From: James Turner <zakalawe@ma...> - 2013-09-13 06:13:59
On 11 Sep 2013, at 10:16, Markus Wanner <markus@...> wrote:
> I think some of the more recent patches didn't flow upstream, yet. I'm
> focusing on getting it working properly on Debian, first. And getting
> 2.12 in. Just a matter of time. Sorry for the lag.
Okay, but if any of them are portable fixes, it would be better to get them in
2.12 itself.
None of Debian/Ubuntu's 5 security patches (fixing CVE-2012-2090,
CVE-2012-2091 and issue 1117, see
http://code.google.com/p/flightgear-bugs/issues/detail?id=1117) are
currently in 2.12; I suspect, but have not checked, that they aren't in
master either.
for flightgear:
(CVE-2012-2090.diff is attached, as it required minor changes to compile
in 2.12)
http://patch-tracker.debian.org/patch/series/dl/flightgear/2.10.0-2/CVE-2012-2091.diff
http://patch-tracker.debian.org/patch/series/dl/flightgear/2.10.0-2/bug1117.diff
for simgear:
http://patch-tracker.debian.org/patch/series/dl/simgear/2.10.0-3/CVE-2012-2090.diff
http://patch-tracker.debian.org/patch/series/dl/simgear/2.10.0-3/CVE-2012-2091.diff
> far more useful would be to get ARM working
This patch should do that, while changing nothing on x86:
http://anonscm.debian.org/gitweb/?p=collab-maint/simgear.git;a=blob_plain;f=debian/patches/cppbind-charsignedness.diff;hb=fcca8ff0b3995680e739f0c9499f8c08996513a6
I have successfully compiled 2.12 with all 6 above patches on an Ubuntu
13.04 amd64 system, but was unable to get the 2.12 data to check whether
it actually works. (fgdata doesn't have a "Download" button on its
Gitorious page (flightgear and simgear do), "Clone" requires a Gitorious
account which I don't have and would probably be very large, and the
main site only has up to 2.10.)
Subject: Fix for CVE-2012-2090: prevent %n being passed to format strings
CVE-2012-2090 mentions multiple places in simgear and flightgear that
allow an unsafe %n specifier to be passed as a format string. This patch
prevents this for flightgear in two constructors of FGTextLayer::Chunk and
in FGGeneric::gen_message_ascii().
From: Tom Callaway
Origin: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=17;filename=flightgear-2.6.0-check-for-%25n-in-printf-format-string.patch;att=1;bug=669025
Adapted for 2.12 (added std:: before string and npos) by Rebecca Palmer
--- a/src/Cockpit/panel.cxx 2013-09-05 08:53:54.000000000 +0100
+++ b/src/Cockpit/panel.cxx 2013-09-13 21:21:57.260042303 +0100
@@ -1174,8 +1174,18 @@ FGTextLayer::Chunk::Chunk (const std::st
: _type(FGTextLayer::TEXT), _fmt(fmt)
{
_text = text;
- if (_fmt.empty())
- _fmt = "%s";
+ if (_fmt.empty()) {
+ _fmt = "%s";
+ } else {
+ // It is never safe for _fmt.c_str to be %n.
+ std::string unsafe ("%n");
+ size_t found;
+ found=_fmt.find(unsafe);
+ if (found!=std::string::npos) {
+ SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
+ _fmt = "%s";
+ }
+ }
}
FGTextLayer::Chunk::Chunk (ChunkType type, const SGPropertyNode * node,
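Review bot: the substring search in the new else-branch is an incomplete guard: `_fmt.find("%n")` only matches a bare "%n", so a conversion with a width or length modifier between the percent sign and the n (for example "%5n" or "%hn") still writes through the argument and passes this check. Since this constructor formats exactly one string argument, a tighter rule is to accept `_fmt` only if every "%" is either "%%" or the single "%s" conversion, and fall back to "%s" otherwise. Minor: `size_t found;` followed by `found=_fmt.find(unsafe);` reads better as one declaration, `size_t found = _fmt.find(unsafe);`.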
@@ -1188,6 +1198,20 @@ FGTextLayer::Chunk::Chunk (ChunkType typ
_fmt = "%s";
else
_fmt = "%.2f";
+ } else {
+ // It is never safe for _fmt.c_str to be %n.
+ std::string unsafe ("%n");
+ size_t found;
+ found=_fmt.find(unsafe);
+ if (found!=std::string::npos) {
+ if (type == TEXT_VALUE) {
+ SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
+ _fmt = "%s";
+ } else {
+ SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %.2f");
+ _fmt = "%.2f";
+ }
+ }
}
_node = node;
}
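Review bot: this block is a verbatim copy of the check added to the other Chunk constructor, differing only in the fallback, and the generic.cxx hunks add a third copy; factor it into one helper (something like `static std::string sanitizeFormat(const std::string& fmt, const char* fallback)`) so the call sites cannot drift apart when the check is tightened. The same caveat applies here: a "%n" preceded by a width or length modifier is not caught, and blacklisting "%n" alone still lets a "%s" through for a TEXT_VALUE of numeric type, where the argument is a double; the safer shape is to accept only the conversion that matches the chunk type ("%s" for TEXT_VALUE, a single floating-point conversion otherwise) and revert to the default for anything else.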
--- a/src/Network/generic.cxx
+++ b/src/Network/generic.cxx
@@ -206,6 +206,8 @@
bool FGGeneric::gen_message_ascii() {
string generic_sentence;
+ string unsafe ("%n");
+ size_t found;
char tmp[255];
length = 0;
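Review bot: `string unsafe ("%n");` and `size_t found;` are declared at the top of gen_message_ascii() but are only used inside the per-message loop in the next hunk; declare them at the point of use (`size_t found = _out_message[i].format.find("%n");`) so the temporaries are scoped to the loop body and the function header stays limited to state that the whole function needs.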
@@ -216,6 +218,13 @@
generic_sentence += var_separator;
}
+ // It is never safe for _out_message[i].format.c_str to be %n.
+ found=_out_message[i].format.find(unsafe);
+ if (found!=string::npos) {
+ SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
+ _out_message[i].format = "%s";
+ }
+
switch (_out_message[i].type) {
case FG_INT:
val = _out_message[i].offset +
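Review bot: the check rewrites `_out_message[i].format` in place on every call to gen_message_ascii(), so a bad format in the protocol definition is silently replaced for the rest of the session and the warning fires only once; validate the format once where the protocol file is parsed and refuse that message there, rather than repairing it at send time. The log category SG_COCKPIT is carried over from panel.cxx into src/Network/generic.cxx; use the category the rest of this file logs under. As in panel.cxx, `find("%n")` misses a "%n" that has a width or length modifier in front of the n, and the fallback "%s" is only right when the argument for this message type is a string: the FG_INT case in the switch directly below passes an integer, so the fallback should be chosen per `_out_message[i].type`, or better, each type should accept only its own conversion.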
_______________________________________________
Flightgear-devel mailing list
Flightgear-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/flightgear-devel