 217911
  Reviewed by: miwi
  Approved by: miwi (mentor)
  MFH: 2017Q2
  Security: CVE-2017-6903
  Security: e48355d7-1548-11e7-8611-0090f5f2f347
  Differential Revision: https://reviews.freebsd.org/D10172

Changes:
  head/games/Makefile
  head/games/ioquake3-devel/
  head/games/ioquake3-devel-server/
A commit references this bug:

Author: kami
Date: Thu May 18 20:59:00 UTC 2017
New revision: 441199
URL: https://svnweb.freebsd.org/changeset/ports/441199

Log:
  games/openarena: Fix CVE-2017-6903

  - Backport fix based on patchset for urbanterror [1]

  [1] https://github.com/Barbatos/ioq3-for-UrbanTerror-4/pull/73

  PR: 217911
  Submitted by: miwi
  Approved by: miwi (mentor)
  MFH: 2017Q2
  Security: CVE-2017-6903
  Security: e48355d7-1548-11e7-8611-0090f5f2f347
  Differential Revision: https://reviews.freebsd.org/D10176

Changes:
  head/games/openarena/Makefile
  head/games/openarena/files/patch-code_botlib_be__aas__route.c
  head/games/openarena/files/patch-code_client_cl__console.c
  head/games/openarena/files/patch-code_client_cl__curl.c
  head/games/openarena/files/patch-code_client_cl__parse.c
  head/games/openarena/files/patch-code_client_snd__openal.c
  head/games/openarena/files/patch-code_qcommon_common.c
  head/games/openarena/files/patch-code_qcommon_files.c
  head/games/openarena/files/patch-code_qcommon_q__shared.c
  head/games/openarena/files/patch-code_qcommon_qcommon.h
  head/games/openarena/files/patch-code_qcommon_vm__x86.c
  head/games/openarena/pkg-message
This is solved now?
^Triage: submitter timeout (> 1 year).
^Triage: Assign to committer that resolved