CVE-2011-3012
EPSS 8.2%
Description
The ioQuake3 engine, as used in World of Padman 1.2 and earlier, Tremulous 1.1.0, and ioUrbanTerror 2007-12-20, does not check for dangerous file extensions before writing to the quake3 directory, which allows remote attackers to execute arbitrary code via a crafted third-party addon that creates a Trojan horse DLL file, a different vulnerability than CVE-2011-2764.
How to fix CVE-2011-3012
To remediate CVE-2011-3012, upgrade the affected package to one of the fixed versions listed below.
- Debian/ioquake3: upgrade to 1.36+svn1946-4 or later
- Debian/openarena: upgrade to 0.8.5-5+exp1 or later
Is CVE-2011-3012 being exploited?
Moderate: EPSS is 8.2%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (2)
- Debian/ioquake3: from 0, < 1.36+svn1946-4
- Debian/openarena: from 0, < 0.8.5-5+exp1