Commit graph

24 commits

Author SHA1 Message Date
Jonathan Gray
61687fff0c CVE-2011-2764/CVE-2011-3012 check for dangerous file extensions
CVE-2011-2764
The FS_CheckFilenameIsNotExecutable function in qcommon/files.c in the
ioQuake3 engine 1.36 and earlier, as used in World of Padman, Smokin'
Guns, OpenArena, Tremulous, and ioUrbanTerror, does not properly
determine dangerous file extensions, which allows remote attackers to
execute arbitrary code via a crafted third-party addon that creates a
Trojan horse DLL file.

CVE-2011-3012
The ioQuake3 engine, as used in World of Padman 1.2 and earlier,
Tremulous 1.1.0, and ioUrbanTerror 2007-12-20, does not check for
dangerous file extensions before writing to the quake3 directory, which
allows remote attackers to execute arbitrary code via a crafted
third-party addon that creates a Trojan horse DLL file, a different
vulnerability than CVE-2011-2764.

bugzilla #3695

from Tim Angus in ioquake3
svn 1405 git 2c0861c1cea44861c5ceba2dc39e601d6bc3f0af

* (bug 3695) Not allowing to write file with lib extention (.dll/.so/...)
  (TsT <tst2006@gmail.com>)

from Tim Angus in ioquake3
svn 1499 git 48d8c8876b6ec035b0bb85f4d3c47c9210c3ca30

* s/FS_FilenameIsExecutable/FS_CheckFilenameIsNotExecutable/g
* Fix potential buffer under run in FS_CheckFilenameIsNotExecutable

from Thilo Schulz in ioquake3
svn 2098 git c4f739b8d03ca203435744c4a96e3561863ccdfe

Fix extension name comparison for DLL files

from Zack Middleton in ioquake3
git 6c88bf8aeee3c1e5449682f874f91e86cb393ef4

Rename FS_CheckFilenameIsNotExecutable to ..NotImmutable

from Harley Laue in ioquake3
git 1b2a6abed996b43eb108486abbda449b3d16e019

Rename FS_CheckFilenameIsNotImmutable to ..IsMutable
2013-05-07 22:20:02 +10:00
Jonathan Gray
8550620849 CVE-2006-3325 arbitrary cvar overwrite
CVE-2006-3325
client/cl_parse.c in the id3 Quake 3 Engine 1.32c and the Icculus
Quake 3 Engine (ioquake3) revision 810 and earlier allows remote
malicious servers to overwrite arbitrary write-protected cvars
variables on the client, such as cl_allowdownload for Automatic
Downloading and fs_homepath for the quake3 path, via a string of cvar
names and values sent from the server. NOTE: this can be combined with
another vulnerability to overwrite arbitrary files.

Luigi Auriemma q3cfilevar

from Thilo Schulz in ioquake3
svn 811 git 7d51d75b05a9593508040162709043516c0f2a17

- Fix arbitrary cvar overwrite flaw: http://aluigi.altervista.org/adv.htm
2013-05-07 22:18:55 +10:00
Jonathan Gray
c0af0580aa CVE-2006-2875 Stack-based buffer overflow in CL_ParseDownload
CVE-2006-2875
Stack-based buffer overflow in the CL_ParseDownload function of Quake 3
Engine 1.32c and earlier, as used in multiple products, allows remote
attackers to execute arbitrary code via a svc_download command with
compressed data that triggers the overflow during expansion.

Luigi Auriemma q3cbof

from Thilo Schulz in ioquake3
svn 796 git 99abd01c2f5e1a181acb8623edceff10cd918751

Fix remotely exploitable parse download overflow reported by Luigi Auriemma.
See http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046578.html
for the advisory.
2013-05-07 22:18:45 +10:00
Jonathan Gray
ec595883ab vsprintf -> Q_vsnprintf 2013-05-07 22:18:45 +10:00
Jonathan Gray
832b4342a8 CVE-2006-2236 Buffer overflow in the Quake 3 Engine
CVE-2006-2236
Buffer overflow in the Quake 3 Engine, as used by (1) ET 2.60,
(2) Return to Castle Wolfenstein 1.41, and (3) Quake III Arena 1.32b
allows remote attackers to execute arbitrary commands via a long
remapShader command.

from Thilo Schulz in ioquake3
svn 765 git d21411452ef32b86c0b79ddcaf49221701dcdb07

Add string length checking to function COM_StripExtension. This fixes
the R_RemapShader buffer overflow exploit that can be found here:
http://milw0rm.com/exploits/1750
2013-05-07 22:18:45 +10:00
Jonathan Gray
fefad8e48c Fix to multiple buffer overflow bugs in CL_Rcon_f
from Tim Angus in ioquake3
svn 95 git 33a48a0336865a9d21983e4836920cd9f3401101

Fix to multiple buffer overflow bugs in CL_Rcon_f

from http://www.quakesrc.org/forums/viewtopic.php?t=5374
2013-05-07 22:18:44 +10:00
Jonathan Gray
624419334f const fixes 2013-05-02 13:47:51 +10:00
Jonathan Gray
96fa13bbdb add sdl glimp/input from ioquake3 for MP 2013-04-30 15:02:26 +10:00
Jonathan Gray
15cc54b440 adjust to different scoping of variables declared in for loops 2013-04-26 22:27:24 +10:00
Jonathan Gray
a765a9a98e avoid extra qualification of function members 2013-04-26 22:27:24 +10:00
Jonathan Gray
f820286f06 opt out of more masm assembly 2013-04-25 23:51:56 +10:00
Jonathan Gray
5c941d29f1 strnicmp -> Q_strnicmp 2013-04-25 23:51:56 +10:00
Jonathan Gray
901d5acb51 stricmp -> Q_stricmp 2013-04-25 23:51:55 +10:00
Jonathan Gray
e5e1251df8 make the openal code compile without eax and enable it by default 2013-04-25 23:51:55 +10:00
Jonathan Gray
46c9f91703 strlwr -> Q_strlwr 2013-04-25 23:51:54 +10:00
Jonathan Gray
3b0e200e4f add some casts so gcc can pick an overloaded abs/max/min func 2013-04-25 23:51:53 +10:00
Jonathan Gray
1625e229c9 provide a gcc style alternative to the inline asm in FxPrimitives 2013-04-25 23:51:53 +10:00
Jonathan Gray
ac358477fd rename _X to avoid a collision with ctype.h 2013-04-25 23:51:53 +10:00
Jonathan Gray
2d66eb2b2b fix #includes to compile on non windows without pch 2013-04-25 23:51:46 +10:00
Jonathan Gray
bd47e42e0e fix slashes in include paths 2013-04-23 15:40:23 +10:00
Jonathan Gray
039ef2cb4a ditch dos style newlines 2013-04-23 15:21:39 +10:00
Josh Vega
107cd7a531 Deleted all the Visual SourceSafe files. 2013-04-06 20:59:34 -04:00
James Monroe
59f7e71450 Jedi Academy Patch 1.01 2013-04-04 18:21:13 -05:00
James Monroe
684d1bcb3b Jedi Academy Release 2013-04-04 17:35:38 -05:00