Quake 3 is a popular online first-person shooter developed by IDsoftware that was released in 1999 and is still widely played. Additionally, a lot of vendors have licensed the Quake3 engine for their games. A few noteworthy examples include:
========================================
Issue #1:
Remotely exploitable COM_StripExtension buffer overflow in client allows execution of arbitrary code.
========================================
This bug is also known as the "remapShader" bug, discovered by landser, who recently published a PoC opening a remote shell on vulnerable Linux clients at milw0rm.com.
details
The COM_StripExtension routine copies a given filename, minus its suffix, into another given buffer without checking the length of that buffer. R_FindShaderByName(), called by R_RemapShader(), uses a static 64-byte buffer for the copy. Servers can make the client execute R_RemapShader() by sending a "remapShader" command with overly long arguments, which overflows that buffer.
affected OS
All operating systems suffer from the bug.
affected games
Games using the Quake3 engine that accept the remapShader command in the cgame code and use an otherwise unmodified COM_StripExtension().
Vulnerable are:
- Quake3 Arena / Team Arena point release 1.32b
- Return to Castle Wolfenstein 1.41
- Wolfenstein: Enemy Territory 2.60
With a high probability vulnerable:
- Star Wars: Jedi Knight 2 / 3
Not vulnerable:
- Star Trek Voyager: Elite Force
This list cannot be considered complete. These are the only games where I have done some checking or where I know they have this bug.
Probably not vulnerable are games that are based off an older version of the Quake3 engine where the remapShader command didn't exist in the original cgame code (like EliteForce).
workaround
* There is no known workaround except playing on trusted servers.
patches
* ID has released fixed binaries, but more on that later.
========================================
Issue #2:
This bug was discovered by Ludwig Nussel and myself and was not publicly disclosed until now. CVE-2006-2082 is reserved for this bug.
details
* Players connecting to servers that use .pk3 files not available on the client can download the missing files from the server if that server allows it. The client then explicitly requests a filename to download. Unfortunately, the server does no checking of the filename at all, allowing modified clients to download any file via directory traversal like "../../../../../../../etc/passwd" with the rights of the user the server runs under.
affected OS
* All operating systems are affected.
affected games
* As long as game developers haven't heavily modified that part of the server code, it is safe to say that most Quake3 engine based games are vulnerable. To test all available games is beyond my resources, but I can say with certainty that these games are affected:
- Quake3 Arena / Team Arena
IDsoftware has confirmed that games using the Doom3 engine are not vulnerable to this particular bug.
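The filename check that Issue #2 says the server lacks, sketched in C as an added example (not id Software's or icculus.org's code). The function name and the policy (relative path only, no "." or ".." component, ".pk3" suffix required) are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Added example: hypothetical helper, not the engine's own code.
 * Assumed policy: relative path, no "." or ".." component, ".pk3" suffix. */

/* Returns 1 if `name` is longer than `suffix` and ends with it. */
static int ends_with(const char *name, const char *suffix)
{
    size_t n = strlen(name), s = strlen(suffix);
    return n > s && strcmp(name + n - s, suffix) == 0;
}

/* Returns 1 if a client-requested download name is acceptable, else 0. */
int download_name_is_safe(const char *name)
{
    const char *p;

    if (name == NULL || name[0] == '\0')
        return 0;
    /* Reject absolute paths and Windows drive or stream specifiers. */
    if (name[0] == '/' || name[0] == '\\' || strchr(name, ':') != NULL)
        return 0;
    /* Walk the path one component at a time; either separator counts. */
    p = name;
    while (*p != '\0') {
        size_t len = strcspn(p, "/\\");
        if (len == 0)                       /* empty component, "a//b" */
            return 0;
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                       /* parent-directory step */
        if (len == 1 && p[0] == '.')
            return 0;                       /* current-directory step */
        p += len;
        if (*p != '\0')
            p++;                            /* skip the separator */
    }
    /* Downloads exist to fetch missing pack files, nothing else. */
    return ends_with(name, ".pk3");
}
```

This filter only covers the shape of the path; matching the request against the list of pack files the server actually has loaded is stricter still.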
========================================
Patches:
========================================
IDsoftware has released new packages containing builds that fix both issues for these games:
Check out idsoftware's news page and their ftp server.
You can also check out the icculus.org/quake3 project that has both issues fixed in the latest SVN repository (rev. 777 as of this writing). Updated binaries will be released soon.
========================================
Acknowledgements
========================================
... landser and the milw0rm people for making the remapShader bug public.
... Ludwig for coordinating disclosure and having the idea about bug #2 in the first place.
... the other guys at icculus.org (zakk, timbo, ryan to name a few) for having come so far with debugging/cleaning up/porting the original 1.32b source release for various platforms.
... Timothee Besset and the guys at idsoftware for still releasing fixed builds for a game that is more than 6 years old (which is important because of Punkbuster support).
========================================
Links
========================================
http://www.idsoftware.com
http://milw0rm.com/exploits/1750
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2082
ftp://ftp.idsoftware.com/idstuff/
http://icculus.org/quake3/
http://svn.icculus.org/quake3/trunk/
-- Thilo Schulz