CVE-2017-6903

Source
https://cve.org/CVERecord?id=CVE-2017-6903
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-6903.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2017-6903
Downstream
Published
2017-03-14T22:59:01.257Z
Modified
2026-02-10T15:36:48.956055Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

In ioquake3 before 2017-03-14, the auto-downloading feature has insufficient content restrictions. This also affects Quake III Arena, OpenArena, OpenJK, iortcw, and other id Tech 3 (aka Quake 3 engine) forks. A malicious auto-downloaded file can trigger loading of crafted auto-downloaded files as native code DLLs. A malicious auto-downloaded file can contain configuration defaults that override the user's. Executable bytecode in a malicious auto-downloaded file can set configuration variables to values that will result in unwanted native code DLLs being loaded, resulting in sandbox escape.

References

Affected packages

Git / github.com/jacoders/openjk

Affected ranges

Type
GIT
Repo
https://github.com/jacoders/openjk
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Database specific

vanir_signatures
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-6903.json"