COMMAND

    QuakeWorld

SYSTEMS AFFECTED

    Systems running QW

PROBLEM

    Glenn F. Maynard found the following.  QuakeWorld v2.10 (latest)
    can be overflowed in the initial "connect" sequence.  The first
    client->server packet gives the user name, colors, etc.:

        0xFF,0xFF,0xFF,0xFF followed by (plaintext) ->
        connect "\name\Glenn\key\data"

    There is no bounds checking on this connect; sending the following
    with netcat will crash the server (although the segfault appears to
    be trapped; no message is displayed, and no core is left):

        'connect "\x\xxxxxxxxxxxxxxxxxx' (repeat "x" as needed;
                                         replace the first 4 spaces
                                         with 0xFF).
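
    The missing check, sketched as an added example (this is not code
    from QuakeWorld or from the original report): a parser for the
    connect packet that bounds the copy by the datagram length and the
    destination size.  The names parse_connect and USERINFO_MAX and the
    128-byte limit are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed limit for this example; not taken from the QuakeWorld source. */
#define USERINFO_MAX 128

enum parse_result { PARSE_OK = 0, PARSE_NOT_CONNECT, PARSE_MALFORMED, PARSE_TOO_LONG };

/*
 * Parse an out-of-band packet of the form described in the advisory:
 *   0xFF 0xFF 0xFF 0xFF connect "<userinfo>"
 * and copy <userinfo> into out (capacity out_cap, including the NUL).
 * The length comes from the datagram size, never from a terminator.
 */
enum parse_result parse_connect(const unsigned char *pkt, size_t len,
                                char *out, size_t out_cap)
{
    static const unsigned char hdr[4] = { 0xFF, 0xFF, 0xFF, 0xFF };
    static const char cmd[] = "connect \"";
    const size_t cmd_len = sizeof(cmd) - 1;
    const unsigned char *start, *end;
    size_t info_len;

    if (out_cap == 0)
        return PARSE_MALFORMED;
    out[0] = '\0';
    if (len < sizeof(hdr) + cmd_len || memcmp(pkt, hdr, sizeof(hdr)) != 0)
        return PARSE_NOT_CONNECT;
    if (memcmp(pkt + sizeof(hdr), cmd, cmd_len) != 0)
        return PARSE_NOT_CONNECT;

    start = pkt + sizeof(hdr) + cmd_len;
    /* Search for the closing quote only within the received bytes. */
    end = memchr(start, '"', len - (size_t)(start - pkt));
    if (end == NULL)
        return PARSE_MALFORMED;   /* unterminated string, as in the crash input */

    info_len = (size_t)(end - start);
    if (info_len >= out_cap)
        return PARSE_TOO_LONG;    /* reject instead of truncating or overflowing */
    if (memchr(start, '\0', info_len) != NULL)
        return PARSE_MALFORMED;   /* embedded NUL would confuse later string handling */

    memcpy(out, start, info_len);
    out[info_len] = '\0';
    return PARSE_OK;
}
```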

SOLUTION

    Nothing yet.