[pkg-fgfs-crew] [simgear] 01/02: Add another patch fixing CVE-2012-2090, by Saikrishna Arcot. Drop a wrong description line in the last patch.

Markus Wanner markus_wanner-guest at alioth.debian.org
Sat Sep 7 19:22:57 UTC 2013


This is an automated email from the git hooks/post-receive script.

markus_wanner-guest pushed a commit to branch master
in repository simgear.

commit b43c7993368025796f0aeafa6d59df902e9d1be0
Author: Markus Wanner <markus at bluegap.ch>
Date:   Sat Sep 7 21:16:19 2013 +0200

    Add another patch fixing CVE-2012-2090, by Saikrishna Arcot. Drop
    a wrong description line in the last patch.
---
 debian/changelog                  |    5 +++--
 debian/patches/CVE-2012-2090.diff |   26 ++++++++++++++++++++++++++
 debian/patches/CVE-2012-2091.diff |    1 -
 debian/patches/series             |    1 +
 4 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 27fe7f2..a5171f0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,10 +2,11 @@ simgear (2.10.0-2) UNRELEASED; urgency=low
 
   [ Scott Kitterman ]
   * Fix for CVE-2012-2091: add checks against buffer overruns in
-    sg_socket_udp.cxx when reading from UDP sockets. Adds patch
-    CVE-2012-2091.diff. Closes: Closes: #669025.
+    sg_socket_udp.cxx when reading from UDP sockets.
 
   [ Markus Wanner ]
+  * Fix for CVE-2012-2090: prevent %n being passed to format
+    strings. Together with the above fix, this closes: #669025.
   * Update copyright file. Now in DEP-5 style.
 
  -- Markus Wanner <markus at bluegap.ch>  Sat, 07 Sep 2013 20:21:35 +0200
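Review bot: The new entry under [ Markus Wanner ] states that this fix, together with the CVE-2012-2091 one, closes #669025, but it does not say which call sites the "%n" check covers. The header of the added CVE-2012-2090.diff says the CVE mentions multiple places in simgear and flightgear and that the patch handles only the SGText::UpdateCallback() constructor. Suggest naming that scope in the changelog line and confirming the remaining simgear call sites before the bug is closed by this upload. The reworded Scott Kitterman entry also no longer records that CVE-2012-2091.diff was added; consider keeping the patch file names in the entries.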
diff --git a/debian/patches/CVE-2012-2090.diff b/debian/patches/CVE-2012-2090.diff
new file mode 100644
index 0000000..cfa42d3
--- /dev/null
+++ b/debian/patches/CVE-2012-2090.diff
@@ -0,0 +1,26 @@
+Subject: Fix for CVE-2012-2090: prevent %n being passed to format strings
+ CVE-2012-2090 mentions multiple places in simgear and flightgear that
+ allow an unsafe %n specifier to be passed as a format string. This patch
+ prevents this for simgear's SGText::UpdateCallback() constructor.
+From: Saikrishna Arcot
+Origin: https://bugs.launchpad.net/ubuntu/+source/flightgear/+bug/1077624/+attachment/3805987/+files/cve-2012-2090-check-for-%25n-in-printf-format.patch
+Last-Update: 2013-09-06
+
+--- a/simgear/scene/model/SGText.cxx
++++ b/simgear/scene/model/SGText.cxx
+@@ -46,6 +46,15 @@
+     if( format.size() == 0 ) {
+       if( numeric ) format = "%f";
+       else format = "%s";
++    } else {
++      // It is never safe for format to be %n.
++      string unsafe ("%n");
++      size_t found;
++      found=format.find(unsafe);
++      if (found!=string::npos) {
++        SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
++        format = "%s";
++      }
+     }
+   }
+ 
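Review bot: The substring test `format.find(unsafe)` in the new else branch rejects only the literal spelling "%n", so the same conversion written with a length modifier or a positional argument (for example "%hn") passes the check, and other mismatches are untouched, such as a format carrying more than one conversion or "%s" when numeric is true. The fallback has the same type problem: `format = "%s";` is assigned regardless of numeric, while the empty-format branch just above chooses "%f" for numeric values. Suggest replacing the denylist with validation that the format holds exactly one conversion of the kind matching the value, and falling back to "%f" or "%s" according to numeric. Minor: the warning text would be clearer with the specifiers quoted, it could include the rejected format string for diagnosis, and `found` can be declared and initialised on one line.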
diff --git a/debian/patches/CVE-2012-2091.diff b/debian/patches/CVE-2012-2091.diff
index a48b870..6bfb60f 100644
--- a/debian/patches/CVE-2012-2091.diff
+++ b/debian/patches/CVE-2012-2091.diff
@@ -5,7 +5,6 @@ Subject: Fix for CVE-2012-2091: add checks against buffer overruns
 From: Rebecca Palmer, Saikrishna Arcot
 Origin: https://bugs.launchpad.net/ubuntu/+source/flightgear/+bug/1077624/+attachment/3806309/+files/simgear_CVE2012_2091.patch
 Last-Update: 2013-09-06
-Patch from Rebecca Palmer, 
 
 --- a/simgear/io/sg_socket_udp.cxx
 +++ b/simgear/io/sg_socket_udp.cxx
diff --git a/debian/patches/series b/debian/patches/series
index c428fd2..b82a2b8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 gcc-macro-correction.diff
 osg-compat.diff
+CVE-2012-2090.diff
 CVE-2012-2091.diff

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/simgear.git