[FlightGear] Add fixes for CVE-2012-2090 and CVE-2012-2091
Tom Callaway
spot at fedoraproject.org
Wed May 30 01:28:32 UTC 2012
commit a9574160fe6289ec50674abcf9f2867029c5f56d
Author: Tom Callaway <spot at fedoraproject.org>
Date: Tue May 29 21:28:28 2012 -0400
Add fixes for CVE-2012-2090 and CVE-2012-2091
FlightGear.spec | 15 +++-
....6.0-check-for-%n-in-printf-format-string.patch | 71 ++++++++++++++++
...gear-2.6.0-use-snprintf-for-rotor-strings.patch | 85 ++++++++++++++++++++
3 files changed, 169 insertions(+), 2 deletions(-)
---
diff --git a/FlightGear.spec b/FlightGear.spec
index c320df5..65235f3 100644
--- a/FlightGear.spec
+++ b/FlightGear.spec
@@ -1,7 +1,7 @@
Name: FlightGear
Summary: The FlightGear Flight Simulator
Version: 2.6.0
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: Amusements/Games
Source: http://mirrors.ibiblio.org/pub/mirrors/flightgear/ftp/Source/flightgear-%{version}.tar.bz2
@@ -16,6 +16,8 @@ Source6: fg-128.png
Source7: COPYING
Patch1: 0001-add-zlib-dependency-to-fgadmin.patch
Patch2: 0002-fix-build-with-gcc-4.7.0.patch
+Patch3: flightgear-2.6.0-check-for-%n-in-printf-format-string.patch
+Patch4: flightgear-2.6.0-use-snprintf-for-rotor-strings.patch
URL: http://www.flightgear.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: openal-soft-devel >= 1.11.753, SimGear-devel >= %{version}
@@ -35,6 +37,8 @@ expanded and improved upon by anyone interested in contributing
%setup -q -n flightgear-%{version}
%patch1 -p1
%patch2 -p1
+%patch3 -p1
+%patch4 -p1
# make rpmlint happy
find -name \*.h -o -name \*.cpp -o -name \*.cxx -o -name \*.hxx \
@@ -116,9 +120,16 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/icons/hicolor/*/apps/*
%changelog
-* Sun Feb 19 2012 Fabrice Bellet <fabrice at bellet.info> 2.6.0-1
+* Tue May 29 2012 Tom Callaway <spot at fedoraproject.org> 2.6.0-2
+- check that printf format strings are never %n (CVE-2012-2090)
+- use snprintf with a max size of 256 to prevent rotor name overflow (CVE-2012-2091)
+
+* Tue Feb 28 2012 Fabrice Bellet <fabrice at bellet.info> 2.6.0-1
- new upstream release
+* Tue Feb 28 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.4.0-4
+- Rebuilt for c++ ABI breakage
+
* Sat Jan 21 2012 Fabrice Bellet <fabrice at bellet.info> 2.4.0-3
- Fix gcc 4.7.0 compile issues in rawhide
diff --git a/flightgear-2.6.0-check-for-%n-in-printf-format-string.patch b/flightgear-2.6.0-check-for-%n-in-printf-format-string.patch
new file mode 100644
index 0000000..a83ebde
--- /dev/null
+++ b/flightgear-2.6.0-check-for-%n-in-printf-format-string.patch
@@ -0,0 +1,71 @@
+diff -up flightgear-2.6.0/src/Cockpit/panel.cxx.checkforn flightgear-2.6.0/src/Cockpit/panel.cxx
+--- flightgear-2.6.0/src/Cockpit/panel.cxx.checkforn 2012-02-17 17:41:14.704313333 -0500
++++ flightgear-2.6.0/src/Cockpit/panel.cxx 2012-05-29 21:01:31.264831372 -0400
+@@ -1209,8 +1209,18 @@ FGTextLayer::Chunk::Chunk (const string
+ : _type(FGTextLayer::TEXT), _fmt(fmt)
+ {
+ _text = text;
+- if (_fmt.empty())
+- _fmt = "%s";
++ if (_fmt.empty()) {
++ _fmt = "%s";
++ } else {
++ // It is never safe for _fmt.c_str to be %n.
++ string unsafe ("%n");
++ size_t found;
++ found=_fmt.find(unsafe);
++ if (found!=string::npos) {
++ SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
++ _fmt = "%s";
++ }
++ }
+ }
+
+ FGTextLayer::Chunk::Chunk (ChunkType type, const SGPropertyNode * node,
+@@ -1223,6 +1233,20 @@ FGTextLayer::Chunk::Chunk (ChunkType typ
+ _fmt = "%s";
+ else
+ _fmt = "%.2f";
++ } else {
++ // It is never safe for _fmt.c_str to be %n.
++ string unsafe ("%n");
++ size_t found;
++ found=_fmt.find(unsafe);
++ if (found!=string::npos) {
++ if (type == TEXT_VALUE) {
++ SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
++ _fmt = "%s";
++ } else {
++ SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %.2f");
++ _fmt = "%.2f";
++ }
++ }
+ }
+ _node = node;
+ }
+diff -up flightgear-2.6.0/src/Network/generic.cxx.checkforn flightgear-2.6.0/src/Network/generic.cxx
+--- flightgear-2.6.0/src/Network/generic.cxx.checkforn 2012-02-17 17:41:16.428329558 -0500
++++ flightgear-2.6.0/src/Network/generic.cxx 2012-05-29 20:50:37.212255822 -0400
+@@ -205,6 +205,8 @@ bool FGGeneric::gen_message_binary() {
+
+ bool FGGeneric::gen_message_ascii() {
+ string generic_sentence;
++ string unsafe ("%n");
++ size_t found;
+ char tmp[255];
+ length = 0;
+
+@@ -215,6 +217,13 @@ bool FGGeneric::gen_message_ascii() {
+ generic_sentence += var_separator;
+ }
+
++ // It is never safe for _out_message[i].format.c_str to be %n.
++ found=_out_message[i].format.find(unsafe);
++ if (found!=string::npos) {
++ SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
++ _out_message[i].format = "%s";
++ }
++
+ switch (_out_message[i].type) {
+ case FG_INT:
+ val = _out_message[i].offset +
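Review bot: The substring test `found=_fmt.find(unsafe)` used in both FGTextLayer::Chunk constructors and again in FGGeneric::gen_message_ascii is an incomplete validator: the same conversion can carry a length modifier (`%hn`, `%ln`, …), which a literal search for `%n` does not match, while a legitimate escaped `%%n` in a label is wrongly rejected. The deeper issue is that the format still comes from configuration and is handed to a printf-family call that expects exactly one `%s` (or one floating-point conversion), so any other mismatch in conversion count or type remains undefined behaviour. The three copies should become one shared validator that accepts literal text, `%%` escapes and exactly one conversion of the expected kind, with each call site reduced to `if (!formatIsSafe(_fmt, "s")) { SG_LOG(SG_COCKPIT, SG_WARN, "unsafe format, reverting to %s"); _fmt = "%s"; }`. The `SG_COCKPIT` category in the generic.cxx copy is carried over from the cockpit code; the network module presumably has a more appropriate category. The enclosing constructors and gen_message_ascii all begin outside the hunk.
```cpp
// Accept only a format made of literal text, "%%" escapes and exactly one
// conversion whose type character is in `allowed` ("s" for text, "feEgG" for
// numbers). Rejects %n in every spelling, length modifiers, '*' widths and
// any argument-count mismatch.
static bool formatIsSafe(const string& fmt, const char* allowed)
{
    int conversions = 0;
    for (size_t i = 0; i < fmt.size(); ++i) {
        if (fmt[i] != '%') continue;
        if (++i >= fmt.size()) return false;               // dangling '%'
        if (fmt[i] == '%') continue;                       // literal percent
        while (i < fmt.size() && fmt[i] && strchr("-+ #0123456789.", fmt[i]))
            ++i;                                           // flags, width, precision
        if (i >= fmt.size() || !fmt[i] || !strchr(allowed, fmt[i]))
            return false;                                  // %n, modifier or wrong type
        ++conversions;
    }
    return conversions == 1;
}

// … unchanged: FGTextLayer::Chunk::Chunk (const string …) body up to the empty check …
    if (_fmt.empty()) {
        _fmt = "%s";
    } else if (!formatIsSafe(_fmt, "s")) {
        SG_LOG(SG_COCKPIT, SG_WARN, "unsafe format type, reverting to %s");
        _fmt = "%s";
    }
// … unchanged: second constructor and gen_message_ascii use the same helper with "s" or "feEgG" …
```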
diff --git a/flightgear-2.6.0-use-snprintf-for-rotor-strings.patch b/flightgear-2.6.0-use-snprintf-for-rotor-strings.patch
new file mode 100644
index 0000000..d4c4d85
--- /dev/null
+++ b/flightgear-2.6.0-use-snprintf-for-rotor-strings.patch
@@ -0,0 +1,85 @@
+diff -up flightgear-2.6.0/src/FDM/YASim/Rotor.cpp.rotornamemax256 flightgear-2.6.0/src/FDM/YASim/Rotor.cpp
+--- flightgear-2.6.0/src/FDM/YASim/Rotor.cpp.rotornamemax256 2012-05-29 21:17:49.674896892 -0400
++++ flightgear-2.6.0/src/FDM/YASim/Rotor.cpp 2012-05-29 21:20:51.004474076 -0400
+@@ -274,7 +274,7 @@ int Rotor::getValueforFGSet(int j,char *
+ if (4>numRotorparts()) return 0; //compile first!
+ if (j==0)
+ {
+- sprintf(text,"/rotors/%s/cone-deg", _name);
++ snprintf(text, 256, "/rotors/%s/cone-deg", _name);
+ *f=(_balance1>-1)?( ((Rotorpart*)getRotorpart(0))->getrealAlpha()
+ +((Rotorpart*)getRotorpart(1*(_number_of_parts>>2)))->getrealAlpha()
+ +((Rotorpart*)getRotorpart(2*(_number_of_parts>>2)))->getrealAlpha()
+@@ -284,7 +284,7 @@ int Rotor::getValueforFGSet(int j,char *
+ else
+ if (j==1)
+ {
+- sprintf(text,"/rotors/%s/roll-deg", _name);
++ snprintf(text, 256, "/rotors/%s/roll-deg", _name);
+ _roll = ( ((Rotorpart*)getRotorpart(0))->getrealAlpha()
+ -((Rotorpart*)getRotorpart(2*(_number_of_parts>>2)))->getrealAlpha()
+ )/2*(_ccw?-1:1);
+@@ -293,7 +293,7 @@ int Rotor::getValueforFGSet(int j,char *
+ else
+ if (j==2)
+ {
+- sprintf(text,"/rotors/%s/yaw-deg", _name);
++ snprintf(text, 256, "/rotors/%s/yaw-deg", _name);
+ _yaw=( ((Rotorpart*)getRotorpart(1*(_number_of_parts>>2)))->getrealAlpha()
+ -((Rotorpart*)getRotorpart(3*(_number_of_parts>>2)))->getrealAlpha()
+ )/2;
+@@ -302,38 +302,38 @@ int Rotor::getValueforFGSet(int j,char *
+ else
+ if (j==3)
+ {
+- sprintf(text,"/rotors/%s/rpm", _name);
++ snprintf(text, 256, "/rotors/%s/rpm", _name);
+ *f=(_balance1>-1)?_omega/2/pi*60:0;
+ }
+ else
+ if (j==4)
+ {
+- sprintf(text,"/rotors/%s/tilt/pitch-deg",_name);
++ snprintf(text, 256, "/rotors/%s/tilt/pitch-deg",_name);
+ *f=_tilt_pitch*180/pi;
+ }
+ else if (j==5)
+ {
+- sprintf(text,"/rotors/%s/tilt/roll-deg",_name);
++ snprintf(text, 256, "/rotors/%s/tilt/roll-deg",_name);
+ *f=_tilt_roll*180/pi;
+ }
+ else if (j==6)
+ {
+- sprintf(text,"/rotors/%s/tilt/yaw-deg",_name);
++ snprintf(text, 256, "/rotors/%s/tilt/yaw-deg",_name);
+ *f=_tilt_yaw*180/pi;
+ }
+ else if (j==7)
+ {
+- sprintf(text,"/rotors/%s/balance", _name);
++ snprintf(text, 256, "/rotors/%s/balance", _name);
+ *f=_balance1;
+ }
+ else if (j==8)
+ {
+- sprintf(text,"/rotors/%s/stall",_name);
++ snprintf(text, 256, "/rotors/%s/stall",_name);
+ *f=getOverallStall();
+ }
+ else if (j==9)
+ {
+- sprintf(text,"/rotors/%s/torque",_name);
++ snprintf(text, 256, "/rotors/%s/torque",_name);
+ *f=-_torque;;
+ }
+ else
+@@ -344,7 +344,7 @@ int Rotor::getValueforFGSet(int j,char *
+ return 0;
+ }
+ int w=j%3;
+- sprintf(text,"/rotors/%s/blade[%i]/%s",
++ snprintf(text, 256, "/rotors/%s/blade[%i]/%s",
+ _name,b,
+ w==0?"position-deg":(w==1?"flap-deg":"incidence-deg"));
+ *f=((Rotorpart*)getRotorpart(0))->getPhi()*180/pi
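Review bot: The `256` passed to every `snprintf` in Rotor::getValueforFGSet is a bound on a buffer this function does not own — `text` is a `char *` parameter, so the fix only holds if every caller supplies at least 256 bytes, which the hunk cannot show. Make the contract explicit: hoist the literal into a named constant, `static const size_t kTextLen = 256;`, use it in each call, and document on the declaration that `text` must point to at least `kTextLen` bytes, or better, add a size parameter so the caller's real buffer size is passed through. Note also that `snprintf` truncates silently, so an over-long `_name` now yields a wrong property path instead of an overflow; checking the return value against `kTextLen` and logging would make that visible. The function's signature and its tail are outside the hunk.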