[pkg-fgfs-crew] [flightgear] 01/01: Really fix #669025, now.
Markus Wanner
markus_wanner-guest at alioth.debian.org
Sun Sep 8 08:27:06 UTC 2013
This is an automated email from the git hooks/post-receive script.
markus_wanner-guest pushed a commit to branch master
in repository flightgear.
commit 334098af9560db0b86dd75e770005f42071cefc5
Author: Markus Wanner <markus at bluegap.ch>
Date: Sun Sep 8 10:23:40 2013 +0200
Really fix #669025, now.
Fix for CVE-2012-2090: prevent %n from being passed to format strings.
Fix for CVE-2012-2091: use snprintf() rather than sprintf().
Fix upstream issue #1117 similar to CVE-2012-2091.
---
debian/changelog | 8 ++++
debian/patches/CVE-2012-2090.diff | 78 +++++++++++++++++++++++++++++++
debian/patches/CVE-2012-2091.diff | 91 +++++++++++++++++++++++++++++++++++++
debian/patches/bug1117.diff | 21 +++++++++
debian/patches/series | 3 ++
5 files changed, 201 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 9cf9d01..82484ca 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+flightgear (2.10.0-2) UNRELEASED; urgency=low
+
+ * Fix for CVE-2012-2090: prevent %n from being passed to format strings.
+ * Fix for CVE-2012-2091: use snprintf() rather than sprintf().
+ * Fix upstream issue #1117 similar to CVE-2012-2091. Closes: #669025.
+
+ -- Markus Wanner <markus at bluegap.ch> Sun, 08 Sep 2013 10:22:12 +0200
+
flightgear (2.10.0-1) experimental; urgency=low
* New upstream release 2.10.0. (Closes: #718379, #673314).
diff --git a/debian/patches/CVE-2012-2090.diff b/debian/patches/CVE-2012-2090.diff
new file mode 100644
index 0000000..ef54636
--- /dev/null
+++ b/debian/patches/CVE-2012-2090.diff
@@ -0,0 +1,78 @@
+Subject: Fix for CVE-2012-2090: prevent %n being passed to format strings
+ CVE-2012-2090 mentions multiple places in simgear and flightgear that
+ allow an unsafe %n specifier to be passed as a format string. This patch
+ prevents this for flightgear in two constructors of FGTextLayer::Chunk and
+ in FGGeneric::gen_message_ascii().
+From: Tom Callaway
+Origin: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=17;filename=flightgear-2.6.0-check-for-%25n-in-printf-format-string.patch;att=1;bug=669025
+Last-Update: 2012-11-07
+
+--- a/src/Cockpit/panel.cxx
++++ b/src/Cockpit/panel.cxx
+@@ -1174,8 +1174,18 @@
+ : _type(FGTextLayer::TEXT), _fmt(fmt)
+ {
+ _text = text;
+- if (_fmt.empty())
+- _fmt = "%s";
++ if (_fmt.empty()) {
++ _fmt = "%s";
++ } else {
++ // It is never safe for _fmt.c_str to be %n.
++ string unsafe ("%n");
++ size_t found;
++ found=_fmt.find(unsafe);
++ if (found!=string::npos) {
++ SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
++ _fmt = "%s";
++ }
++ }
+ }
+
+ FGTextLayer::Chunk::Chunk (ChunkType type, const SGPropertyNode * node,
+@@ -1188,6 +1198,20 @@
+ _fmt = "%s";
+ else
+ _fmt = "%.2f";
++ } else {
++ // It is never safe for _fmt.c_str to be %n.
++ string unsafe ("%n");
++ size_t found;
++ found=_fmt.find(unsafe);
++ if (found!=string::npos) {
++ if (type == TEXT_VALUE) {
++ SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
++ _fmt = "%s";
++ } else {
++ SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %.2f");
++ _fmt = "%.2f";
++ }
++ }
+ }
+ _node = node;
+ }
+--- a/src/Network/generic.cxx
++++ b/src/Network/generic.cxx
+@@ -206,6 +206,8 @@
+
+ bool FGGeneric::gen_message_ascii() {
+ string generic_sentence;
++ string unsafe ("%n");
++ size_t found;
+ char tmp[255];
+ length = 0;
+
+@@ -216,6 +218,13 @@
+ generic_sentence += var_separator;
+ }
+
++ // It is never safe for _out_message[i].format.c_str to be %n.
++ found=_out_message[i].format.find(unsafe);
++ if (found!=string::npos) {
++ SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
++ _out_message[i].format = "%s";
++ }
++
+ switch (_out_message[i].type) {
+ case FG_INT:
+ val = _out_message[i].offset +
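Review bot: The substring check for `"%n"` in both FGTextLayer::Chunk constructors and in gen_message_ascii() is a blocklist, and a format that carries a length modifier between `%` and `n` (for example `%ln`) is not matched by `_fmt.find(unsafe)`, so such a string still reaches the printf family unchanged. Each of the three call sites expects exactly one conversion (`%s` for text, a floating conversion for values), so a whitelist that accepts only that single conversion and rejects any other `%` would close the gap and also catch mismatched specifiers such as a second `%s` that consumes an argument the caller never supplied. The check is copied three times with the same log message; a single helper such as `static bool safe_format(const string& fmt, char expected)` called from all three sites would keep the rule in one place. gen_message_ascii()'s body continues outside the hunk, and rewriting `_out_message[i].format` to `%s` at runtime hides the bad protocol definition; rejecting it when the protocol file is loaded would surface the problem to the user instead of silently changing the output.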
diff --git a/debian/patches/CVE-2012-2091.diff b/debian/patches/CVE-2012-2091.diff
new file mode 100644
index 0000000..44ea700
--- /dev/null
+++ b/debian/patches/CVE-2012-2091.diff
@@ -0,0 +1,91 @@
+Subject: Fix for CVE-2012-2091: add checks against buffer overruns
+ CVE-2012-2091 mentions various buffer overruns in simgear and
+ flightgear. This patch addresses this issue in Rotor::getValueforFGSet().
+From: Tom Callaway
+Origin: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=17;filename=flightgear-2.6.0-use-snprintf-for-rotor-strings.patch;att=2;bug=669025
+Last-Update: 2012-11-08
+
+--- a/src/FDM/YASim/Rotor.cpp
++++ b/src/FDM/YASim/Rotor.cpp
+@@ -274,7 +274,7 @@
+ if (4>numRotorparts()) return 0; //compile first!
+ if (j==0)
+ {
+- sprintf(text,"/rotors/%s/cone-deg", _name);
++ snprintf(text, 256, "/rotors/%s/cone-deg", _name);
+ *f=(_balance1>-1)?( ((Rotorpart*)getRotorpart(0))->getrealAlpha()
+ +((Rotorpart*)getRotorpart(1*(_number_of_parts>>2)))->getrealAlpha()
+ +((Rotorpart*)getRotorpart(2*(_number_of_parts>>2)))->getrealAlpha()
+@@ -284,7 +284,7 @@
+ else
+ if (j==1)
+ {
+- sprintf(text,"/rotors/%s/roll-deg", _name);
++ snprintf(text, 256, "/rotors/%s/roll-deg", _name);
+ _roll = ( ((Rotorpart*)getRotorpart(0))->getrealAlpha()
+ -((Rotorpart*)getRotorpart(2*(_number_of_parts>>2)))->getrealAlpha()
+ )/2*(_ccw?-1:1);
+@@ -293,7 +293,7 @@
+ else
+ if (j==2)
+ {
+- sprintf(text,"/rotors/%s/yaw-deg", _name);
++ snprintf(text, 256, "/rotors/%s/yaw-deg", _name);
+ _yaw=( ((Rotorpart*)getRotorpart(1*(_number_of_parts>>2)))->getrealAlpha()
+ -((Rotorpart*)getRotorpart(3*(_number_of_parts>>2)))->getrealAlpha()
+ )/2;
+@@ -302,38 +302,38 @@
+ else
+ if (j==3)
+ {
+- sprintf(text,"/rotors/%s/rpm", _name);
++ snprintf(text, 256, "/rotors/%s/rpm", _name);
+ *f=(_balance1>-1)?_omega/2/pi*60:0;
+ }
+ else
+ if (j==4)
+ {
+- sprintf(text,"/rotors/%s/tilt/pitch-deg",_name);
++ snprintf(text, 256, "/rotors/%s/tilt/pitch-deg",_name);
+ *f=_tilt_pitch*180/pi;
+ }
+ else if (j==5)
+ {
+- sprintf(text,"/rotors/%s/tilt/roll-deg",_name);
++ snprintf(text, 256, "/rotors/%s/tilt/roll-deg",_name);
+ *f=_tilt_roll*180/pi;
+ }
+ else if (j==6)
+ {
+- sprintf(text,"/rotors/%s/tilt/yaw-deg",_name);
++ snprintf(text, 256, "/rotors/%s/tilt/yaw-deg",_name);
+ *f=_tilt_yaw*180/pi;
+ }
+ else if (j==7)
+ {
+- sprintf(text,"/rotors/%s/balance", _name);
++ snprintf(text, 256, "/rotors/%s/balance", _name);
+ *f=_balance1;
+ }
+ else if (j==8)
+ {
+- sprintf(text,"/rotors/%s/stall",_name);
++ snprintf(text, 256, "/rotors/%s/stall",_name);
+ *f=getOverallStall();
+ }
+ else if (j==9)
+ {
+- sprintf(text,"/rotors/%s/torque",_name);
++ snprintf(text, 256, "/rotors/%s/torque",_name);
+ *f=-_torque;;
+ }
+ else
+@@ -344,7 +344,7 @@
+ return 0;
+ }
+ int w=j%3;
+- sprintf(text,"/rotors/%s/blade[%i]/%s",
++ snprintf(text, 256, "/rotors/%s/blade[%i]/%s",
+ _name,b,
+ w==0?"position-deg":(w==1?"flap-deg":"incidence-deg"));
+ *f=((Rotorpart*)getRotorpart(0))->getPhi()*180/pi
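Review bot: Every `snprintf(text, 256, ...)` in Rotor::getValueforFGSet() hard-codes 256 as the destination size, but `text` appears to be the function's pointer parameter (the signature is outside the hunk), so the bound is an assumption about the caller's buffer rather than something the writing code can see. If the caller allocates less than 256 bytes the overrun this patch is meant to stop remains; if it allocates more, property names are truncated silently, and none of the calls checks snprintf()'s return value for truncation. Passing the size alongside the buffer, or at least a constant shared with the caller such as `snprintf(text, ROTOR_TEXT_LEN, ...)` (ROTOR_TEXT_LEN being a placeholder for whatever size the caller actually uses), ties the two together instead of repeating a magic number eleven times.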
diff --git a/debian/patches/bug1117.diff b/debian/patches/bug1117.diff
new file mode 100644
index 0000000..55e8822
--- /dev/null
+++ b/debian/patches/bug1117.diff
@@ -0,0 +1,21 @@
+Subject: Fix for upstream #1117: fix another issue similar to CVE-2012-2090
+ In FGClouds::buildlayer(), prevent passing '%n' to snprintf().
+From: Rebecca Palmer
+Origin: https://bugs.launchpad.net/ubuntu/+source/simgear/+bug/1077624/+attachment/3806304/+files/flightgear_bug1117.patch
+Last-Update: 2013-09-06
+
+--- a/src/Environment/fgclouds.cxx
++++ b/src/Environment/fgclouds.cxx
+@@ -228,11 +228,10 @@
+ double count = acloud->getDoubleValue("count", 1.0);
+ tCloudVariety[CloudVarietyCount].count = count;
+ int variety = 0;
+- cloud_name = cloud_name + "-%d";
+ char variety_name[50];
+ do {
+ variety++;
+- snprintf(variety_name, sizeof(variety_name) - 1, cloud_name.c_str(), variety);
++ snprintf(variety_name, sizeof(variety_name) - 1, "%s-%d", cloud_name.c_str(), variety);
+ } while( box_def_root->getChild(variety_name, 0, false) );
+
+ totalCount += count;
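Review bot: Moving `cloud_name` out of the format string and into a `%s` argument is the right fix, but the size argument `sizeof(variety_name) - 1` is carried over from the old call; snprintf() already reserves room for the terminator within the size it is given, so `sizeof(variety_name)` is the idiomatic bound and the `- 1` only shortens the usable buffer by one byte. The loop also ignores snprintf()'s return value, so a truncated name would be looked up against `box_def_root` silently. buildlayer()'s body continues outside the hunk, and since `cloud_name` is no longer given the `-%d` suffix, any later use of it that relied on that suffix would need checking.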
diff --git a/debian/patches/series b/debian/patches/series
index a690225..62bb8b0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,4 @@
terrasync.patch
+CVE-2012-2090.diff
+CVE-2012-2091.diff
+bug1117.diff
--