[SimGear] add fix for CVE-2012-2090

Tom Callaway spot at fedoraproject.org
Wed May 30 01:29:52 UTC 2012


commit 17ef0f672ea088b28fc5d1f854621df35ed6992e
Author: Tom Callaway <spot at fedoraproject.org>
Date:   Tue May 29 21:29:49 2012 -0400

    add fix for CVE-2012-2090

 SimGear.spec                                      |   12 ++++++++++--
 simgear-2.6.0-check-for-%n-in-format-string.patch |   20 ++++++++++++++++++++
 2 files changed, 30 insertions(+), 2 deletions(-)
---
diff --git a/SimGear.spec b/SimGear.spec
index d4177e2..08b3cf0 100644
--- a/SimGear.spec
+++ b/SimGear.spec
@@ -1,6 +1,6 @@
 Name:		SimGear
 Version:	2.6.0
-Release:	1%{?dist}
+Release:	2%{?dist}
 License:	GPLv2+
 Group:		System Environment/Libraries
 Summary:	Simulation library components
@@ -10,6 +10,7 @@ BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Patch1:		0001-add-more-arches.patch
 Patch2:		0002-nuke-old-bundled-copy-of-expat-use-system-expat.patch
 Patch3:		0003-remove-unneeded-header.patch
+Patch4:		simgear-2.6.0-check-for-%n-in-format-string.patch
 BuildRequires:	openal-soft-devel, plib-devel >= 1.8.5
 BuildRequires:	OpenSceneGraph-devel >= 2.8.0
 BuildRequires:	boost-devel >= 1.37.0
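Review bot: the new Patch4 filename contains a literal `%n`, and a bare `%` in a spec file is subject to rpm macro expansion; spell it `%%n` in the Patch4: line, or better, rename the file to something like `simgear-2.6.0-check-for-percent-n-in-format-string.patch` so no percent sign appears in a path at all. As a side observation from the context lines, Patch3 (`0003-remove-unneeded-header.patch`) is declared here but is not applied in %prep.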
@@ -38,6 +39,7 @@ SimGear.
 %setup -q -n simgear-%{version}
 %patch1 -p1
 %patch2 -p1
+%patch4 -p1 -b .checkforn
 
 # makes rpmlint happy
 find -name \*.cxx -o -name \*.hxx | xargs chmod -x
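Review bot: `%patch4 -p1 -b .checkforn` is applied directly after `%patch2 -p1`, so the declared Patch3 is still skipped in %prep; either add `%patch3 -p1` here or drop the unused Patch3 line from the spec so the declaration and the %prep section agree. The `-b .checkforn` backup suffix matches the `.checkforn` suffix used in the new patch file, which keeps the two consistent.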
@@ -82,9 +84,15 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libSimGearScene.so
 
 %changelog
-* Sun Feb 19 2012 Fabrice Bellet <fabrice at bellet.info> 2.6.0-1
+* Tue May 29 2012 Tom Callaway <spot at fedoraproject.org> 2.6.0-2
+- check to be sure that %n is not being set as format type (CVE-2012-2090)
+
+* Tue Feb 28 2012 Fabrice Bellet <fabrice at bellet.info> 2.6.0-1
 - new upstream release
 
+* Tue Feb 28 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.4.0-4
+- Rebuilt for c++ ABI breakage
+
 * Mon Jan 16 2012 Tom Callaway <spot at fedoraproject.org> - 2.4.0-3
 - fix boost compile issue in rawhide
 - fix gcc 4.7 compile issue in rawhide
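Review bot: the new changelog line contains `%n`, which rpm will try to expand as a macro in %changelog (rpmlint reports this as macro-in-%changelog); write it as `%%n`. The hunk also rewrites the date of the existing 2.6.0-1 entry from `Sun Feb 19 2012` to `Tue Feb 28 2012` and inserts a 2.4.0-4 Release Engineering entry below it; if those corrections are intended, say so in the commit message, since silently editing older changelog entries makes the package history harder to audit.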
diff --git a/simgear-2.6.0-check-for-%n-in-format-string.patch b/simgear-2.6.0-check-for-%n-in-format-string.patch
new file mode 100644
index 0000000..8eaea1d
--- /dev/null
+++ b/simgear-2.6.0-check-for-%n-in-format-string.patch
@@ -0,0 +1,20 @@
+diff -up simgear-2.6.0/simgear/scene/model/SGText.cxx.checkforn simgear-2.6.0/simgear/scene/model/SGText.cxx
+--- simgear-2.6.0/simgear/scene/model/SGText.cxx.checkforn	2012-02-17 17:38:44.563895660 -0500
++++ simgear-2.6.0/simgear/scene/model/SGText.cxx	2012-05-29 20:31:35.347601886 -0400
+@@ -65,6 +65,16 @@ void SGText::UpdateCallback::operator()(
+   // FIXME:
+   // hopefully the users never specifies bad formats here
+   // this should better be something more robust
++  // It is never safe for format.c_str to be %n.
++  string unsafe ("%n");
++  size_t found;
++
++  found=format.find(unsafe);
++  if (found!=string::npos) {
++     SG_LOG(SG_GENERAL, SG_ALERT, "format type contained %n, but this is unsafe, reverting to %s");
++     format = "%s";
++  }
++
+   char buf[256];
+   if( numeric ) {
+     double d = property->getDoubleValue() * scale + offset;
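Review bot: the check only looks for the literal substring `%n`, so a format type with a length modifier or width between the `%` and the `n` (for example `%hn` or `%ln`) is not caught, and the FIXME comment about robustness still applies; a safer approach is to scan the format string for conversion specifications and accept only a single conversion of the expected kind (a floating-point conversion when `numeric` is set, `%s` otherwise), reverting to a default whenever anything else appears. The fallback itself is also wrong for the numeric branch visible in the context lines: after `format = "%s"` the code goes on to format `double d` with that string, and passing a double to a `%s` conversion is undefined behaviour in its own right, so the numeric path should fall back to something like `"%f"` rather than `"%s"`. Minor style point: the `SG_LOG` line is indented five spaces where the surrounding block uses two.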

