ezquake-source
BUG: security: remote code execution (RCE) bug in clients < 3.6.4
@dsvensson posted a video revealing that there is a remote code execution bug in ktx and ezquake.
See: https://www.youtube.com/watch?v=fho21K9EOCk
The release notes (https://github.com/QW-Group/ezquake-source/releases/tag/3.6.4) do briefly mention: "DOWNLOAD: Harmonize download filter (dsvensson)". The description in the YouTube video states, "The 3.6.4 release uses the same filter as other types of downloads so that's one step in the right direction".
This was poorly handled. It is not clear from the release notes that there is a security concern at all. This would make it easier for downstream maintainers like @tdm4 and for users to understand that it is important to upgrade.
- What is this bug? Can a malicious server admin force a shared object file to download and execute arbitrary code as shown in the video?
- What versions of ezquake / mvdsv / ktx are affected by this bug?