
BUG: security: remote code execution (RCE) bug in clients < 3.6.4

Open namtsui opened this issue 8 months ago • 5 comments

@dsvensson posted a video revealing that there is a remote code execution bug in ktx and ezquake.

See: https://www.youtube.com/watch?v=fho21K9EOCk

The release notes (https://github.com/QW-Group/ezquake-source/releases/tag/3.6.4) do briefly mention: "DOWNLOAD: Harmonize download filter (dsvensson)". The description in the YouTube video states: "The 3.6.4 release uses the same filter as other types of downloads so that's one step in the right direction."

This was poorly handled. It is not clear from the release notes that there is a security concern at all. This would make it easier for downstream maintainers like @tdm4 and for users to understand that it is important to upgrade.

  • What is this bug? Can a malicious server admin force a shared object file to download and execute arbitrary code as shown in the video?
  • What versions of ezquake / mvdsv / ktx are affected by this bug?

namtsui · Nov 01 '23 05:11