MidnightBSD

Advisories for id_software

CVE-1999-1229 LOW

Quake 2 server 3.13 on Linux does not properly check file permissions for the config.cfg configuration file, which allows local users to read arbitrary files via a symlink from config.cfg to the target file.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software quake_2_server *
CVE-1999-1230 MEDIUM

Quake 2 server allows remote attackers to cause a denial of service via a spoofed UDP packet with a source address of 127.0.0.1, which causes the server to attempt to connect to itself.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software quake_2 *
CVE-1999-1502 HIGH

Buffer overflows in Quake 1.9 client allows remote malicious servers to execute arbitrary commands via long (1) precache paths, (2) server name, (3) server address, or (4) argument to the map console command.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software quake 1.9
CVE-1999-1505 HIGH

Buffer overflow in QuakeWorld 2.10 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary commands via a long initial connect packet.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software quakeworld 2.10
CVE-1999-1569 MEDIUM

Quake 1 and NetQuake servers allow remote attackers to cause a denial of service (resource exhaustion or forced disconnection) via a flood of spoofed UDP connection packets, which exceeds the server's player limit.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software quake 1.9
CVE-2000-0303 MEDIUM

Quake3 Arena allows malicious server operators to read or modify files on a client via a dot dot (..) attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software quake_3_arena 1.16n
CVE-2000-1080 MEDIUM

Quake 1 (quake1) and ProQuake 1.01 and earlier allow remote attackers to cause a denial of service via a malformed (empty) UDP packet.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software quake 1.9
j._p._grossman proquake 1.0
CVE-2001-1289 MEDIUM

Quake 3 arena 1.29f and 1.29g allows remote attackers to cause a denial of service (crash) via a malformed connection packet that begins with several char-255 characters.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software quake_3_arena 1.29g
id_software quake_3_arena 1.29f
CVE-2002-0770 MEDIUM

Quake 2 (Q2) server 3.20 and 3.21 allows remote attackers to obtain sensitive server cvar variables, obtain directory listings, and execute Q2 server admin commands via a client that does not expand "$" macros, which causes the server to expand the macros and leak the information, as demonstrated using "say $rcon_password."

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software quake_2i_server 3.21
id_software quake_2i_server 3.20
CVE-2004-2592 MEDIUM

Quake II server before R1Q2, as used in multiple products, allows remote attackers to cause a denial of service (application crash) via a modified client that asks the server to send data stored at a negative array offset, which is not handled when processing Configstrings and Baselines.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
id_software quake_ii_server 3.20
id_software quake_ii_server 3.21
CVE-2004-2593 HIGH

Buffer overflow in command-packet processing of Quake II server before R1Q2, as used in multiple products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a packet with a long cmd_args buffer.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software quake_ii_server 3.20
id_software quake_ii_server 3.21
CVE-2004-2594 MEDIUM

Absolute path traversal vulnerability in Quake II server before R1Q2 on Windows, as used in multiple products, allows remote attackers to read arbitrary files via a "\/" in a pathname argument, as demonstrated by "download \/server.cfg".

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software quake_ii_server_windows 3.20
id_software quake_ii_server_windows 3.21
CVE-2004-2595 MEDIUM

Absolute path traversal vulnerability in Quake II server before R1Q2 on Linux, as used in multiple products, allows remote attackers to cause a denial of service (application crash) via a download command with a full pathname for a directory in the argument, which causes the server to crash when it cannot read data.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software quake_ii_server_linux 3.20
id_software quake_ii_server_linux 3.21
CVE-2004-2596 MEDIUM

Quake II server before R1Q2, as used in multiple products, allows remote attackers to cause a denial of service (exhaustion of connection slots) via a large number of connections from the same IP address.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
id_software quake_ii_server 3.20
id_software quake_ii_server 3.21
CVE-2004-2597 MEDIUM

Quake II server before R1Q2, as used in multiple products, allows remote attackers to bypass IP-based access control rules via a userinfo string that already contains an "ip" key/value pair but is also long enough to cause a new key/value pair to be truncated, which interferes with the server's ability to find the client's IP address.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software quake_ii_server 3.20
id_software quake_ii_server 3.21
CVE-2005-0430 MEDIUM

The Quake 3 engine, as used in multiple game packages, allows remote attackers to cause a denial of service (shutdown game server) and possibly crash the server via a long infostring, possibly triggering a buffer overflow.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software quake_3_engine *
CVE-2005-0983 MEDIUM

Quake 3 engine, as used in multiple games, allows remote attackers to cause a denial of service (client disconnect) via a long message, which is not properly truncated and causes the engine to process the remaining data as if it were network data.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
activision call_of_duty 1.5b
raven_software soldier_of_fortune_2 1.0.3
activision call_of_duty_united_offensive 1.51b
id_software wolfenstein_enemy_territory 1.0.2
activision call_of_duty 1.4
id_software quake_3_arena_server 1.29g
lucasarts star_wars_jedi_knight_jedi_academy 1.0.11
activision call_of_duty_united_offensive 1.41
id_software quake_3_arena_server 1.29f
id_software quake_3_arena 1.1.7
activision return_to_castle_wolfenstein 1.1
raven_software soldier_of_fortune_2 1.0.2
id_software quake_3_arena 1.16
lucasarts star_wars_jedi_knight_ii_jedi_outcast 1.0.4
id_software quake_3_engine *
activision return_to_castle_wolfenstein 1.0
id_software quake_3_arena 1.31
id_software wolfenstein_enemy_territory 2.56
CVE-2006-2082 HIGH

Directory traversal vulnerability in Quake 3 engine, as used in products including Quake3 Arena, Return to Castle Wolfenstein, Wolfenstein: Enemy Territory, and Star Trek Voyager: Elite Force, when the sv_allowdownload cvar is enabled, allows remote attackers to read arbitrary files from the server via ".." sequences in a .pk3 file request.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software quake_3_engine *
CVE-2006-2236 HIGH

Buffer overflow in the Quake 3 Engine, as used by (1) ET 2.60, (2) Return to Castle Wolfenstein 1.41, and (3) Quake III Arena 1.32b allows remote attackers to execute arbitrary commands via a long remapShader command.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software return_to_castle_wolfenstein 1.41
id_software quake_3_engine 1.32b
id_software quake_3_arena 1.32b
id_software wolfenstein_enemy_territory 2.60
CVE-2006-2875 HIGH

Stack-based buffer overflow in the CL_ParseDownload function of Quake 3 Engine 1.32c and earlier, as used in multiple products, allows remote attackers to execute arbitrary code via a svc_download command with compressed data that triggers the overflow during expansion.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software quake_3_engine *
CVE-2006-3324 MEDIUM

The Automatic Downloading option in the id3 Quake 3 Engine and the Icculus Quake 3 Engine (ioquake3) before revision 804 allows remote attackers to overwrite arbitrary files in the quake3 directory (fs_homepath cvar) via a long string of filenames, as contained in the neededpaks buffer.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software quake_3_engine icculus_804
id_software quake_3_engine 1.32b
id_software quake_3_engine icculus_803
id_software quake_3_engine 1.32c
id_software quake_3_engine *
CVE-2006-3325 MEDIUM

client/cl_parse.c in the id3 Quake 3 Engine 1.32c and the Icculus Quake 3 Engine (ioquake3) revision 810 and earlier allows remote malicious servers to overwrite arbitrary write-protected cvars variables on the client, such as cl_allowdownload for Automatic Downloading and fs_homepath for the quake3 path, via a string of cvar names and values sent from the server. NOTE: this can be combined with another vulnerability to overwrite arbitrary files.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software quake_3_engine icculus_804
id_software quake_3_engine icculus_810
id_software quake_3_engine 1.32b
id_software quake_3_engine icculus_806
id_software quake_3_engine icculus_803
id_software quake_3_engine icculus_808
id_software quake_3_engine icculus_805
id_software quake_3_engine icculus_809
id_software quake_3_engine 1.32c
id_software quake_3_engine *
id_software quake_3_engine icculus_807
CVE-2006-3400 HIGH

Stack-based buffer overflow in the CG_ServerCommand function in Quake 3 Engine as used by Soldier of Fortune 2 (SOF2MP) GOLD 1.03 allows remote attackers to cause a denial of service and possibly execute code by sending a long command from the server.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
id_software quake_3_engine 1.32b
id_software quake_3_engine 1.32c
id_software quake_3_engine icculus_812
raven_software soldier_of_fortune_2 1.03
CVE-2006-3401 HIGH

Stack-based buffer overflow in Quake 3 Engine as used by Quake 3: Arena 1.32b and 1.32c allows remote attackers to cause a denial of service and possibly execute code via long CS_ITEMS values.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
id_software quake_3_engine 1.32b
id_software quake_3_engine 1.32c
id_software quake_3_engine icculus_812