CVE-2006-3325
client/cl_parse.c in the id3 Quake 3 Engine 1.32c and the Icculus
Quake 3 Engine (ioquake3) revision 810 and earlier allows remote
malicious servers to overwrite arbitrary write-protected cvars
on the client, such as cl_allowdownload for Automatic
Downloading and fs_homepath for the quake3 path, via a string of cvar
names and values sent from the server. NOTE: this can be combined with
another vulnerability to overwrite arbitrary files.
Luigi Auriemma q3cfilevar
from Thilo Schulz in ioquake3
svn 811 git 7d51d75b05a9593508040162709043516c0f2a17
- Fix arbitrary cvar overwrite flaw: http://aluigi.altervista.org/adv.htm

CVE-2006-2875
Stack-based buffer overflow in the CL_ParseDownload function of Quake 3
Engine 1.32c and earlier, as used in multiple products, allows remote
attackers to execute arbitrary code via a svc_download command with
compressed data that triggers the overflow during expansion.
Luigi Auriemma q3cbof
from Thilo Schulz in ioquake3
svn 796 git 99abd01c2f5e1a181acb8623edceff10cd918751
Fix remotely exploitable parse download overflow reported by Luigi Auriemma.
See http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046578.html
for the advisory.

CVE-2006-2236
Buffer overflow in the Quake 3 Engine, as used by (1) ET 2.60,
(2) Return to Castle Wolfenstein 1.41, and (3) Quake III Arena 1.32b
allows remote attackers to execute arbitrary commands via a long
remapShader command.
from Thilo Schulz in ioquake3
svn 765 git d21411452ef32b86c0b79ddcaf49221701dcdb07
Add string length checking to function COM_StripExtension. This fixes
the R_RemapShader buffer overflow exploit that can be found here:
http://milw0rm.com/exploits/1750
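
The fix noted above adds string length checking to COM_StripExtension. As an added example (not code from ioquake3 or from this page), the C below contrasts an unbounded strip-extension copy with a bounded one; the function names, the destsize parameter and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Unbounded pattern (illustrative sketch, not the engine's source): copies
 * up to the first '.' with no knowledge of how large `out` is, so a long
 * name writes past the end of the caller's buffer. */
void strip_extension_unbounded(const char *in, char *out)
{
    while (*in && *in != '.')
        *out++ = *in++;
    *out = '\0';
}

/* Bounded form: the caller states the destination size, the copy is
 * truncated to fit and is always NUL-terminated.
 * Returns 1 if the whole stem fit, 0 if it was truncated or unusable. */
int strip_extension_bounded(const char *in, char *out, size_t destsize)
{
    const char *dot, *slash;
    size_t stem, n;
    if (out == NULL || destsize == 0)
        return 0;
    if (in == NULL) {
        out[0] = '\0';
        return 0;
    }
    /* Only a '.' in the final path component counts as an extension. */
    dot = strrchr(in, '.');
    slash = strrchr(in, '/');
    if (dot == NULL || (slash != NULL && dot < slash))
        stem = strlen(in);
    else
        stem = (size_t)(dot - in);
    n = stem < destsize - 1 ? stem : destsize - 1;
    memcpy(out, in, n);
    out[n] = '\0';
    return n == stem;
}

int main(void)
{
    char name[64];                 /* destination size chosen for the demo */
    char longname[300];            /* constructed over-long shader name */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    int ok = strip_extension_bounded(longname, name, sizeof name);
    printf("fit=%d len=%zu\n", ok, strlen(name));
    return 0;
}
```

A return value of 0 tells the caller the name was truncated, so it can reject the input instead of using a shortened name.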