CVE-2006-3324
The Automatic Downloading option in the id3 Quake 3 Engine and the
Icculus Quake 3 Engine (ioquake3) before revision 804 allows remote
attackers to overwrite arbitrary files in the quake3 directory
(fs_homepath cvar) via a long string of filenames, as contained in the
neededpaks buffer.
Luigi Auriemma q3cfilevar
from Thilo Schulz in ioquake3
svn 804 git 813a6ecdc3b8572796a8a85b260b03e1c3d87ef4
- Fix bug that allows a malicious server to write and overwrite any
files in the quake3 directory. Reported by Luigi Auriemma.
- Moved directory traversal check to a more proper location.
- Added a few sanity checks for checksum/pakname storage to fix a crash
that can occur under certain circumstances.
CVE-2006-3325
client/cl_parse.c in the id3 Quake 3 Engine 1.32c and the Icculus
Quake 3 Engine (ioquake3) revision 810 and earlier allows remote
malicious servers to overwrite arbitrary write-protected cvars
variables on the client, such as cl_allowdownload for Automatic
Downloading and fs_homepath for the quake3 path, via a string of cvar
names and values sent from the server. NOTE: this can be combined with
another vulnerability to overwrite arbitrary files.
Luigi Auriemma q3cfilevar
from Thilo Schulz in ioquake3
svn 811 git 7d51d75b05a9593508040162709043516c0f2a17
- Fix arbitrary cvar overwrite flaw: http://aluigi.altervista.org/adv.htm
