from Jochen Leopold:
Fixed dclose problems (stuck in level 4)
* UNIQUE symbols in jk2gamex86.so don't allow to unload the library on map changes!
** so all global variables are not reseted -> this causes many bugs (stuck on start of level 4 for example)
* removed one "inline" attribute which fixes this bug
** there is just a GLIBCXX unique symbol left: readelf -Ws ./jk2gamex86.so | grep UNIQUE
bugzilla #4753
from Eugene C. in ioquake3
svn 1801 git a4327ef965fa6b8f4103f71ea4a7ae00f1fd97bc
Bugzilla #4753
Potential buffer overflow in UpdateTournamentInfo()
bugzilla #4669
from Eugene C. in ioquake3
svn 1788 git 3ff266637578b9727ddee84e966214dd5dc51f04
Fix buffer overflow, report and patch by Eugene C. (#4669)
Luigi Auriemma q3cbufexec
from Ludwig Nussel in ioquake3
svn 1493 git f5aae78481d71307a0b874b1f17ecdead1469392
security fix: prevent command injection via callvote
from Thilo Schulz in ioquake3
svn 1838 git cf791d14c58f536eec8220d93fb9af443f8837e9
- Fix bug #4769 remote server crash
from Ludwig Nussel in ioquake3
svn 1492 git cde5fcfb9b09323c553e446988a056f7ad1cc4b0
fix overflow in CG_ParseTeamInfo
based on patch for Tremulous, thanks to Roman Tetelman
from Ludwig Nussel in ioquake3
svn 1025 git 8ca8d845911fb6545bf723cade39944d874d01ea
fix buffer overflow and format string bug in auth server response
processing
CVE-2011-2764
The FS_CheckFilenameIsNotExecutable function in qcommon/files.c in the
ioQuake3 engine 1.36 and earlier, as used in World of Padman, Smokin'
Guns, OpenArena, Tremulous, and ioUrbanTerror, does not properly
determine dangerous file extensions, which allows remote attackers to
execute arbitrary code via a crafted third-party addon that creates a
Trojan horse DLL file.
CVE-2011-3012
The ioQuake3 engine, as used in World of Padman 1.2 and earlier,
Tremulous 1.1.0, and ioUrbanTerror 2007-12-20, does not check for
dangerous file extensions before writing to the quake3 directory, which
allows remote attackers to execute arbitrary code via a crafted
third-party addon that creates a Trojan horse DLL file, a different
vulnerability than CVE-2011-2764.
bugzilla #3695
from Tim Angus in ioquake3
svn 1405 git 2c0861c1cea44861c5ceba2dc39e601d6bc3f0af
* (bug 3695) Not allowing to write file with lib extention (.dll/.so/...)
(TsT <tst2006@gmail.com>)
from Tim Angus in ioquake3
svn 1499 git 48d8c8876b6ec035b0bb85f4d3c47c9210c3ca30
* s/FS_FilenameIsExecutable/FS_CheckFilenameIsNotExecutable/g
* Fix potential buffer under run in FS_CheckFilenameIsNotExecutable
from Thilo Schulz in ioquake3
svn 2098 git c4f739b8d03ca203435744c4a96e3561863ccdfe
Fix extension name comparison for DLL files
from Zack Middleton in ioquake3
git 6c88bf8aeee3c1e5449682f874f91e86cb393ef4
Rename FS_CheckFilenameIsNotExecutable to ..NotImmutable
from Harley Laue in ioquake3
git 1b2a6abed996b43eb108486abbda449b3d16e019
Rename FS_CheckFilenameIsNotImmutable to ..IsMutable
CVE-2006-3401
Stack-based buffer overflow in Quake 3 Engine as used by Quake 3: Arena
1.32b and 1.32c allows remote attackers to cause a denial of service and
possibly execute code via long CS_ITEMS values.
from Thilo Schulz in ioquake3
svn 813 git fc244c97ef1a5f1c6e7c1f46a098c8f57f271153
Fix critical buffer overflow in cgame, see exploit at
http://www.milw0rm.com/exploits/1977
CVE-2006-3324
The Automatic Downloading option in the id3 Quake 3 Engine and the
Icculus Quake 3 Engine (ioquake3) before revision 804 allows remote
attackers to overwrite arbitrary files in the quake3 directory
(fs_homepath cvar) via a long string of filenames, as contained in the
neededpaks buffer.
Luigi Auriemma q3cfilevar
from Thilo Schulz in ioquake3
svn 804 git 813a6ecdc3b8572796a8a85b260b03e1c3d87ef4
- Fix bug that allows a malicious server to write and overwrite any
files in the quake3 directory. Reported by Luigi Auriemma.
- Moved directory traversal check to a more proper location.
- Added a few sanity checks for checksum/pakname storage to fix a crash
that can occur under certain circumstances.
CVE-2006-3325
client/cl_parse.c in the id3 Quake 3 Engine 1.32c and the Icculus
Quake 3 Engine (ioquake3) revision 810 and earlier allows remote
malicious servers to overwrite arbitrary write-protected cvars
variables on the client, such as cl_allowdownload for Automatic
Downloading and fs_homepath for the quake3 path, via a string of cvar
names and values sent from the server. NOTE: this can be combined with
another vulnerability to overwrite arbitrary files.
Luigi Auriemma q3cfilevar
from Thilo Schulz in ioquake3
svn 811 git 7d51d75b05a9593508040162709043516c0f2a17
- Fix arbitrary cvar overwrite flaw: http://aluigi.altervista.org/adv.htm
CVE-2006-2875
Stack-based buffer overflow in the CL_ParseDownload function of Quake 3
Engine 1.32c and earlier, as used in multiple products, allows remote
attackers to execute arbitrary code via a svc_download command with
compressed data that triggers the overflow during expansion.
Luigi Auriemma q3cbof
from Thilo Schulz in ioquake3
svn 796 git 99abd01c2f5e1a181acb8623edceff10cd918751
Fix remotely exploitable parse download overflow reported by Luigi Auriemma.
See http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046578.html
for the advisory.
CVE-2005-0984
Buffer overflow in the G_Printf function in Star Wars Jedi Knight:
Jedi Academy 1.011 and earlier allows remote attackers to execute
arbitrary code via a long message using commands such as (1) say and
(2) tell.
Luigi Auriemma jamsgbof
CVE-2006-2236
Buffer overflow in the Quake 3 Engine, as used by (1) ET 2.60,
(2) Return to Castle Wolfenstein 1.41, and (3) Quake III Arena 1.32b
allows remote attackers to execute arbitrary commands via a long
remapShader command.
from Thilo Schulz in ioquake3
svn 765 git d21411452ef32b86c0b79ddcaf49221701dcdb07
Add string length checking to function COM_StripExtension. This fixes
the R_RemapShader buffer overflow exploit that can be found here:
http://milw0rm.com/exploits/1750
CVE-2006-2082
Directory traversal vulnerability in Quake 3 engine, as used in products
including Quake3 Arena, Return to Castle Wolfenstein, Wolfenstein: Enemy
Territory, and Star Trek Voyager: Elite Force, when the sv_allowdownload
cvar is enabled, allows remote attackers to read arbitrary files from
the server via ".." sequences in a .pk3 file request.
from Thilo Schulz in ioquake3
svn 777 git 60293f49ee8c665673202e80ecd103f13a9fa6ab
Fix bug that permits download of arbitrary files from a download enabled
server by checking requested file name against the list of loaded pk3
files. See CVE-2006-2082
note: cl_keys change not included as qboolean not abused unlike q3
from Tim Angus in ioquake3
svn 95 git 33a48a0336865a9d21983e4836920cd9f3401101
Fixed some qboolean type confusion
from http://www.quakesrc.org/forums/viewtopic.php?t=5374
CVE-2005-0983
Quake 3 engine, as used in multiple games, allows remote attackers to
cause a denial of service (client disconnect) via a long message, which
is not properly truncated and causes the engine to process the remaining
data as if it were network data.
Luigi Auriemma q3msgboom
from Tim Angus in ioquake
svn 95 git 33a48a0336865a9d21983e4836920cd9f3401101
Fixed q3msgboom
from http://www.quakesrc.org/forums/viewtopic.php?t=5374
CVE-2005-0430
The Quake 3 engine, as used in multiple game packages, allows remote
attackers to cause a denial of service (shutdown game server) and
possibly crash the server via a long infostring, possibly triggering a
buffer overflow.
Luigi Auriemma q3infoboom
from Tim Angus in ioquake3
svn 95 git 33a48a0336865a9d21983e4836920cd9f3401101
It looks as if the q3infoboom bug has already been fixed in ioQ3 in a
different way, though this patch addresses the cause. The existing fix
should stay since it's a sensible sanity check anyway.
from http://www.quakesrc.org/forums/viewtopic.php?t=5374
CVE-2005-0430
The Quake 3 engine, as used in multiple game packages, allows remote
attackers to cause a denial of service (shutdown game server) and
possibly crash the server via a long infostring, possibly triggering a
buffer overflow.
Luigi Auriemma q3infoboom
bugzilla #2356
from Thilo Schulz in ioquake3
svn 58 git 01da6d757bb3121c9ee077e7269eee7655abd05b
https://bugzilla.icculus.org/show_bug.cgi?id=2356
Remotely exploitable Infostring Crash
