Quake 3 Engine contains a flaw that may allow a remote denial of service. The issue is triggered when a remote attacker sends a specially crafted getstatus UDP request to the server, which will result in loss of availability for the server.

Multiple vendors which bundle the engine have released upgrades for this vulnerability. ioquake3 patched this in SVN revision 1762, but has not released a formal version upgrade.

• CVE ID: 2010-5077 (see also: NVD)
• Secunia Advisory ID: 48594
• Bugtraq ID: 52719
• ISS X-Force ID: 74343
• Vendor Specific Advisory URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665656
• Vendor Specific Solution URL: http://icculus.org/pipermail/quake3-commits/2010-January/001679.html
• Vendor URL: http://ioquake3.org/
• Mail List Post: http://lists.ioquake.org/pipermail/ioquake3-ioquake.org/2012-January/004778.html
  http://lists.ioquake.org/pipermail/ioquake3-ioquake.org/2012-January/004778.html
  http://seclists.org/bugtraq/2012/Mar/127
• Other Advisory URL: http://openarena.ws/board/index.php?topic=4391.0
  http://www.urbanterror.info/forums/topic/27825-drdos/
• Packet Storm: http://packetstormsecurity.org/files/111240/Quake-3-Denial-Of-Service.html
• Vendor Specific News/Changelog Entry: http://www.debian.org/security/2012/dsa-2442

• Not Available

NVD does not currently have a CVSSv2 score assigned.