Important Security Update: Please Update ioquake3 Immediately

Please immediately update ioquake3 to the latest test build before you connect to any online servers. Despite the name, the test builds are in fact way more stable and secure than any release at this time.

In doing so you’ll also receive access to all kinds of other updates and changes that we’ve made since you last installed ioquake3.

Here’s the why:

We recently pushed  a large security fix that prevents malicious actions from multiplayer servers.

Please share this news with any other Quake 3 players you know. It’s on Facebook and Twitter as well. These kinds of exploits are even worse in the regular Quake 3 client, nobody should be using that anymore.

Our Player’s Guide can help new Quake 3 players get started with ioquake3.

Ideally, we would distribute these security fixes automatically, similar to the way browsers like Chrome and Firefox distribute updates. Games on consoles, or in Steam, require updates in order to go online and happen automatically now. This way, we could distribute an update first so that nobody who is online is vulnerable in an ideal scenario.

Right now we don’t have anyone working on that issue, if you are interested in helping us with an auto-update system to be built into our launcher, get in touch.

Until then, please update your test build as often as you can to get the latest security changes.

ioquake3 is an all-volunteer project that needs your help. Check out this page if you’d like to join us in our mission to keep Quake 3 alive.

Our thanks to Victor Roemer for reporting the vulnerability.

If you find a security vulnerability, please e-mail

CVE-2012-3345 symlink attack in ioquake3 >= r1773

ioquake3 [IOQ] is a fork of the Quake III Arena (id Tech 3) game engine,
and has become the de facto upstream for that engine since id Software
ceased to develop it. It is also used (unmodified, modified or forked)
in various open-source and proprietary games including OpenArena [OA],
Reaction [REA], Smokin’ Guns [SGN], Tremulous [TREM], Turtle Arena [TA],
Urban Terror [URT] and World of Padman [WOP].
Access vector: local
Authentication required: local system
Impact: overwrite a file owned by the victim with a predictable integer
Since svn revision 1773, ioquake3 has written its process ID to the file
/tmp/ (or in a world-writeable location) under the
following circumstances:
* running on non-Mac Unix and TMPDIR not set, or set to a
world-writeable location; or
* running on Mac OS and FSFindFolder() for a temporary directory fails
or returns a world-writeable location
On a multi-user system, an attacker could create a symbolic link
/tmp/ pointing to any file owned by a user who plays an
ioquake3-based game. When the victim runs ioquake3, the target file will
be overwritten and replaced with the process ID of ioquake3.
The effect of this attack depends on the file being overwritten: it
could be simple vandalism (destroy one of the victim’s files), or it
could have further security implications if knowledge of the contents of
a target file is used for authentication (in a system similar to
pam_dotfile [DOT], for instance).
For the dedicated server, the process ID is written to,
but the attack is essentially the same. For forks of ioquake3, the
filename will typically include the name of the fork, e.g.
Affected versions
* ioquake3 >= svn r1773
* ioquake3 < svn r2253
* OpenArena 0.8.8
* Reaction beta 1.0
* Smokin’ Guns 1.1
* Tremulous “trunk” >= svn r2125
* Tremulous “gpp” >= svn r2140
* Turtle Arena >= svn r204 (all releases named Turtle Arena)
* World of Padman >= 1.5.2 beta
Unaffected versions
* ioquake3 1.36
* ioquake3 <= svn r1772
* ioquake3 >= svn r2253
* OpenArena <= 0.8.5
* Smokin’ Guns <= 1.1b4
* Tremulous “trunk” <= svn r2124
* Tremulous “gpp” <= svn r2139
* Tremulous GPP1
* Tremulous <= 1.1.0
* Turtle Arena <= svn r203
* TMNT Arena 20091211 (former name of Turtle Arena)
* ioUrbanTerror 2007-12-20 client
* ioUrbanTerror 2007-12-20 server
* World of Padman <= 1.5.0
The attached patches have been reviewed by two ioquake3 maintainers.
Please apply them to affected versions on or after the embargo date.
Patch 0001 fixes the vulnerability by writing the pid file into the
ioquake3 user’s home directory (e.g. ~/.q3a/ for an unmodified
engine with default configuration) instead of the temporary directory.
Patch 0002 is recommended, but not strictly necessary to fix the
vulnerability. It removes the functions to get the temporary directory,
as a precaution against other unsafe uses.