The original report doesn't say so but it looks like SGSocketUDP::readline is vulnerable as well: the attached fixes both.
(I kept the negative-length check but consider it mostly pointless: if you can't assume length is the correct length of buf, it's impossible to prevent an overflow.)

** Patch added: "simgear_CVE2012_2091.patch"
   https://bugs.launchpad.net/ubuntu/+source/flightgear/+bug/1077624/+attachment/3806302/+files/simgear_CVE2012_2091.patch

** Bug watch added: code.google.com/p/flightgear-bugs/issues #1117
   http://code.google.com/p/flightgear-bugs/issues/detail?id=1117

https://bugs.launchpad.net/bugs/1077624

Title:
  FFe: Update Flightgear to version 2.10.0
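The role of `length` discussed in the message above, as an added C example (not the attached patch and not SimGear's code): a hypothetical `bounded_readline` copies one newline-terminated line into `buf` only when it fits in the capacity the caller states. The function name, its parameters and the sample datagrams are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not SimGear's API.
 * Copies one '\n'-terminated line from src (src_len received bytes) into buf,
 * whose capacity the caller states as length.
 * Returns the bytes copied (NUL excluded), 0 if no complete line is present,
 * or -1 if the arguments are unusable or the line does not fit.
 * The bound is only as good as length: if the caller passes a value larger
 * than the real size of buf, no check in here can detect it. */
int bounded_readline(const char *src, size_t src_len, char *buf, int length)
{
    if (src == NULL || buf == NULL || length <= 0)
        return -1;                      /* covers the negative-length case */

    const char *nl = memchr(src, '\n', src_len);
    if (nl == NULL)
        return 0;                       /* no complete line yet */

    size_t line_len = (size_t)(nl - src) + 1;   /* keep the newline */
    if (line_len >= (size_t)length)     /* must leave room for the NUL */
        return -1;                      /* refuse rather than truncate or overflow */

    memcpy(buf, src, line_len);
    buf[line_len] = '\0';
    return (int)line_len;
}

int main(void)
{
    /* Constructed sample datagrams, not captured traffic. */
    const char ok[]   = "KIAS=120\n";
    const char long_line[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";
    char buf[16];

    printf("fits:     %d\n", bounded_readline(ok, sizeof ok - 1, buf, (int)sizeof buf));
    printf("too long: %d\n", bounded_readline(long_line, sizeof long_line - 1,
                                               buf, (int)sizeof buf));
    printf("negative: %d\n", bounded_readline(ok, sizeof ok - 1, buf, -1));
    return 0;
}
```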
