A distributed denial of service flaw was found in the way Quake3 Arena / OpenArena servers used to handle 'getstatus' and 'rcon' (remote command) connectionless requests. A remote attacker could use this flaw to perform a distributed denial of service attack against the target gameserver IP by spoofing certain packets.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665656
[2] http://openarena.ws/board/index.php?topic=4391.0
[3] http://www.ioquake.org/forums/viewtopic.php?f=12&t=1694
[4] http://www.urbanterror.info/forums/topic/27825-drdos/
[5] http://lists.ioquake.org/pipermail/ioquake3-ioquake.org/2012-January/004778.html

Relevant upstream patch:
[6] http://icculus.org/pipermail/quake3-commits/2010-January/001679.html
CVE request: http://www.openwall.com/lists/oss-security/2012/03/26/2
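The upstream fix referenced above limits how often a single source address may issue these connectionless requests, so a flood of packets forged with a victim's address stops being amplified. The following Python is an added illustration of that defence, not code from this report, Fedora or ioquake3; the bucket size, refill rate, addresses and sample traffic are all constructed assumptions.

```python
from collections import defaultdict

OOB_PREFIX = b"\xff\xff\xff\xff"          # Quake3 connectionless packet marker
RATE_LIMITED = (b"getstatus", b"rcon")    # the two requests named in the report

def oob_command(packet: bytes):
    """Return the command word of a connectionless packet, or None if the
    packet is not connectionless or carries no command."""
    if not packet.startswith(OOB_PREFIX):
        return None
    words = packet[len(OOB_PREFIX):].split()
    return words[0].lower() if words else None

class SourceBucket:
    """Token bucket keyed by source address (sizes are assumptions): `burst`
    requests may be answered at once, then one more per `refill_ms`. A spoofed
    flood from one victim address drains its bucket; an occasional genuine
    query from another address is still answered."""
    def __init__(self, burst=10, refill_ms=1000):
        self.burst, self.refill_ms = burst, refill_ms
        self.state = {}  # src -> (tokens, last_seen_ms)

    def allow(self, src, now_ms):
        tokens, last = self.state.get(src, (self.burst, now_ms))
        tokens = min(self.burst, tokens + (now_ms - last) / self.refill_ms)
        if tokens >= 1:
            self.state[src] = (tokens - 1, now_ms)
            return True
        self.state[src] = (tokens, now_ms)
        return False

def handle_packets(events, limiter=None):
    """Run (t_ms, src, packet) events through the limiter and return
    {src: {"served": n, "dropped": n}} for the rate-limited commands only."""
    limiter = limiter or SourceBucket()
    stats = defaultdict(lambda: {"served": 0, "dropped": 0})
    for t_ms, src, packet in events:
        if oob_command(packet) not in RATE_LIMITED:
            continue                      # other traffic is not subject to this limit
        key = "served" if limiter.allow(src, t_ms) else "dropped"
        stats[src][key] += 1
    return dict(stats)

# Constructed sample traffic: 50 getstatus packets in one second whose source is
# forged to the victim's address, plus one genuine query from a server browser.
VICTIM, BROWSER = "198.51.100.7", "203.0.113.9"
SAMPLE = [(i * 20, VICTIM, OOB_PREFIX + b"getstatus") for i in range(50)]
SAMPLE.append((500, BROWSER, OOB_PREFIX + b"getstatus"))
SAMPLE.append((600, BROWSER, OOB_PREFIX + b"connect"))   # not rate limited

if __name__ == "__main__":
    print(handle_packets(SAMPLE))
```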
This issue did NOT affect the current versions of the quake3 package, as shipped with Fedora releases 15 and 16 (those versions already contain the upstream patch preventing this deficiency).
This issue does seem to affect Tremulous 1.2beta1 which we ship in Fedora (the patch is unapplied there). Originally reported via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665842
Created tremulous tracking bugs for this issue
Affects: fedora-all [bug 806980]
This issue has been assigned the name CVE-2010-5077.
tremulous-1.2.0-0.5.beta1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
tremulous-1.2.0-0.5.beta1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.