[pkg-fgfs-crew] [simgear] 01/02: Add another patch fixing CVE-2012-2090, by Saikrishna Arcot. Drop a wrong description line in the last patch.
Markus Wanner
markus_wanner-guest at alioth.debian.org
Sat Sep 7 19:22:57 UTC 2013
This is an automated email from the git hooks/post-receive script.
markus_wanner-guest pushed a commit to branch master
in repository simgear.
commit b43c7993368025796f0aeafa6d59df902e9d1be0
Author: Markus Wanner <markus at bluegap.ch>
Date: Sat Sep 7 21:16:19 2013 +0200
Add another patch fixing CVE-2012-2090, by Saikrishna Arcot. Drop
a wrong description line in the last patch.
---
debian/changelog | 5 +++--
debian/patches/CVE-2012-2090.diff | 26 ++++++++++++++++++++++++++
debian/patches/CVE-2012-2091.diff | 1 -
debian/patches/series | 1 +
4 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 27fe7f2..a5171f0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,10 +2,11 @@ simgear (2.10.0-2) UNRELEASED; urgency=low
[ Scott Kitterman ]
* Fix for CVE-2012-2091: add checks against buffer overruns in
- sg_socket_udp.cxx when reading from UDP sockets. Adds patch
- CVE-2012-2091.diff. Closes: Closes: #669025.
+ sg_socket_udp.cxx when reading from UDP sockets.
[ Markus Wanner ]
+ * Fix for CVE-2012-2090: prevent %n being passed to format
+ strings. Together with the above fix, this closes: #669025.
* Update copyright file. Now in DEP-5 style.
-- Markus Wanner <markus at bluegap.ch> Sat, 07 Sep 2013 20:21:35 +0200
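Review bot: The new changelog entry "Fix for CVE-2012-2090: prevent %n being passed to format strings" reads as a complete fix and closes #669025, but the header of the CVE-2012-2090.diff added in this same commit says the CVE covers multiple places in simgear and flightgear and that the patch handles only the SGText::UpdateCallback() constructor. Suggest scoping the entry to SGText.cxx, the way the CVE-2012-2091 entry names sg_socket_udp.cxx, and closing the bug only once the remaining simgear locations are patched or confirmed to be tracked elsewhere.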
diff --git a/debian/patches/CVE-2012-2090.diff b/debian/patches/CVE-2012-2090.diff
new file mode 100644
index 0000000..cfa42d3
--- /dev/null
+++ b/debian/patches/CVE-2012-2090.diff
@@ -0,0 +1,26 @@
+Subject: Fix for CVE-2012-2090: prevent %n being passed to format strings
+ CVE-2012-2090 mentions multiple places in simgear and flightgear that
+ allow an unsafe %n specifier to be passed as a format string. This patch
+ prevents this for simgear's SGText::UpdateCallback() constructor.
+From: Saikrishna Arcot
+Origin: https://bugs.launchpad.net/ubuntu/+source/flightgear/+bug/1077624/+attachment/3805987/+files/cve-2012-2090-check-for-%25n-in-printf-format.patch
+Last-Update: 2013-09-06
+
+--- a/simgear/scene/model/SGText.cxx
++++ b/simgear/scene/model/SGText.cxx
+@@ -46,6 +46,15 @@
+ if( format.size() == 0 ) {
+ if( numeric ) format = "%f";
+ else format = "%s";
++ } else {
++ // It is never safe for format to be %n.
++ string unsafe ("%n");
++ size_t found;
++ found=format.find(unsafe);
++ if (found!=string::npos) {
++ SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
++ format = "%s";
++ }
+ }
+ }
+
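Review bot: The test in the added else branch, format.find(unsafe) with unsafe set to "%n", matches only that literal two-character sequence, so an n conversion written with a length modifier, field width or positional argument (%hn, %ln, %5n, %1$n) still gets through, while a harmless "%%n" is rejected. The fallback is also always format = "%s", even when numeric is true, although the empty-format branch just above chooses "%f" in that case; if the value is then formatted as a number, "%s" is the wrong conversion. Suggest replacing the substring blacklist with a small parser that accepts exactly one conversion of the type expected for numeric or text input, and falling back to "%f" or "%s" according to numeric.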
diff --git a/debian/patches/CVE-2012-2091.diff b/debian/patches/CVE-2012-2091.diff
index a48b870..6bfb60f 100644
--- a/debian/patches/CVE-2012-2091.diff
+++ b/debian/patches/CVE-2012-2091.diff
@@ -5,7 +5,6 @@ Subject: Fix for CVE-2012-2091: add checks against buffer overruns
From: Rebecca Palmer, Saikrishna Arcot
Origin: https://bugs.launchpad.net/ubuntu/+source/flightgear/+bug/1077624/+attachment/3806309/+files/simgear_CVE2012_2091.patch
Last-Update: 2013-09-06
-Patch from Rebecca Palmer,
--- a/simgear/io/sg_socket_udp.cxx
+++ b/simgear/io/sg_socket_udp.cxx
diff --git a/debian/patches/series b/debian/patches/series
index c428fd2..b82a2b8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
gcc-macro-correction.diff
osg-compat.diff
+CVE-2012-2090.diff
CVE-2012-2091.diff
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/simgear.git