From: James Turner <zakalawe@ma...> - 2013-09-13 06:13:59
On 11 Sep 2013, at 10:16, Markus Wanner <markus@...> wrote:

I think some of the more recent patches didn't flow upstream, yet. I'm
focusing on getting it working properly on Debian, first. And getting
2.12 in. Just a matter of time. Sorry for the lag.

Okay, but if any of them are portable fixes, it would be better to get them in 
2.12 itself.

None of Debian/Ubuntu's 5 security patches (fixing CVE-2012-2090, CVE-2012-2091 and issue 1117, see http://code.google.com/p/flightgear-bugs/issues/detail?id=1117) are currently in 2.12; I suspect, but have not checked, that they aren't in master either.

for flightgear:
(CVE-2012-2090.diff is attached, as it required minor changes to compile in 2.12)
http://patch-tracker.debian.org/patch/series/dl/flightgear/2.10.0-2/CVE-2012-2091.diff
http://patch-tracker.debian.org/patch/series/dl/flightgear/2.10.0-2/bug1117.diff
for simgear:
http://patch-tracker.debian.org/patch/series/dl/simgear/2.10.0-3/CVE-2012-2090.diff
http://patch-tracker.debian.org/patch/series/dl/simgear/2.10.0-3/CVE-2012-2091.diff

far more useful would be to get ARM working
This patch should do that, while changing nothing on x86:
http://anonscm.debian.org/gitweb/?p=collab-maint/simgear.git;a=blob_plain;f=debian/patches/cppbind-charsignedness.diff;hb=fcca8ff0b3995680e739f0c9499f8c08996513a6

I have successfully compiled 2.12 with all 6 above patches on an Ubuntu 13.04 amd64 system, but was unable to get the 2.12 data to check whether it actually works. (fgdata doesn't have a "Download" button on its Gitorious page (flightgear and simgear do), "Clone" requires a Gitorious account which I don't have and would probably be very large, and the main site only has up to 2.10.)

Subject: Fix for CVE-2012-2090: prevent %n being passed to format strings
 CVE-2012-2090 mentions multiple places in simgear and flightgear that
 allow an unsafe %n specifier to be passed as a format string. This patch
 prevents this for flightgear in two constructors of FGTextLayer::Chunk and
 in FGGeneric::gen_message_ascii().
From: Tom Callaway
Origin: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=17;filename=flightgear-2.6.0-check-for-%25n-in-printf-format-string.patch;att=1;bug=669025

Adapted for 2.12 (added std:: before string and npos) by Rebecca Palmer

--- a/src/Cockpit/panel.cxx	2013-09-05 08:53:54.000000000 +0100
+++ b/src/Cockpit/panel.cxx	2013-09-13 21:21:57.260042303 +0100
@@ -1174,8 +1174,18 @@ FGTextLayer::Chunk::Chunk (const std::st
   : _type(FGTextLayer::TEXT), _fmt(fmt)
 {
   _text = text;
-  if (_fmt.empty()) 
-    _fmt = "%s";
+  if (_fmt.empty()) {
+    _fmt = "%s"; 
+  } else {
+    // It is never safe for _fmt.c_str to be %n.    
+    std::string unsafe ("%n");
+    size_t found;
+    found=_fmt.find(unsafe);
+    if (found!=std::string::npos) {
+      SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
+      _fmt = "%s";
+    }
+  }   
 }
 
 FGTextLayer::Chunk::Chunk (ChunkType type, const SGPropertyNode * node,
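Review bot: the check at `found=_fmt.find(unsafe);` only matches the two-character literal "%n", so a write conversion spelled with a length modifier between the '%' and the 'n' (for example "%hn" or "%ln") or in positional form is not caught even though it has the same effect. A more robust approach is to walk each '%' conversion specification and accept only a whitelist of conversion characters that agree with the single argument this chunk formats (here 's'), which also rules out '*' widths that would consume an extra argument. Minor style point: `size_t found;` followed by `found=_fmt.find(unsafe);` can be one `const size_t found = _fmt.find("%n");`.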
@@ -1188,6 +1198,20 @@ FGTextLayer::Chunk::Chunk (ChunkType typ
       _fmt = "%s";
     else
       _fmt = "%.2f";
+  } else {
+    // It is never safe for _fmt.c_str to be %n.
+    std::string unsafe ("%n");
+    size_t found;
+    found=_fmt.find(unsafe);
+    if (found!=std::string::npos) {
+      if (type == TEXT_VALUE) {
+        SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
+        _fmt = "%s";
+      } else {
+        SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %.2f");
+        _fmt = "%.2f";
+      }
+    }
   }
   _node = node;
 }
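Review bot: this block is a verbatim copy of the scan added to the first constructor, with only the fallback string differing; pulling it into one small helper taking the format and the fallback (for example a static function in panel.cxx) would give both constructors a single definition and a single log message to maintain. The per-type fallback chosen here ("%s" for TEXT_VALUE, "%.2f" otherwise) is the right shape, because substituting "%s" for a chunk that is formatted from a numeric value would itself be a format/argument type mismatch.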
--- a/src/Network/generic.cxx
+++ b/src/Network/generic.cxx
@@ -206,6 +206,8 @@
 
 bool FGGeneric::gen_message_ascii() {
     string generic_sentence;
+    string unsafe ("%n");
+    size_t found;
     char tmp[255];
     length = 0;
 
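Review bot: `string unsafe ("%n");` and `size_t found;` are declared at function scope but are only used inside the per-message loop below; declaring `found` at its point of use and passing the literal "%n" directly to `find` keeps the scope tight and makes the later hunk self-explanatory.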
@@ -216,6 +218,13 @@
             generic_sentence += var_separator;
         }
 
+        // It is never safe for _out_message[i].format.c_str to be %n.
+        found=_out_message[i].format.find(unsafe);
+        if (found!=string::npos) {
+          SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
+          _out_message[i].format = "%s";
+        }
+
         switch (_out_message[i].type) {
         case FG_INT:
             val = _out_message[i].offset +
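Review bot: the fallback unconditionally rewrites `_out_message[i].format` to "%s", but the `switch (_out_message[i].type)` directly below shows these fields carry FG_INT and other non-string values, so a numeric field whose format contained %n would afterwards be printed through a "%s" conversion, which is itself a format/argument type mismatch. Choose the fallback by `_out_message[i].type` as the panel.cxx hunk does ("%s" for string fields, a numeric conversion for the others), or better, validate that the conversion character agrees with the field type. Minor: the warning is logged under SG_COCKPIT from network code; a network-side log class (e.g. SG_NETWORK) would be the matching category.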
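As an added example, not part of the patch above or of the FlightGear/SimGear code base, the following stand-alone C++ validator addresses the same situation the patch does: a printf-style format read from configuration or a property tree is applied to a single value. Instead of searching for the literal substring "%n", it parses each conversion specification, rejects the n conversion in any spelling (with length modifiers or positional arguments), rejects '*' widths that would consume an extra argument, and accepts only a conversion character that matches the type of the one value being formatted. The names `isSafeFormat`, `formatDoubleChecked` and the `FmtArg` enum are assumptions of this example, not FlightGear identifiers.

```cpp
// Added example (not FlightGear/SimGear code): validate a user-supplied
// printf-style format before handing it to snprintf. The validator walks each
// conversion specification instead of looking for the literal "%n", so that
// "%hn", "%ln" and "%2$n" are rejected as well, and it insists that the only
// conversion present matches the single argument the caller will supply.
#include <cstddef>
#include <cstdio>
#include <string>

// Kind of the one argument the caller intends to pass to the format.
enum class FmtArg { String, Double, Int };

// Returns true if `fmt` is safe to use with snprintf and one argument of kind
// `expected`. Rejects every 'n' conversion, '*' widths/precisions (which read
// an extra int argument), positional '$' forms, unknown conversions, and any
// conversion whose type does not match `expected`. At most one conversion is
// allowed; a format with none simply prints literal text, which is harmless.
bool isSafeFormat(const std::string& fmt, FmtArg expected) {
    int conversions = 0;
    for (std::size_t i = 0; i < fmt.size(); ++i) {
        if (fmt[i] != '%') continue;
        ++i;
        if (i >= fmt.size()) return false;   // trailing lone '%'
        if (fmt[i] == '%') continue;          // literal "%%"

        // flags
        while (i < fmt.size() && std::string("-+ #0").find(fmt[i]) != std::string::npos) ++i;
        // width: digits only; '*' would consume an additional argument
        while (i < fmt.size() && fmt[i] >= '0' && fmt[i] <= '9') ++i;
        if (i < fmt.size() && fmt[i] == '*') return false;
        // precision
        if (i < fmt.size() && fmt[i] == '.') {
            ++i;
            if (i < fmt.size() && fmt[i] == '*') return false;
            while (i < fmt.size() && fmt[i] >= '0' && fmt[i] <= '9') ++i;
        }
        // length modifiers
        while (i < fmt.size() && std::string("hlLjzt").find(fmt[i]) != std::string::npos) ++i;
        if (i >= fmt.size()) return false;    // specification cut off

        const char conv = fmt[i];
        bool ok = false;
        switch (expected) {
            case FmtArg::String: ok = (conv == 's'); break;
            case FmtArg::Double: ok = std::string("fFeEgG").find(conv) != std::string::npos; break;
            case FmtArg::Int:    ok = (conv == 'd' || conv == 'i'); break;
        }
        // 'n', 'p', '$' (positional), and anything unexpected all land here.
        if (!ok) return false;
        ++conversions;
    }
    return conversions <= 1;
}

// Formats `value` with `fmt` if the format passes validation; otherwise falls
// back to "%.2f", mirroring the "revert to a known-good format" behaviour of
// the patch but deciding on the basis of the whole specification.
std::string formatDoubleChecked(const std::string& fmt, double value) {
    char buf[256];
    const char* f = isSafeFormat(fmt, FmtArg::Double) ? fmt.c_str() : "%.2f";
    std::snprintf(buf, sizeof buf, f, value);
    return std::string(buf);
}
```

The whitelist approach is deliberately stricter than a blacklist: rather than enumerating the dangerous conversions, it enumerates the few that are correct for the value being printed, so a future conversion character or an unusual spelling is refused by default instead of slipping through.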
Flightgear-devel mailing list
Flightgear-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/flightgear-devel