CVE-2006-3325
client/cl_parse.c in the id3 Quake 3 Engine 1.32c and the Icculus
Quake 3 Engine (ioquake3) revision 810 and earlier allows remote
malicious servers to overwrite arbitrary write-protected cvars
variables on the client, such as cl_allowdownload for Automatic
Downloading and fs_homepath for the quake3 path, via a string of cvar
names and values sent from the server. NOTE: this can be combined with
another vulnerability to overwrite arbitrary files.
Luigi Auriemma q3cfilevar
from Thilo Schulz in ioquake3
svn 811 git 7d51d75b05a9593508040162709043516c0f2a17
- Fix arbitrary cvar overwrite flaw: http://aluigi.altervista.org/adv.htm
CVE-2005-0984
Buffer overflow in the G_Printf function in Star Wars Jedi Knight:
Jedi Academy 1.011 and earlier allows remote attackers to execute
arbitrary code via a long message using commands such as (1) say and
(2) tell.
Luigi Auriemma jamsgbof
CVE-2006-2236
Buffer overflow in the Quake 3 Engine, as used by (1) ET 2.60,
(2) Return to Castle Wolfenstein 1.41, and (3) Quake III Arena 1.32b
allows remote attackers to execute arbitrary commands via a long
remapShader command.
from Thilo Schulz in ioquake3
svn 765 git d21411452ef32b86c0b79ddcaf49221701dcdb07
Add string length checking to function COM_StripExtension. This fixes
the R_RemapShader buffer overflow exploit that can be found here:
http://milw0rm.com/exploits/1750
CVE-2005-0430
The Quake 3 engine, as used in multiple game packages, allows remote
attackers to cause a denial of service (shutdown game server) and
possibly crash the server via a long infostring, possibly triggering a
buffer overflow.
Luigi Auriemma q3infoboom
from Tim Angus in ioquake3
svn 95 git 33a48a0336865a9d21983e4836920cd9f3401101
It looks as if the q3infoboom bug has already been fixed in ioQ3 in a
different way, though this patch addresses the cause. The existing fix
should stay since it's a sensible sanity check anyway.
from http://www.quakesrc.org/forums/viewtopic.php?t=5374
