[pkg-fgfs-crew] [simgear] 01/01: Add fix for CVE-2012-2091, from launchpad bug #1077624. Patch by Rebecca Palmer, hint by Scott Kitterman. Closes: #669024.

Markus Wanner markus_wanner-guest at alioth.debian.org
Sat Sep 7 19:09:15 UTC 2013


This is an automated email from the git hooks/post-receive script.

markus_wanner-guest pushed a commit to branch master
in repository simgear.

commit 839c2b9a8a932a182b5026f61ad5bec5997a46d7
Author: Markus Wanner <markus at bluegap.ch>
Date:   Sat Sep 7 21:04:28 2013 +0200

    Add fix for CVE-2012-2091, from launchpad bug #1077624. Patch by
    Rebecca Palmer, hint by Scott Kitterman. Closes: #669024.
---
 debian/changelog                  |    8 ++++++-
 debian/patches/CVE-2012-2091.diff |   43 +++++++++++++++++++++++++++++++++++++
 debian/patches/series             |    1 +
 3 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index b72513a..27fe7f2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,14 @@
 simgear (2.10.0-2) UNRELEASED; urgency=low
 
+  [ Scott Kitterman ]
+  * Fix for CVE-2012-2091: add checks against buffer overruns in
+    sg_socket_udp.cxx when reading from UDP sockets. Adds patch
+    CVE-2012-2091.diff. Closes: Closes: #669025.
+
+  [ Markus Wanner ]
   * Update copyright file. Now in DEP-5 style.
 
- -- Markus Wanner <markus at bluegap.ch>  Thu, 29 Aug 2013 21:27:07 +0200
+ -- Markus Wanner <markus at bluegap.ch>  Sat, 07 Sep 2013 20:21:35 +0200
 
 simgear (2.10.0-1) experimental; urgency=low
 
diff --git a/debian/patches/CVE-2012-2091.diff b/debian/patches/CVE-2012-2091.diff
new file mode 100644
index 0000000..a48b870
--- /dev/null
+++ b/debian/patches/CVE-2012-2091.diff
@@ -0,0 +1,43 @@
+Subject: Fix for CVE-2012-2091: add checks against buffer overruns
+ CVE-2012-2091 mentions various buffer overruns in simgear and flightgear.
+ flightgear. This patch addresses issues in SGSocketUDP::read() and
+ SGSocketUDP::readline() - for simgear only, obviously.
+From: Rebecca Palmer, Saikrishna Arcot
+Origin: https://bugs.launchpad.net/ubuntu/+source/flightgear/+bug/1077624/+attachment/3806309/+files/simgear_CVE2012_2091.patch
+Last-Update: 2013-09-06
+Patch from Rebecca Palmer, 
+
+--- a/simgear/io/sg_socket_udp.cxx
++++ b/simgear/io/sg_socket_udp.cxx
+@@ -104,8 +104,12 @@
+     }
+ 
+     int result;
++    if (length < 0) {
++        length = 0;
++    }
++    int maxsize = length < SG_IO_MAX_MSG_SIZE ? length : SG_IO_MAX_MSG_SIZE;
+ 
+-    if ( (result = sock.recv(buf, SG_IO_MAX_MSG_SIZE, 0)) >= 0 ) {
++    if ( (result = sock.recv(buf, maxsize, 0)) >= 0 ) {
+ 	buf[result] = '\0';
+ 	// printf("msg received = %s\n", buf);
+     }
+@@ -123,7 +127,8 @@
+     // cout << "sock = " << sock << endl;
+ 
+     char *buf_ptr = save_buf + save_len;
+-    int result = sock.recv(buf_ptr, SG_IO_MAX_MSG_SIZE, 0);
++    int maxsize = save_len < SG_IO_MAX_MSG_SIZE ? SG_IO_MAX_MSG_SIZE : 2 * SG_IO_MAX_MSG_SIZE - save_len; //prevent buffer overflow (size of save_buf is 2 * SG_IO_MAX_MSG_SIZE)
++    int result = sock.recv(buf_ptr, maxsize, 0);
+     // printf("msg received = %s\n", buf);
+     save_len += result;
+ 
+@@ -142,6 +147,7 @@
+     // we found an end of line
+ 
+     // copy to external buffer
++    result = result < length ? result : length; //prevent buffer overflow
+     strncpy( buf, save_buf, result );
+     buf[result] = '\0';
+     // cout << "sg_socket line = " << buf << endl;
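Review bot: The NUL terminator can still land one byte past the caller's buffer. In the inner hunk at -104, `maxsize` may equal `length`, so a full-size datagram makes `buf[result] = '\0'` write `buf[length]`; the inner hunk at -142 clamps `result` to `length` before the same terminator write. Assuming `length` is the capacity of `buf` (both function signatures lie outside the hunk), each clamp should reserve a byte, e.g. `int maxsize = length - 1 < SG_IO_MAX_MSG_SIZE ? length - 1 : SG_IO_MAX_MSG_SIZE;` and `if (result >= length) result = length - 1;`, with `length <= 0` rejected up front rather than clamped to 0. Separately, the inner hunk at -123 still runs `save_len += result` without checking for a negative return from `sock.recv()`, so an error would move `save_len` backwards and shift the next `buf_ptr`. A guard before the addition, such as `if (result < 0) return 0;`, would close that, though the right return value depends on code not shown here.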
diff --git a/debian/patches/series b/debian/patches/series
index e0abda2..c428fd2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 gcc-macro-correction.diff
 osg-compat.diff
+CVE-2012-2091.diff

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/simgear.git


