Re: [Flightgear-devel] Security patches [was Re: portability of simgear]

2013-09-14 Thread Arnt Karlsen
On Fri, 13 Sep 2013 23:01:05 +0100, Rebecca wrote in message 
52338b21.9010...@bham.ac.uk:

 From: James Turner zakalawe@ma... - 2013-09-13 06:13:59
  On 11 Sep 2013, at 10:16, Markus Wanner markus@... wrote:

  far more useful would be to get ARM working
 This patch should do that, while changing nothing on x86:
 http://anonscm.debian.org/gitweb/?p=collab-maint/simgear.git;a=blob_plain;f=debian/patches/cppbind-charsignedness.diff;hb=fcca8ff0b3995680e739f0c9499f8c08996513a6
 
 I have successfully compiled 2.12 with all 6 above patches on an
 Ubuntu 13.04 amd64 system, but was unable to get the 2.12 data to
 check whether it actually works.  (fgdata doesn't have a Download
 button on its Gitorious page (flightgear and simgear do), Clone
 requires a Gitorious account which I don't have and would probably be
 very large, and the main site only has up to 2.10.)

..if you have the disk space, head over to Roland's
http://mxchange.org:23456/ and fetch the git bundle 
and updates there, then do the git bundle dance and 
finish it all off by updating your fgdata git tree 
to what branch etc you want.

-- 
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.

___
Flightgear-devel mailing list
Flightgear-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/flightgear-devel


Re: [Flightgear-devel] Security patches [was Re: portability of simgear]

2013-09-14 Thread Markus Wanner
On 09/14/2013 12:07 PM, James Turner wrote:
 Thanks, I'll apply these as-is to the 2.12 branch. For master/next, I
 think a slight re-factoring can make things cleaner. (E.g a
 simgear::strutils::sanitize_printf_format)

Nice, thanks.

 What is the recommended notification channel from Debian to here?

From Debian to here? Whatever you like it to be. I reported issues on
this mailing list, before. That looked like the appropriate way to me.

From here to Debian: we have a dedicated mailing list:
pkg-fgfs-c...@lists.alioth.debian.org. I would appreciate security
issues and update notifications being CC'd there. (Of course, I'm
loosely following the flightgear-devel mailing list as well, but...)

 Does
 it require someone here to register as the Debian maintainer for the
 flightgear packages, or something else?

Officially, flightgear is maintained as a team. I've been the most
active direct contributor, recently. With lots of help from Rebecca and
others.

Regards

Markus Wanner



[Flightgear-devel] Security patches [was Re: portability of simgear]

2013-09-13 Thread Rebecca N. Palmer

From: James Turner zakalawe@ma... - 2013-09-13 06:13:59

On 11 Sep 2013, at 10:16, Markus Wanner markus@... wrote:


I think some of the more recent patches didn't flow upstream, yet. I'm
focusing on getting it working properly on Debian, first. And getting
2.12 in. Just a matter of time. Sorry for the lag.


Okay, but if any of them are portable fixes, it would be better to get them in 
2.12 itself.


None of Debian/Ubuntu's 5 security patches (fixing CVE-2012-2090, 
CVE-2012-2091 and issue 1117, see 
http://code.google.com/p/flightgear-bugs/issues/detail?id=1117) are 
currently in 2.12; I suspect, but have not checked, that they aren't in 
master either.


for flightgear:
(CVE-2012-2090.diff is attached, as it required minor changes to compile 
in 2.12)

http://patch-tracker.debian.org/patch/series/dl/flightgear/2.10.0-2/CVE-2012-2091.diff
http://patch-tracker.debian.org/patch/series/dl/flightgear/2.10.0-2/bug1117.diff
for simgear:
http://patch-tracker.debian.org/patch/series/dl/simgear/2.10.0-3/CVE-2012-2090.diff
http://patch-tracker.debian.org/patch/series/dl/simgear/2.10.0-3/CVE-2012-2091.diff


far more useful would be to get ARM working

This patch should do that, while changing nothing on x86:
http://anonscm.debian.org/gitweb/?p=collab-maint/simgear.git;a=blob_plain;f=debian/patches/cppbind-charsignedness.diff;hb=fcca8ff0b3995680e739f0c9499f8c08996513a6

I have successfully compiled 2.12 with all 6 above patches on an Ubuntu 
13.04 amd64 system, but was unable to get the 2.12 data to check whether 
it actually works.  (fgdata doesn't have a Download button on its 
Gitorious page (flightgear and simgear do), Clone requires a Gitorious 
account which I don't have and would probably be very large, and the 
main site only has up to 2.10.)
Subject: Fix for CVE-2012-2090: prevent %n being passed to format strings
 CVE-2012-2090 mentions multiple places in simgear and flightgear that
 allow an unsafe %n specifier to be passed as a format string. This patch
 prevents this for flightgear in two constructors of FGTextLayer::Chunk and
 in FGGeneric::gen_message_ascii().
From: Tom Callaway
Origin: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=17;filename=flightgear-2.6.0-check-for-%25n-in-printf-format-string.patch;att=1;bug=669025

Adapted for 2.12 (added std:: before string and npos) by Rebecca Palmer

--- a/src/Cockpit/panel.cxx	2013-09-05 08:53:54.0 +0100
+++ b/src/Cockpit/panel.cxx	2013-09-13 21:21:57.260042303 +0100
@@ -1174,8 +1174,18 @@ FGTextLayer::Chunk::Chunk (const std::st
   : _type(FGTextLayer::TEXT), _fmt(fmt)
 {
   _text = text;
-  if (_fmt.empty()) 
-_fmt = %s;
+  if (_fmt.empty()) {
+_fmt = %s; 
+  } else {
+// It is never safe for _fmt.c_str to be %n.
+std::string unsafe (%n);
+size_t found;
+found=_fmt.find(unsafe);
+if (found!=std::string::npos) {
+  SG_LOG(SG_COCKPIT, SG_WARN, format type contained %n, but this is unsafe, reverting to %s);
+  _fmt = %s;
+}
+  }   
 }
 
 FGTextLayer::Chunk::Chunk (ChunkType type, const SGPropertyNode * node,
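Review bot: the `_fmt.find(unsafe)` test in the new else branch only catches the literal two-character sequence `%n`; a length-modified spelling such as `%hn`, `%ln` or `%lln` passes the check and reaches the formatter with the same write-what-where effect, and a format with an unexpected conversion (`%x`, or a second `%s` with no matching argument) still reads the stack. Consider replacing the substring search with a whitelist that accepts exactly one `%s` conversion (flags and width allowed, no `*`, no length modifier) and reverts to `%s` for anything else, so the fallback in `_fmt = %s;` is reached for every unsafe format rather than just this one spelling.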
@@ -1188,6 +1198,20 @@ FGTextLayer::Chunk::Chunk (ChunkType typ
   _fmt = %s;
 else
   _fmt = %.2f;
+  } else {
+// It is never safe for _fmt.c_str to be %n.
+std::string unsafe (%n);
+size_t found;
+found=_fmt.find(unsafe);
+if (found!=std::string::npos) {
+  if (type == TEXT_VALUE) {
+SG_LOG(SG_COCKPIT, SG_WARN, format type contained %n, but this is unsafe, reverting to %s);
+_fmt = %s;
+  } else {
+SG_LOG(SG_COCKPIT, SG_WARN, format type contained %n, but this is unsafe, reverting to %.2f);
+_fmt = %.2f;
+  }
+}
   }
   _node = node;
 }
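Review bot: this block repeats the check from the previous hunk with only the fallback differing (`%s` for TEXT_VALUE, `%.2f` otherwise); factoring both into one helper that takes the expected argument kind, along the lines of the `simgear::strutils::sanitize_printf_format` idea raised earlier in the thread, would keep the two copies from drifting and give one place to close the `%hn`/`%ln` gap that the plain `find("%n")` leaves open here as well. The log text could also name the offending format value, since a user debugging a panel XML will otherwise not know which chunk was reverted.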
--- a/src/Network/generic.cxx
+++ b/src/Network/generic.cxx
@@ -206,6 +206,8 @@
 
 bool FGGeneric::gen_message_ascii() {
 string generic_sentence;
+string unsafe (%n);
+size_t found;
 char tmp[255];
 length = 0;
 
@@ -216,6 +218,13 @@
 generic_sentence += var_separator;
 }
 
+// It is never safe for _out_message[i].format.c_str to be %n.
+found=_out_message[i].format.find(unsafe);
+if (found!=string::npos) {
+  SG_LOG(SG_COCKPIT, SG_WARN, format type contained %n, but this is unsafe, reverting to %s);
+  _out_message[i].format = %s;
+}
+
 switch (_out_message[i].type) {
 case FG_INT:
 val = _out_message[i].offset +
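Review bot: the revert is unconditionally `%s`, but it sits immediately before `switch (_out_message[i].type)` / `case FG_INT:`, so an integer or float output whose configured format contained `%n` will now be formatted with `%s` and a non-pointer argument, which is itself undefined behaviour (the formatter dereferences the int as a char*). Choose the fallback from `_out_message[i].type` as the second panel.cxx hunk does, or skip the field entirely. Separately, performing the check inside gen_message_ascii() re-scans every output format on every generated message; validating once where the protocol configuration is loaded would be cheaper and would keep the hot path free of string searches. The `SG_LOG(SG_COCKPIT, ...)` category also looks copied from panel.cxx; this is network code.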
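The patch above tests for `%n` with a substring search and reverts to a fixed format. The following is an added example (not SimGear or FlightGear code, and not part of the thread) of the whitelist-style helper James Turner sketches as `simgear::strutils::sanitize_printf_format`: it parses the format, requires exactly one conversion of the kind the caller will actually pass, and rejects `%n` in every spelling, `*` width/precision, `%p`, and type mismatches. The function names, the `ArgKind` enum and the probe strings are assumptions made for the example; `patch_substring_check_flags` reproduces the patch's own `find("%n")` test for comparison, and `render_int` shows the sanitized format used with `snprintf` the way the panel and generic-protocol code do.

```cpp
// Added example, not SimGear/FlightGear code: a whitelist printf-format
// validator in the spirit of the proposed simgear::strutils::sanitize_printf_format.
// All names here are assumptions for illustration.
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

enum class ArgKind { String, Integer, Floating };

static bool is_flag(char c) {
    return c == '-' || c == '+' || c == ' ' || c == '#' || c == '0';
}

// True if `fmt` consumes exactly one argument of kind `kind`. Rejects %n in
// every spelling (%n, %hn, %ln, ...), '*' width/precision (which would pull an
// extra argument off the stack), a dangling '%', length modifiers that change
// the expected argument type, and any conversion that does not match `kind`.
bool is_safe_printf_format(const std::string& fmt, ArgKind kind) {
    std::size_t conversions = 0;
    const std::size_t n = fmt.size();
    for (std::size_t i = 0; i < n; ++i) {
        if (fmt[i] != '%') continue;
        if (++i >= n) return false;                // dangling '%'
        if (fmt[i] == '%') continue;               // "%%" is a literal percent
        while (i < n && is_flag(fmt[i])) ++i;      // flags
        if (i < n && fmt[i] == '*') return false;  // width taken from an argument
        while (i < n && std::isdigit(static_cast<unsigned char>(fmt[i]))) ++i;
        if (i < n && fmt[i] == '.') {              // precision
            ++i;
            if (i < n && fmt[i] == '*') return false;
            while (i < n && std::isdigit(static_cast<unsigned char>(fmt[i]))) ++i;
        }
        std::string mods;                          // length modifiers (at most two chars)
        while (i < n && fmt[i] != '\0' && std::strchr("hlLjzt", fmt[i]) && mods.size() < 2)
            mods += fmt[i++];
        if (i >= n) return false;                  // modifiers but no conversion
        const char conv = fmt[i];
        bool ok = false;
        switch (kind) {
        case ArgKind::String:    // char* argument: only %s, no modifiers (%ls wants wchar_t*)
            ok = mods.empty() && conv == 's';
            break;
        case ArgKind::Integer:   // int argument: h/hh are promoted to int, so harmless
            ok = (mods.empty() || mods == "h" || mods == "hh") &&
                 conv != '\0' && std::strchr("diouxXc", conv) != nullptr;
            break;
        case ArgKind::Floating:  // double argument: 'l' is a no-op for f/e/g/a
            ok = (mods.empty() || mods == "l") &&
                 conv != '\0' && std::strchr("fFeEgGaA", conv) != nullptr;
            break;
        }
        if (!ok) return false;   // %n, %p, %Lf, type mismatches all land here
        ++conversions;
    }
    return conversions == 1;     // zero conversions is also a misconfiguration
}

// Fallbacks mirror the patch's reverts: %s for text, %.2f for values.
std::string sanitize_printf_format(const std::string& fmt, ArgKind kind) {
    if (is_safe_printf_format(fmt, kind)) return fmt;
    switch (kind) {
    case ArgKind::String:   return "%s";
    case ArgKind::Integer:  return "%d";
    case ArgKind::Floating: return "%.2f";
    }
    return "%s";
}

// The patch's own test, reproduced for comparison: a substring search for "%n".
bool patch_substring_check_flags(const std::string& fmt) {
    return fmt.find("%n") != std::string::npos;
}

// Render one integer through a sanitized format into a fixed buffer, as the
// panel and generic-protocol code do with snprintf.
std::string render_int(const std::string& fmt, int value) {
    char buf[255];
    const std::string safe = sanitize_printf_format(fmt, ArgKind::Integer);
    std::snprintf(buf, sizeof buf, safe.c_str(), value);
    return std::string(buf);
}

int main() {
    // Constructed probe formats; none come from a real FlightGear config.
    const char* probes[] = {"%s", "%n", "%hn", "%*d", "%d %d", "%p", "100%% %d"};
    for (const char* p : probes)
        std::printf("%-10s substring-check:%d whitelist:%d\n", p,
                    patch_substring_check_flags(p) ? 1 : 0,
                    is_safe_printf_format(p, ArgKind::Integer) ? 1 : 0);
    return 0;
}
```

The `%hn` row is the one to look at: the substring check reports it as clean while the whitelist rejects it. Picking the fallback from the argument kind also avoids the `%s`-with-an-int problem that a single fixed fallback introduces for numeric fields.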