Commit graph

158 commits

Author SHA1 Message Date
Jonathan Gray
eec13dc1bf buffer overflow and format string bug in auth server response processing
from Ludwig Nussel in ioquake3
svn 1025 git 8ca8d845911fb6545bf723cade39944d874d01ea

fix buffer overflow and format string bug in auth server response
processing
2013-05-07 22:20:02 +10:00
Jonathan Gray
61687fff0c CVE-2011-2764/CVE-2011-3012 check for dangerous file extensions
CVE-2011-2764
The FS_CheckFilenameIsNotExecutable function in qcommon/files.c in the
ioQuake3 engine 1.36 and earlier, as used in World of Padman, Smokin'
Guns, OpenArena, Tremulous, and ioUrbanTerror, does not properly
determine dangerous file extensions, which allows remote attackers to
execute arbitrary code via a crafted third-party addon that creates a
Trojan horse DLL file.

CVE-2011-3012
The ioQuake3 engine, as used in World of Padman 1.2 and earlier,
Tremulous 1.1.0, and ioUrbanTerror 2007-12-20, does not check for
dangerous file extensions before writing to the quake3 directory, which
allows remote attackers to execute arbitrary code via a crafted
third-party addon that creates a Trojan horse DLL file, a different
vulnerability than CVE-2011-2764.

bugzilla #3695

from Tim Angus in ioquake3
svn 1405 git 2c0861c1cea44861c5ceba2dc39e601d6bc3f0af

* (bug 3695) Not allowing to write file with lib extention (.dll/.so/...)
  (TsT <tst2006@gmail.com>)

from Tim Angus in ioquake3
svn 1499 git 48d8c8876b6ec035b0bb85f4d3c47c9210c3ca30

* s/FS_FilenameIsExecutable/FS_CheckFilenameIsNotExecutable/g
* Fix potential buffer under run in FS_CheckFilenameIsNotExecutable

from Thilo Schulz in ioquake3
svn 2098 git c4f739b8d03ca203435744c4a96e3561863ccdfe

Fix extension name comparison for DLL files

from Zack Middleton in ioquake3
git 6c88bf8aeee3c1e5449682f874f91e86cb393ef4

Rename FS_CheckFilenameIsNotExecutable to ..NotImmutable

from Harley Laue in ioquake3
git 1b2a6abed996b43eb108486abbda449b3d16e019

Rename FS_CheckFilenameIsNotImmutable to ..IsMutable
2013-05-07 22:20:02 +10:00
Jonathan Gray
d64b393927 add DLL_EXT defines 2013-05-07 22:20:02 +10:00
Jonathan Gray
6e05e1552e CVE-2006-3401 Stack-based buffer overflow in CS_ITEMS
CVE-2006-3401
Stack-based buffer overflow in Quake 3 Engine as used by Quake 3: Arena
1.32b and 1.32c allows remote attackers to cause a denial of service and
possibly execute code via long CS_ITEMS values.

from Thilo Schulz in ioquake3
svn 813 git fc244c97ef1a5f1c6e7c1f46a098c8f57f271153

Fix critical buffer overflow in cgame, see exploit at
http://www.milw0rm.com/exploits/1977
2013-05-07 22:20:01 +10:00
Jonathan Gray
ac9e5f1f79 CVE-2006-3324 arbitary file overwrite
CVE-2006-3324
The Automatic Downloading option in the id3 Quake 3 Engine and the
Icculus Quake 3 Engine (ioquake3) before revision 804 allows remote
attackers to overwrite arbitrary files in the quake3 directory
(fs_homepath cvar) via a long string of filenames, as contained in the
neededpaks buffer.

Luigi Auriemma q3cfilevar

from Thilo Schulz in ioquake3
svn 804 git 813a6ecdc3b8572796a8a85b260b03e1c3d87ef4

- Fix bug that allows a malicious server to write and overwrite any
  files in the quake3 directory.  Reported by Luigi Auriemma.
- Moved directory traversal check to a more proper location.
- Added a few sanity checks for checksum/pakname storage to fix a crash
  that can occur under certain circumstances.
2013-05-07 22:19:33 +10:00
Jonathan Gray
8550620849 CVE-2006-3325 arbitrary cvar overwrite
CVE-2006-3325
client/cl_parse.c in the id3 Quake 3 Engine 1.32c and the Icculus
Quake 3 Engine (ioquake3) revision 810 and earlier allows remote
malicious servers to overwrite arbitrary write-protected cvars
variables on the client, such as cl_allowdownload for Automatic
Downloading and fs_homepath for the quake3 path, via a string of cvar
names and values sent from the server. NOTE: this can be combined with
another vulnerability to overwrite arbitrary files.

Luigi Auriemma q3cfilevar

from Thilo Schulz in ioquake3
svn 811 git 7d51d75b05a9593508040162709043516c0f2a17

- Fix arbitrary cvar overwrite flaw: http://aluigi.altervista.org/adv.htm
2013-05-07 22:18:55 +10:00
Jonathan Gray
c0af0580aa CVE-2006-2875 Stack-based buffer overflow in CL_ParseDownload
CVE-2006-2875
Stack-based buffer overflow in the CL_ParseDownload function of Quake 3
Engine 1.32c and earlier, as used in multiple products, allows remote
attackers to execute arbitrary code via a svc_download command with
compressed data that triggers the overflow during expansion.

Luigi Auriemma q3cbof

from Thilo Schulz in ioquake3
svn 796 git 99abd01c2f5e1a181acb8623edceff10cd918751

Fix remotely exploitable parse download overflow reported by Luigi Auriemma.
See http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046578.html
for the advisory.
2013-05-07 22:18:45 +10:00
Jonathan Gray
ec595883ab vsprintf -> Q_vsnprintf 2013-05-07 22:18:45 +10:00
Jonathan Gray
518c81038f CVE-2005-0984 Buffer overflow in the G_Printf function
CVE-2005-0984
Buffer overflow in the G_Printf function in Star Wars Jedi Knight:
Jedi Academy 1.011 and earlier allows remote attackers to execute
arbitrary code via a long message using commands such as (1) say and
(2) tell.

Luigi Auriemma jamsgbof
2013-05-07 22:18:45 +10:00
Jonathan Gray
5ae4da05a7 Q_vsnprintf from ioquake3 2013-05-07 22:18:45 +10:00
Jonathan Gray
832b4342a8 CVE-2006-2236 Buffer overflow in the Quake 3 Engine
CVE-2006-2236
Buffer overflow in the Quake 3 Engine, as used by (1) ET 2.60,
(2) Return to Castle Wolfenstein 1.41, and (3) Quake III Arena 1.32b
allows remote attackers to execute arbitrary commands via a long
remapShader command.

from Thilo Schulz in ioquake3
svn 765 git d21411452ef32b86c0b79ddcaf49221701dcdb07

Add string length checking to function COM_StripExtension. This fixes
the R_RemapShader buffer overflow exploit that can be found here:
http://milw0rm.com/exploits/1750
2013-05-07 22:18:45 +10:00
Jonathan Gray
85caaddab4 CVE-2006-2082 Directory traversal vulnerability in Quake 3 engine
CVE-2006-2082
Directory traversal vulnerability in Quake 3 engine, as used in products
including Quake3 Arena, Return to Castle Wolfenstein, Wolfenstein: Enemy
Territory, and Star Trek Voyager: Elite Force, when the sv_allowdownload
cvar is enabled, allows remote attackers to read arbitrary files from
the server via ".." sequences in a .pk3 file request.

from Thilo Schulz in ioquake3
svn 777 git 60293f49ee8c665673202e80ecd103f13a9fa6ab

Fix bug that permits download of arbitrary files from a download enabled
server by checking requested file name against the list of loaded pk3
files. See CVE-2006-2082
2013-05-07 22:18:44 +10:00
Jonathan Gray
c9da283d84 add Cmd_TokenizeStringIgnoreQuotes modelled after ioquake3 2013-05-07 22:18:44 +10:00
Jonathan Gray
8349abd8bb Fixed some qboolean type confusion
note: cl_keys change not included as qboolean not abused unlike q3

from Tim Angus in ioquake3
svn 95 git 33a48a0336865a9d21983e4836920cd9f3401101

Fixed some qboolean type confusion

from http://www.quakesrc.org/forums/viewtopic.php?t=5374
2013-05-07 22:18:44 +10:00
Jonathan Gray
983705084a CVE-2005-0983 Fixed q3msgboom
CVE-2005-0983
Quake 3 engine, as used in multiple games, allows remote attackers to
cause a denial of service (client disconnect) via a long message, which
is not properly truncated and causes the engine to process the remaining
data as if it were network data.

Luigi Auriemma q3msgboom

from Tim Angus in ioquake
svn 95 git 33a48a0336865a9d21983e4836920cd9f3401101

Fixed q3msgboom

from http://www.quakesrc.org/forums/viewtopic.php?t=5374
2013-05-07 22:18:44 +10:00
Jonathan Gray
14f42588a8 Fixed some missing calls to trap_FS_FCloseFile
from Tim Angus in ioquake3
svn 95 git 33a48a0336865a9d21983e4836920cd9f3401101

Fixed some missing calls to trap_FS_FCloseFile

from http://www.quakesrc.org/forums/viewtopic.php?t=5374
2013-05-07 22:18:44 +10:00
Jonathan Gray
1a40cbbe89 Fix to COM_ParseExt 1 byte overwrite bug
from Tim Angus in ioquake3
svn 95 git 33a48a0336865a9d21983e4836920cd9f3401101

Fix to COM_ParseExt 1 byte overwrite bug

from http://www.quakesrc.org/forums/viewtopic.php?t=5374
2013-05-07 22:18:44 +10:00
Jonathan Gray
fefad8e48c Fix to multiple buffer overflow bugs in CL_Rcon_f
from Tim Angus in ioquake3
svn 95 git 33a48a0336865a9d21983e4836920cd9f3401101

Fix to multiple buffer overflow bugs in CL_Rcon_f

from http://www.quakesrc.org/forums/viewtopic.php?t=5374
2013-05-07 22:18:44 +10:00
Jonathan Gray
8fc8601e0b CVE-2005-0430 Fixed q3infoboom
CVE-2005-0430
The Quake 3 engine, as used in multiple game packages, allows remote
attackers to cause a denial of service (shutdown game server) and
possibly crash the server via a long infostring, possibly triggering a
buffer overflow.

Luigi Auriemma q3infoboom

from Tim Angus in ioquake3
svn 95 git 33a48a0336865a9d21983e4836920cd9f3401101

It looks as if the q3infoboom bug has already been fixed in ioQ3 in a
different way, though this patch addresses the cause. The existing fix
should stay since it's a sensible sanity check anyway.

from http://www.quakesrc.org/forums/viewtopic.php?t=5374
2013-05-07 22:18:29 +10:00
Jonathan Gray
a6591f68df CVE-2005-0430 Remotely exploitable Infostring Crash
CVE-2005-0430
The Quake 3 engine, as used in multiple game packages, allows remote
attackers to cause a denial of service (shutdown game server) and
possibly crash the server via a long infostring, possibly triggering a
buffer overflow.

Luigi Auriemma q3infoboom
bugzilla #2356

from Thilo Schulz in ioquake3
svn 58 git 01da6d757bb3121c9ee077e7269eee7655abd05b

https://bugzilla.icculus.org/show_bug.cgi?id=2356
Remotely exploitable Infostring Crash
2013-05-07 22:17:57 +10:00
Zachary J. Slater
6902b84f94 Merge pull request #7 from jonathangray/warn
Clean up some warnings and remove the need for -fpermissive
2013-05-02 12:04:09 -07:00
Jonathan Gray
dfb45c84f6 make g_savegame.cpp build on amd64 without -fpermissive 2013-05-02 19:08:16 +10:00
Jonathan Gray
a3d6db9f5d set some possibly uninitialised vars to zero 2013-05-02 13:47:51 +10:00
Jonathan Gray
2a6c6cf358 disable some noisy and mostly harmless warnings 2013-05-02 13:47:51 +10:00
Jonathan Gray
624419334f const fixes 2013-05-02 13:47:51 +10:00
Jonathan Gray
804687385c avoid enum to int conversions 2013-05-02 13:47:50 +10:00
Jonathan Gray
6ae7218c21 remove the use of 'typedef enum' without an indentifier 2013-05-02 13:47:50 +10:00
Jonathan Gray
7d29fb84a5 remove surplus tokens after preprocessor directives 2013-05-02 13:47:50 +10:00
Jonathan Gray
42dd32771a set some possibly uninitialised vars to zero 2013-05-02 13:47:34 +10:00
Jonathan Gray
1a47ca7601 disable some noisy and mostly harmless warnings 2013-05-02 01:32:46 +10:00
Jonathan Gray
4074a53216 remove an uneeded extern decl that conflicts with an earlier one 2013-05-02 00:45:22 +10:00
Jonathan Gray
e95505989f const fixes 2013-05-02 00:45:16 +10:00
Jonathan Gray
178544362e avoid enum to int conversions 2013-05-01 23:47:33 +10:00
Jonathan Gray
88e6b70d0d remove the use of 'typedef enum' without an indentifier 2013-05-01 23:47:33 +10:00
Jonathan Gray
00934e804e remove surplus tokens after preprocessor directives 2013-05-01 23:47:32 +10:00
Zachary J. Slater
908d2f0880 Merge pull request #6 from jonathangray/sdl
add SDL glimp/input from ioquake3
2013-04-29 22:25:17 -07:00
Jonathan Gray
dad17e40f1 windowed mouse is fixed with sdl 2013-04-30 15:05:13 +10:00
Jonathan Gray
96fa13bbdb add sdl glimp/input from ioquake3 for MP 2013-04-30 15:02:26 +10:00
Jonathan Gray
8f7968cb9c add sdl glimp/input from ioquake3 for SP 2013-04-30 15:02:18 +10:00
Zachary J. Slater
788897fb1f Merge pull request #4 from jonathangray/mp_port
adapt multiplayer code to gcc/unix
2013-04-27 12:02:10 -07:00
Zachary J. Slater
e1ff5e35b1 Merge pull request #5 from jonathangray/amd64_fix
amd64 fix for CBlockStream/icarus
2013-04-27 12:01:35 -07:00
Jonathan Gray
b1bf1b1379 update readme for icarus fix 2013-04-27 21:39:12 +10:00
Jonathan Gray
721432a911 fix CBlockStream/icarus on amd64 2013-04-27 21:39:06 +10:00
Alexandre Blin
77295da1d9 Fixed error in .menu file parsing on Unix 2013-04-27 02:27:50 +10:00
Jonathan Gray
2ee20c7123 update the readme for multiplayer 2013-04-26 22:27:25 +10:00
Jonathan Gray
14b5c93ba1 avoid overflowing buffer with GL_EXTENSIONS, from ioquake3 2013-04-26 22:27:25 +10:00
Jonathan Gray
defd14bd3c shuffle some prototypes around to appease gcc 2013-04-26 22:27:24 +10:00
Jonathan Gray
15cc54b440 adjust to different scoping of variables declared in for loops 2013-04-26 22:27:24 +10:00
Jonathan Gray
a765a9a98e avoid extra qualification of function members 2013-04-26 22:27:24 +10:00
Jonathan Gray
ce76dab7de directly use time_t in botlib 2013-04-26 22:27:24 +10:00