PT-2007-6331 · Id+1 · Quake 4+3
Luigi Auriemma
Published: 2007-10-06
Updated: 2018-10-15
CVE-2007-5248
CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
Doom 3 versions 1.3.1 and earlier
Quake 4 versions 1.4.2 and earlier
Prey versions 1.3 and earlier
Description:
The issue concerns format string vulnerabilities in the id Software Doom 3 engine when Punkbuster (PB) is enabled. They allow remote attackers to execute arbitrary code or cause a denial of service via format string specifiers in specific packets, including PB Y packets to the YPG server and PB U packets to UCON. The issue might be related to Punkbuster itself, but details are insufficient to confirm this.
Recommendations:
For Doom 3 versions 1.3.1 and earlier, consider disabling Punkbuster (PB) until a patch is available.
For Quake 4 versions 1.4.2 and earlier, consider disabling Punkbuster (PB) until a patch is available.
For Prey versions 1.3 and earlier, consider disabling Punkbuster (PB) until a patch is available.
As a temporary workaround, consider restricting the use of PB Y and PB U packets to minimize the risk of exploitation.
Exploit
Fix
Use of Externally-Controlled Format String
Weakness Enumeration
Related Identifiers
Affected Products
Doom 3
Prey
Punkbuster
Quake 4