[FlightGear/f18] fix another uncontrolled format string vulnerability (#958312)
Fabrice Bellet
bellet at fedoraproject.org
Sun May 19 14:58:21 UTC 2013
commit 118867948976d169f000266bf8245df92e6cace1
Author: Fabrice Bellet <fabrice at bellet.info>
Date: Sun May 19 16:58:12 2013 +0200
fix another uncontrolled format string vulnerability (#958312)
...-sure-that-n-is-not-being-set-as-format-t.patch | 42 ++++++++++++++-----
FlightGear.spec | 5 ++-
2 files changed, 35 insertions(+), 12 deletions(-)
---
diff --git a/0001-check-to-be-sure-that-n-is-not-being-set-as-format-t.patch b/0001-check-to-be-sure-that-n-is-not-being-set-as-format-t.patch
index bd0e849..1b033cf 100644
--- a/0001-check-to-be-sure-that-n-is-not-being-set-as-format-t.patch
+++ b/0001-check-to-be-sure-that-n-is-not-being-set-as-format-t.patch
@@ -1,16 +1,17 @@
-From e248cdad7bb3ca27bb598b87a18162c90ded5f26 Mon Sep 17 00:00:00 2001
+From 611140c83aefbd72a8e099dce8595e1d6fc85766 Mon Sep 17 00:00:00 2001
From: Fabrice Bellet <fabrice at bellet.info>
-Date: Fri, 20 Jul 2012 16:34:05 +0200
+Date: Sun, 19 May 2013 16:53:09 +0200
Subject: [PATCH 1/3] check to be sure that %n is not being set as format type
(CVE-2012-2090)
---
- src/Cockpit/panel.cxx | 28 ++++++++++++++++++++++++++--
- src/Network/generic.cxx | 9 +++++++++
- 2 files changed, 35 insertions(+), 2 deletions(-)
+ src/Cockpit/panel.cxx | 26 +++++++++++++++++++++++++-
+ src/Environment/fgclouds.cxx | 9 +++++++++
+ src/Network/generic.cxx | 9 +++++++++
+ 3 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/src/Cockpit/panel.cxx b/src/Cockpit/panel.cxx
-index 3fbc199..c099aa8 100644
+index 3fbc199..09fb885 100644
--- a/src/Cockpit/panel.cxx
+++ b/src/Cockpit/panel.cxx
@@ -1174,8 +1174,18 @@ FGTextLayer::Chunk::Chunk (const string &text, const string &fmt)
@@ -18,11 +19,10 @@ index 3fbc199..c099aa8 100644
{
_text = text;
- if (_fmt.empty())
-- _fmt = "%s";
+ if (_fmt.empty()) {
-+ _fmt = "%s";
+ _fmt = "%s";
+ } else {
-+ // It is never safe for _fmt.c_str to be %n.
++ // It is never safe for _fmt.c_str to be %n.
+ string unsafe ("%n");
+ size_t found;
+ found=_fmt.find(unsafe);
@@ -30,7 +30,7 @@ index 3fbc199..c099aa8 100644
+ SG_LOG(SG_COCKPIT, SG_WARN, "format type contained %n, but this is unsafe, reverting to %s");
+ _fmt = "%s";
+ }
-+ }
++ }
}
FGTextLayer::Chunk::Chunk (ChunkType type, const SGPropertyNode * node,
@@ -55,6 +55,26 @@ index 3fbc199..c099aa8 100644
}
_node = node;
}
+diff --git a/src/Environment/fgclouds.cxx b/src/Environment/fgclouds.cxx
+index d5db1ed..33b9f42 100644
+--- a/src/Environment/fgclouds.cxx
++++ b/src/Environment/fgclouds.cxx
+@@ -224,6 +224,15 @@ void FGClouds::buildLayer(int iLayer, const string& name, double coverage) {
+ tCloudVariety[CloudVarietyCount].count = count;
+ int variety = 0;
+ cloud_name = cloud_name + "-%d";
++ // It is never safe for cloud_name.c_str to be %n.
++ string unsafe ("%n");
++ size_t found;
++
++ found=cloud_name.find(unsafe);
++ if (found!=string::npos) {
++ SG_LOG(SG_GENERAL, SG_ALERT, "format type contained %n, but this is unsafe , ignore it");
++ continue;
++ }
+ char variety_name[50];
+ do {
+ variety++;
diff --git a/src/Network/generic.cxx b/src/Network/generic.cxx
index 21f048c..96f6364 100644
--- a/src/Network/generic.cxx
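Review bot: The check added to FGClouds::buildLayer rejects only the literal substring `%n`, so a cloud name carrying any other conversion (`%s`, `%x`, or a length-modified or positional form of the write conversion) still ends up in the format string once `-%d` is appended. The call that consumes cloud_name as a format is past the end of this hunk, so this is inferred from the `-%d` suffix and the `variety_name[50]` buffer. Rather than filtering, keep the name out of the format position: drop the `+ "-%d"` concatenation and format with a constant string, e.g. `snprintf(variety_name, sizeof(variety_name), "%s-%d", cloud_name.c_str(), variety);`. The same substring-only test sits in FGTextLayer::Chunk::Chunk in panel.cxx; there the format is meant to be configurable, so an allow-list that accepts exactly one expected conversion would be the safer shape. The enclosing loop that the `continue` targets is also outside the hunk.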
@@ -83,5 +103,5 @@ index 21f048c..96f6364 100644
case FG_INT:
val = _out_message[i].offset +
--
-1.7.10.4
+1.8.1.4
diff --git a/FlightGear.spec b/FlightGear.spec
index 86a8f5d..e800a13 100644
--- a/FlightGear.spec
+++ b/FlightGear.spec
@@ -1,7 +1,7 @@
Name: FlightGear
Summary: The FlightGear Flight Simulator
Version: 2.8.0
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: Amusements/Games
Source0: http://mirrors.ibiblio.org/pub/mirrors/flightgear/ftp/Source/flightgear-%{version}.tar.bz2
@@ -120,6 +120,9 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/icons/hicolor/*/apps/*
%changelog
+* Sun May 19 2013 Fabrice Bellet <fabrice at bellet.info> - 2.8.0-2
+- fix another uncontrolled format string vulnerability (#958312)
+
* Tue Sep 11 2012 Fabrice Bellet <fabrice at bellet.info> 2.8.0-1
- new upstream release