Ioquake3 Pushes Out Important Security Update

Written by Michael Larabel in Linux Gaming on 13 March 2017 at 09:17 PM EDT. 3 Comments
LINUX GAMING
All of those running ioquake3-powered games are encouraged to update their engine installation as soon as possible.

The developers behind this popular fork of the open-source id Tech 3 engine code have pushed a "large security fix" and all users are encouraged to upgrade prior to connecting to any online servers. Unfortunately, ioquake3 currently doesn't have any auto-update system to make it easy to roll out game engine updates.

The security fix is about not loading any DLLs that end with the PK3 extension, the container format used by the ioquake3 engine. This fix also is about not loading any user configuration files (such as autoexec.cfg or q3config.cfg) from PK3 container files. Obviously the DLL change is Windows-specific but the configuration file change would affect all supported platforms.

Any bad actors loading their own custom-crafted DLL files by posing as a PK3 container file for a game mod or so, could cause issues, as well as causing any issues by a specially crafted configuration file to load on the system. Confirmation of the importance of switching to the latest ioquake3 test build can be found by visiting ioquake3.org. Unfortunately with many ioquake3 games not being well maintained and the engine not having an auto-update system at this time, users will need to be vigilant.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week