[pkg-fgfs-crew] [simgear] 01/01: Add fix for CVE-2012-2091, from launchpad bug #1077624. Patch by Rebecca Palmer, hint by Scott Kitterman. Closes: #669024.
Markus Wanner
markus_wanner-guest at alioth.debian.org
Sat Sep 7 19:09:15 UTC 2013
This is an automated email from the git hooks/post-receive script.
markus_wanner-guest pushed a commit to branch master
in repository simgear.
commit 839c2b9a8a932a182b5026f61ad5bec5997a46d7
Author: Markus Wanner <markus at bluegap.ch>
Date: Sat Sep 7 21:04:28 2013 +0200
Add fix for CVE-2012-2091, from launchpad bug #1077624. Patch by
Rebecca Palmer, hint by Scott Kitterman. Closes: #669024.
---
debian/changelog | 8 ++++++-
debian/patches/CVE-2012-2091.diff | 43 +++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 51 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index b72513a..27fe7f2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,14 @@
simgear (2.10.0-2) UNRELEASED; urgency=low
+ [ Scott Kitterman ]
+ * Fix for CVE-2012-2091: add checks against buffer overruns in
+ sg_socket_udp.cxx when reading from UDP sockets. Adds patch
+ CVE-2012-2091.diff. Closes: Closes: #669025.
+
+ [ Markus Wanner ]
* Update copyright file. Now in DEP-5 style.
- -- Markus Wanner <markus at bluegap.ch> Thu, 29 Aug 2013 21:27:07 +0200
+ -- Markus Wanner <markus at bluegap.ch> Sat, 07 Sep 2013 20:21:35 +0200
simgear (2.10.0-1) experimental; urgency=low
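Review bot: The new changelog entry ends with "Closes: Closes: #669025", which repeats the keyword and names a different bug number than the commit message (#669024). Use a single "Closes:" and make the two numbers agree. The entry is also filed under [ Scott Kitterman ], while the commit message credits the patch to Rebecca Palmer with a hint from Scott Kitterman, so consider naming the patch author in the entry text.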
diff --git a/debian/patches/CVE-2012-2091.diff b/debian/patches/CVE-2012-2091.diff
new file mode 100644
index 0000000..a48b870
--- /dev/null
+++ b/debian/patches/CVE-2012-2091.diff
@@ -0,0 +1,43 @@
+Subject: Fix for CVE-2012-2091: add checks against buffer overruns
+ CVE-2012-2091 mentions various buffer overruns in simgear and flightgear.
+ flightgear. This patch addresses issues in SGSocketUDP::read() and
+ SGSocketUDP::readline() - for simgear only, obviously.
+From: Rebecca Palmer, Saikrishna Arcot
+Origin: https://bugs.launchpad.net/ubuntu/+source/flightgear/+bug/1077624/+attachment/3806309/+files/simgear_CVE2012_2091.patch
+Last-Update: 2013-09-06
+Patch from Rebecca Palmer,
+
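Review bot: The patch header contains a repeated word and an unfinished line. The description line ends with "flightgear." and the next line starts with "flightgear." again, and the last header line, "Patch from Rebecca Palmer,", stops at a comma. Drop the repeat and either finish or remove the last line, since From: already names the authors.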
+--- a/simgear/io/sg_socket_udp.cxx
++++ b/simgear/io/sg_socket_udp.cxx
+@@ -104,8 +104,12 @@
+ }
+
+ int result;
++ if (length < 0) {
++ length = 0;
++ }
++ int maxsize = length < SG_IO_MAX_MSG_SIZE ? length : SG_IO_MAX_MSG_SIZE;
+
+- if ( (result = sock.recv(buf, SG_IO_MAX_MSG_SIZE, 0)) >= 0 ) {
++ if ( (result = sock.recv(buf, maxsize, 0)) >= 0 ) {
+ buf[result] = '\0';
+ // printf("msg received = %s\n", buf);
+ }
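Review bot: The terminator write `buf[result] = '\0'` can still land one byte past the caller's buffer. With `maxsize` equal to `length`, recv may return `length`, and the write then goes to `buf[length]`. If `length` is the size of `buf`, cap the receive at `length - 1`, or document that callers must supply `length + 1` bytes. When `length` is zero or negative the code clamps to 0 and still calls recv with a zero size. Returning early would be clearer and would avoid consuming a datagram that cannot be stored.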
+@@ -123,7 +127,8 @@
+ // cout << "sock = " << sock << endl;
+
+ char *buf_ptr = save_buf + save_len;
+- int result = sock.recv(buf_ptr, SG_IO_MAX_MSG_SIZE, 0);
++ int maxsize = save_len < SG_IO_MAX_MSG_SIZE ? SG_IO_MAX_MSG_SIZE : 2 * SG_IO_MAX_MSG_SIZE - save_len; //prevent buffer overflow (size of save_buf is 2 * SG_IO_MAX_MSG_SIZE)
++ int result = sock.recv(buf_ptr, maxsize, 0);
+ // printf("msg received = %s\n", buf);
+ save_len += result;
+
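Review bot: `save_len += result;` runs right after the recv with no check for a negative `result` in the visible lines, so a failed recv would shrink `save_len` and shift the next `save_buf + save_len` write position backwards. Test `result` before adding it. The new `maxsize` expression also reaches 0 once `save_len` equals `2 * SG_IO_MAX_MSG_SIZE`, and the hunk should state what happens then, because a UDP recv with too small a buffer truncates the datagram and discards the rest. The long trailing comment on the `maxsize` line would read better on its own line above the statement.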
+@@ -142,6 +147,7 @@
+ // we found an end of line
+
+ // copy to external buffer
++ result = result < length ? result : length; //prevent buffer overflow
+ strncpy( buf, save_buf, result );
+ buf[result] = '\0';
+ // cout << "sg_socket line = " << buf << endl;
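Review bot: Clamping `result` to `length` still lets `buf[result] = '\0'` write to `buf[length]`, one past the end if `length` is the size of `buf`. Clamp to `length - 1` instead. Unlike the first hunk, this one has no guard for a negative `length`: the ternary would then set `result` to that negative value, and `strncpy( buf, save_buf, result )` would receive it converted to a very large size. Add the same `length` check here, and note in a comment that a line longer than the caller's buffer is silently truncated.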
diff --git a/debian/patches/series b/debian/patches/series
index e0abda2..c428fd2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
gcc-macro-correction.diff
osg-compat.diff
+CVE-2012-2091.diff
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/simgear.git