[SimGear/f16] check to be sure that %n is not being set as format type (CVE-2012-2090)
Tom Callaway
spot at fedoraproject.org
Wed May 30 01:33:37 UTC 2012
commit 17904601bb72195faac51ad7725ef83cc5f53f6f
Author: Tom Callaway <spot at fedoraproject.org>
Date: Tue May 29 21:33:33 2012 -0400
check to be sure that %n is not being set as format type (CVE-2012-2090)
SimGear.spec | 8 +++++++-
simgear-2.6.0-check-for-%n-in-format-string.patch | 20 ++++++++++++++++++++
2 files changed, 27 insertions(+), 1 deletions(-)
---
diff --git a/SimGear.spec b/SimGear.spec
index 616e0a1..7fa6d65 100644
--- a/SimGear.spec
+++ b/SimGear.spec
@@ -1,6 +1,6 @@
Name: SimGear
Version: 2.4.0
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Libraries
Summary: Simulation library components
@@ -12,6 +12,7 @@ Patch1: SimGear-2.4.0-dont-build-noinst-programs.patch
Patch2: SimGear-2.4.0-dependencies.patch
Patch4: SimGear-2.0.0-more-archs.patch
Patch5: SimGear-2.4.0-expat.patch
+Patch6: simgear-2.6.0-check-for-%n-in-format-string.patch
Patch100: SimGear-1.9.0-headers.patch
BuildRequires: openal-soft-devel, plib-devel >= 1.8.5
BuildRequires: OpenSceneGraph-devel >= 2.8.0
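Review bot: the new `Patch6:` line carries a literal `%n` in the file name (`simgear-2.6.0-check-for-%n-in-format-string.patch`), and `%` introduces macro expansion in a spec file, so the name is fragile and will draw rpmlint warnings; renaming the patch without `%` (e.g. `SimGear-2.4.0-check-for-n-in-format-string.patch`) also fixes the version mismatch between the `2.6.0` in the patch name and the `2.4.0` this spec builds, matching the naming of `Patch1`, `Patch2` and `Patch5` above it.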
@@ -51,6 +52,8 @@ SimGear.
%patch4 -p1
# Use expat
%patch5 -p1 -b .expat
+# check for %n in format string (CVE-2012-2090)
+%patch6 -p1 -b .checkforn
# makes rpmlint happy
find -name \*.cxx -o -name \*.hxx | xargs chmod -x
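Review bot: rpm expands macros inside `#` comments too, so the added comment `# check for %n in format string (CVE-2012-2090)` should escape the percent sign as `%%n` to avoid an unintended macro lookup (rpmlint reports this as macro-in-comment).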
@@ -124,6 +127,9 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/libsgxml.so
%changelog
+* Tue May 29 2012 Tom Callaway <spot at fedoraproject.org> 2.4.0-4
+- check to be sure that %n is not being set as format type (CVE-2012-2090)
+
* Fri Sep 09 2011 Fabrice Bellet <fabrice at bellet.info> 2.4.0-3
- Really rebuild against OSG-3.0.1
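Review bot: the new `%changelog` entry has the same unescaped `%n`; `%changelog` text is macro-expanded as well, so write `%%n` here (rpmlint's macro-in-%changelog check flags exactly this).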
diff --git a/simgear-2.6.0-check-for-%n-in-format-string.patch b/simgear-2.6.0-check-for-%n-in-format-string.patch
new file mode 100644
index 0000000..8eaea1d
--- /dev/null
+++ b/simgear-2.6.0-check-for-%n-in-format-string.patch
@@ -0,0 +1,20 @@
+diff -up simgear-2.6.0/simgear/scene/model/SGText.cxx.checkforn simgear-2.6.0/simgear/scene/model/SGText.cxx
+--- simgear-2.6.0/simgear/scene/model/SGText.cxx.checkforn 2012-02-17 17:38:44.563895660 -0500
++++ simgear-2.6.0/simgear/scene/model/SGText.cxx 2012-05-29 20:31:35.347601886 -0400
+@@ -65,6 +65,16 @@ void SGText::UpdateCallback::operator()(
+ // FIXME:
+ // hopefully the users never specifies bad formats here
+ // this should better be something more robust
++ // It is never safe for format.c_str to be %n.
++ string unsafe ("%n");
++ size_t found;
++
++ found=format.find(unsafe);
++ if (found!=string::npos) {
++ SG_LOG(SG_GENERAL, SG_ALERT, "format type contained %n, but this is unsafe, reverting to %s");
++ format = "%s";
++ }
++
+ char buf[256];
+ if( numeric ) {
+ double d = property->getDoubleValue() * scale + offset;
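Review bot: the `format.find(unsafe)` substring test only catches the two-character sequence `%n`, so a conversion that carries a width or length modifier (`%5n`, `%hn`, `%ln`) still reaches the formatting call with the same effect; a more robust check would walk the string, parse each `%` conversion specifier, and reject anything other than the single conversion the call site expects. Two smaller points on the same hunk: falling back to `"%s"` looks wrong for the `numeric` branch that follows, where the visible code prepares a `double d` to be formatted, so the fallback should depend on `numeric` (e.g. `"%f"` there) rather than always `"%s"`; and `size_t found;` followed by `found=format.find(unsafe);` reads cleaner as a single `size_t found = format.find(unsafe);`.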