[SimGear] add fix for CVE-2012-2090
Tom Callaway
spot at fedoraproject.org
Wed May 30 01:29:52 UTC 2012
commit 17ef0f672ea088b28fc5d1f854621df35ed6992e
Author: Tom Callaway <spot at fedoraproject.org>
Date: Tue May 29 21:29:49 2012 -0400
add fix for CVE-2012-2090
SimGear.spec | 12 ++++++++++--
simgear-2.6.0-check-for-%n-in-format-string.patch | 20 ++++++++++++++++++++
2 files changed, 30 insertions(+), 2 deletions(-)
---
diff --git a/SimGear.spec b/SimGear.spec
index d4177e2..08b3cf0 100644
--- a/SimGear.spec
+++ b/SimGear.spec
@@ -1,6 +1,6 @@
Name: SimGear
Version: 2.6.0
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Libraries
Summary: Simulation library components
@@ -10,6 +10,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch1: 0001-add-more-arches.patch
Patch2: 0002-nuke-old-bundled-copy-of-expat-use-system-expat.patch
Patch3: 0003-remove-unneeded-header.patch
+Patch4: simgear-2.6.0-check-for-%n-in-format-string.patch
BuildRequires: openal-soft-devel, plib-devel >= 1.8.5
BuildRequires: OpenSceneGraph-devel >= 2.8.0
BuildRequires: boost-devel >= 1.37.0
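Review bot: the new Patch4 filename carries a literal `%` (`simgear-2.6.0-check-for-%n-in-format-string.patch`), and rpm runs macro expansion over spec lines, so the file name depends on how an undefined `%n` token happens to be treated. Renaming the file to avoid the `%` (for example `simgear-2.6.0-check-for-percent-n-in-format-string.patch`) keeps the Patch line independent of macro-expansion rules and also avoids a `%` in the filename for rpmlint and spectool.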
@@ -38,6 +39,7 @@ SimGear.
%setup -q -n simgear-%{version}
%patch1 -p1
%patch2 -p1
+%patch4 -p1 -b .checkforn
# makes rpmlint happy
find -name \*.cxx -o -name \*.hxx | xargs chmod -x
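Review bot: Patch3 (`0003-remove-unneeded-header.patch`) is listed in the preamble but still never applied here; the %setup section now goes `%patch1`, `%patch2`, `%patch4` with no `%patch3 -p1`. Either apply it or drop the Patch3 line so the preamble matches what the build actually does. The `-b .checkforn` backup suffix matches the suffix used in the patch header, which is fine.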
@@ -82,9 +84,15 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/libSimGearScene.so
%changelog
-* Sun Feb 19 2012 Fabrice Bellet <fabrice at bellet.info> 2.6.0-1
+* Tue May 29 2012 Tom Callaway <spot at fedoraproject.org> 2.6.0-2
+- check to be sure that %n is not being set as format type (CVE-2012-2090)
+
+* Tue Feb 28 2012 Fabrice Bellet <fabrice at bellet.info> 2.6.0-1
- new upstream release
+* Tue Feb 28 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.4.0-4
+- Rebuilt for c++ ABI breakage
+
* Mon Jan 16 2012 Tom Callaway <spot at fedoraproject.org> - 2.4.0-3
- fix boost compile issue in rawhide
- fix gcc 4.7 compile issue in rawhide
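Review bot: the new changelog line `- check to be sure that %n is not being set as format type (CVE-2012-2090)` needs `%%n`, since rpm macro-expands %changelog text and rpmlint flags a bare `%n` as macro-in-%changelog. Two ordering points in the same hunk: the existing 2.6.0-1 entry has its date rewritten from `Sun Feb 19 2012` to `Tue Feb 28 2012`, which alters someone else's historical entry, and the inserted `2.4.0-4` rebuild entry sits below the newer 2.6.0-1 entry with the same date, so the changelog no longer reads in descending version order. A blank line is also missing between `- new upstream release` and the `2.4.0-4` entry that follows it.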
diff --git a/simgear-2.6.0-check-for-%n-in-format-string.patch b/simgear-2.6.0-check-for-%n-in-format-string.patch
new file mode 100644
index 0000000..8eaea1d
--- /dev/null
+++ b/simgear-2.6.0-check-for-%n-in-format-string.patch
@@ -0,0 +1,20 @@
+diff -up simgear-2.6.0/simgear/scene/model/SGText.cxx.checkforn simgear-2.6.0/simgear/scene/model/SGText.cxx
+--- simgear-2.6.0/simgear/scene/model/SGText.cxx.checkforn 2012-02-17 17:38:44.563895660 -0500
++++ simgear-2.6.0/simgear/scene/model/SGText.cxx 2012-05-29 20:31:35.347601886 -0400
+@@ -65,6 +65,16 @@ void SGText::UpdateCallback::operator()(
+ // FIXME:
+ // hopefully the users never specifies bad formats here
+ // this should better be something more robust
++ // It is never safe for format.c_str to be %n.
++ string unsafe ("%n");
++ size_t found;
++
++ found=format.find(unsafe);
++ if (found!=string::npos) {
++ SG_LOG(SG_GENERAL, SG_ALERT, "format type contained %n, but this is unsafe, reverting to %s");
++ format = "%s";
++ }
++
+ char buf[256];
+ if( numeric ) {
+ double d = property->getDoubleValue() * scale + offset;
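Review bot: `format.find("%n")` only catches the bare two-character form; `%ln`, `%hn`, `%hhn`, `%5n`, `%-n` and similar write-to-memory conversions do not contain the substring `%n` and pass the check, so the CVE-2012-2090 class is narrowed rather than closed. The check also does nothing about extra conversions (a format with two `%s` still reads an argument that is never supplied) or type mismatches between the property value and the conversion. A more robust version would walk the string, and for every `%` that is not `%%` skip flags, width, precision and length modifier and reject on a conversion character of `n`, while requiring exactly one conversion of the kind the branch expects (a floating-point conversion when `numeric` is set, a `%s` otherwise). Separately, the fallback `format = "%s";` is applied unconditionally, so if the numeric branch below formats `d` with `format`, a double is handed to a `%s` conversion; the numeric fallback should be something like `"%f"` or `"%g"`. Finally, this scan runs on every invocation of `UpdateCallback::operator()`, so validating once when the format property is set (and caching a sanitized copy) would be cheaper.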