{"id":"UBUNTU-CVE-2011-3012","details":"The ioQuake3 engine, as used in World of Padman 1.2 and earlier, Tremulous 1.1.0, and ioUrbanTerror 2007-12-20, does not check for dangerous file extensions before writing to the quake3 directory, which allows remote attackers to execute arbitrary code via a crafted third-party addon that creates a Trojan horse DLL file, a different vulnerability than CVE-2011-2764.","modified":"2026-05-20T16:03:04.319526224Z","published":"2011-08-09T20:55:00Z","upstream":["CVE-2011-3012"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2011-3012"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2011-3012"}],"affected":[{"package":{"name":"ioquake3","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/ioquake3?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.36+u20150710+dfsg1-1","1.36+u20150926+dfsg1-1","1.36+u20151017+dfsg1-1","1.36+u20160122+dfsg1-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.36+u20160122+dfsg1-1","binary_name":"ioquake3"},{"binary_version":"1.36+u20160122+dfsg1-1","binary_name":"ioquake3-server"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2011/UBUNTU-CVE-2011-3012.json"}},{"package":{"name":"ioquake3","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/ioquake3?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.36+u20170803+dfsg1-1","1.36+u20171016~dfsg-1","1.36+u20171122~dfsg-1","1.36+u20171216~dfsg-1","1.36+u20180108~dfsg-2"],"ecosystem_specific":{"binaries":[{"binary_version":"1.36+u20180108~dfsg-2","binary_name":"ioquake3"},{"binary_version":"1.36+u20180108~dfsg-2","binary_name":"ioquake3-server"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2011/UBUNTU-CVE-2011-3012.json"}},{"package":{"name":"ioquake3","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/ioquake3?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.36+u20190529.350b8f9~dfsg-2","1.36+u20191029.dc0c3e7~dfsg-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.36+u20191029.dc0c3e7~dfsg-1","binary_name":"ioquake3"},{"binary_version":"1.36+u20191029.dc0c3e7~dfsg-1","binary_name":"ioquake3-server"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2011/UBUNTU-CVE-2011-3012.json"}},{"package":{"name":"ioquake3","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/ioquake3?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.36+u20201117.d1b7ab6~dfsg-1","1.36+u20210927.2678080~dfsg-1","1.36+u20211208.84daa28~dfsg-1","1.36+u20220205.c0f2964~dfsg-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.36+u20220205.c0f2964~dfsg-1","binary_name":"ioquake3"},{"binary_version":"1.36+u20220205.c0f2964~dfsg-1","binary_name":"ioquake3-server"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2011/UBUNTU-CVE-2011-3012.json"}},{"package":{"name":"ioquake3","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/ioquake3?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.36+u20230706.10a45cb+dfsg-1","1.36+u20230819.b1e6ef1+dfsg-1","1.36+u20231123.972635e+dfsg-1","1.36+u20240217.7d711f8+dfsg-1","1.36+u20240217.7d711f8+dfsg-1build1","1.36+u20240217.7d711f8+dfsg-1build2"],"ecosystem_specific":{"binaries":[{"binary_version":"1.36+u20240217.7d711f8+dfsg-1build2","binary_name":"ioquake3"},{"binary_version":"1.36+u20240217.7d711f8+dfsg-1build2","binary_name":"ioquake3-server"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2011/UBUNTU-CVE-2011-3012.json"}},{"package":{"name":"ioquake3","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/ioquake3?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.36+u20241011.cc18246+dfsg-1","1.36+u20250316.526edd3+dfsg-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.36+u20250316.526edd3+dfsg-1","binary_name":"ioquake3"},{"binary_version":"1.36+u20250316.526edd3+dfsg-1","binary_name":"ioquake3-server"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2011/UBUNTU-CVE-2011-3012.json"}},{"package":{"name":"ioquake3","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/ioquake3?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.36+u20250316.526edd3+dfsg-1","1.36+u20251029.a553ad1+dfsg-1","1.36+u20251111.fcde284+dfsg-1","1.36+u20251206.e29c74e1+dfsg-1","1.36+u20251228.3ef30e75+dfsg-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.36+u20251228.3ef30e75+dfsg-1","binary_name":"ioquake3"},{"binary_version":"1.36+u20251228.3ef30e75+dfsg-1","binary_name":"ioquake3-server"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2011/UBUNTU-CVE-2011-3012.json"}}],"schema_version":"1.7.5","severity":[{"type":"Ubuntu","score":"medium"}]}