[SimGear/f15] check to be sure that %n is not being set as format type (CVE-2012-2090)

Tom Callaway spot at fedoraproject.org
Wed May 30 01:37:13 UTC 2012


commit 05272a10cb7eb330144b22553c377925a2906f62
Author: Tom Callaway <spot at fedoraproject.org>
Date:   Tue May 29 21:37:10 2012 -0400

    check to be sure that %n is not being set as format type (CVE-2012-2090)

 SimGear.spec                                      |    8 +++++++-
 simgear-2.6.0-check-for-%n-in-format-string.patch |   20 ++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletions(-)
---
diff --git a/SimGear.spec b/SimGear.spec
index e1ec66e..6f4a1fc 100644
--- a/SimGear.spec
+++ b/SimGear.spec
@@ -1,6 +1,6 @@
 Name:		SimGear
 Version:	2.0.0
-Release:	5%{?dist}
+Release:	6%{?dist}
 License:	GPLv2+
 Group:		System Environment/Libraries
 Summary:	Simulation library components
@@ -13,6 +13,7 @@ Patch2:		SimGear-2.0.0-untangle-cloudfield.patch
 Patch3:		SimGear-2.0.0-untangle-timestamp.patch
 Patch4:		SimGear-2.0.0-more-archs.patch
 Patch5:		SimGear-2.0.0-expat.patch
+Patch6:		simgear-2.6.0-check-for-%n-in-format-string.patch
 Patch100:	SimGear-1.9.0-headers.patch
 BuildRequires:	openal-soft-devel, plib-devel >= 1.8.5
 BuildRequires:	OpenSceneGraph-devel >= 2.8.0
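Review bot: the Patch6 file name `simgear-2.6.0-check-for-%n-in-format-string.patch` does not match this spec's `Version: 2.0.0` or the `SimGear-2.0.0-*` naming used by Patch2 through Patch5, and the literal `%n` in the tag value is subject to rpm macro expansion when the spec is parsed. Rename the file to the existing scheme without the percent sign (for example `SimGear-2.0.0-check-for-percent-n-in-format-string.patch`), and since the hunk was generated against a 2.6.0 tree, confirm in the build log that it still applies to the 2.0.0 copy of `SGText.cxx` without fuzz.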
@@ -51,6 +52,8 @@ SimGear.
 %patch4 -p1
 # Use expat
 %patch5 -p1 -b .expat
+# check for %n in format string (CVE-2012-2090)
+%patch6 -p1 -b .checkforn
 
 chmod -x simgear/screen/GLBitmaps.cxx \
 	simgear/scene/model/persparam.?xx \
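Review bot: the comment `# check for %n in format string (CVE-2012-2090)` carries an unescaped `%n`; rpm expands macros inside `#` comments too, so this should be written `%%n` (rpmlint flags unescaped macros in comments for this reason). The `%patch6` line inherits the same `%n` through the Patch6 file name, so fixing the patch name removes that second instance.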
@@ -125,6 +128,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libsgxml.so
 
 %changelog
+* Tue May 29 2012 Tom Callaway <spot at fedoraproject.org> 2.0.0-6
+- check to be sure that %n is not being set as format type (CVE-2012-2090)
+
 * Wed Apr 20 2011 Tom Callaway <spot at fedoraproject.org> 2.0.0-5
 - nuke old bundled copy of expat, use system expat (resolves 691934)
 
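Review bot: the new %changelog line `- check to be sure that %n is not being set as format type (CVE-2012-2090)` contains an unescaped `%n`; macros are expanded in %changelog as well and rpmlint reports this as macro-in-%changelog. Escape it as `%%n`.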
diff --git a/simgear-2.6.0-check-for-%n-in-format-string.patch b/simgear-2.6.0-check-for-%n-in-format-string.patch
new file mode 100644
index 0000000..8eaea1d
--- /dev/null
+++ b/simgear-2.6.0-check-for-%n-in-format-string.patch
@@ -0,0 +1,20 @@
+diff -up simgear-2.6.0/simgear/scene/model/SGText.cxx.checkforn simgear-2.6.0/simgear/scene/model/SGText.cxx
+--- simgear-2.6.0/simgear/scene/model/SGText.cxx.checkforn	2012-02-17 17:38:44.563895660 -0500
++++ simgear-2.6.0/simgear/scene/model/SGText.cxx	2012-05-29 20:31:35.347601886 -0400
+@@ -65,6 +65,16 @@ void SGText::UpdateCallback::operator()(
+   // FIXME:
+   // hopefully the users never specifies bad formats here
+   // this should better be something more robust
++  // It is never safe for format.c_str to be %n.
++  string unsafe ("%n");
++  size_t found;
++
++  found=format.find(unsafe);
++  if (found!=string::npos) {
++     SG_LOG(SG_GENERAL, SG_ALERT, "format type contained %n, but this is unsafe, reverting to %s");
++     format = "%s";
++  }
++
+   char buf[256];
+   if( numeric ) {
+     double d = property->getDoubleValue() * scale + offset;
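Review bot: the fallback `format = "%s"` is wrong for the `numeric` branch that follows, which computes a `double d` to format; handing a double to a `%s` conversion replaces one undefined behaviour with another, so the replacement format should depend on `numeric` (a floating-point conversion such as `"%f"` there, `"%s"` otherwise). The check itself is also narrower than the CVE it cites: `format.find("%n")` only matches the two adjacent characters, so `%hn`, `%ln`, `%hhn`, `%5n` or `%*n` pass untouched, while `%%n` (a literal percent followed by n, not a conversion) trips it. Since the FIXME above already admits the format is user supplied, a more robust version would walk the string for conversion specifiers, accept exactly one whose conversion character matches the branch (floating-point conversions when `numeric`, `s` otherwise), and reject everything else, which also closes the stack-read case of a format with extra `%x` or `%s` conversions that this patch leaves open. Finally, the SG_LOG message itself contains literal `%n` and `%s`; that is only safe if SG_LOG builds its message by stream insertion rather than through a printf-style formatter, which is worth confirming.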


More information about the scm-commits mailing list