Ioquake3 Pushes Out Important Security Update
All of those running ioquake3-powered games are encouraged to update their engine installation as soon as possible.
The developers behind this popular fork of the open-source id Tech 3 engine code have pushed a "large security fix" and all users are encouraged to upgrade prior to connecting to any online servers. Unfortunately, ioquake3 currently doesn't have any auto-update system to make it easy to roll out game engine updates.
The fix stops the engine from loading any DLLs whose file names end with the .pk3 extension, PK3 being the container format used by the ioquake3 engine. It also stops user configuration files (such as autoexec.cfg or q3config.cfg) from being loaded out of PK3 container files. The DLL change is Windows-specific, but the configuration file change affects all supported platforms.
A bad actor could cause issues by passing off a custom-crafted DLL as a PK3 container file for a game mod or similar, or by getting a specially crafted configuration file loaded on the system. Confirmation of the importance of switching to the latest ioquake3 test build can be found at ioquake3.org. Unfortunately, with many ioquake3 games not being well maintained and the engine lacking an auto-update system at this time, users will need to be vigilant.
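For anyone auditing an existing install, the following added example (not from the article or the ioquake3 project) flags .pk3 files that start with a Windows PE header or are not ZIP archives, and archives that carry autoexec.cfg or q3config.cfg. It assumes PK3 files are ordinary ZIP archives and matches the config names by base name at any depth; the function names and sample data are constructed for illustration.

```python
import io
import os
import zipfile

# Config names the article says must no longer be read from PK3 containers.
BLOCKED_CONFIGS = {"autoexec.cfg", "q3config.cfg"}


def classify_pk3(data):
    """Return findings for the bytes of one *.pk3 file; empty list means clean."""
    findings = []
    if data[:2] == b"MZ":
        findings.append("pe-header")  # Windows PE image (DLL/EXE) magic
    stream = io.BytesIO(data)
    if not zipfile.is_zipfile(stream):
        findings.append("not-zip")  # a genuine PK3 is a ZIP archive
        return findings
    with zipfile.ZipFile(stream) as archive:
        for member in archive.namelist():
            base = member.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if base in BLOCKED_CONFIGS:
                findings.append("config:" + member)
    return findings


def scan_tree(root):
    """Map each suspicious *.pk3 path under root to its findings."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".pk3"):
                path = os.path.join(folder, name)
                with open(path, "rb") as handle:
                    findings = classify_pk3(handle.read())
                if findings:
                    report[path] = findings
    return report


def make_pk3(members):
    """Build constructed sample PK3 bytes from {member_name: content}."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for member, content in members.items():
            archive.writestr(member, content)
    return buffer.getvalue()


if __name__ == "__main__":
    print(classify_pk3(make_pk3({"maps/demo.bsp": b"constructed"})))
    print(classify_pk3(make_pk3({"autoexec.cfg": b"// constructed"})))
    print(classify_pk3(b"MZ" + b"\x00" * 64))
```

Point scan_tree at the game's install and home directories; an empty result means no .pk3 file there matched either pattern.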