[pkg-fgfs-crew] [simgear] 01/01: Correct an off-by-one bug in patch CVE-2012-2091.diff. Correct reference to closed bug in 2.10.0-2.
Markus Wanner
markus_wanner-guest at alioth.debian.org
Sun Sep 8 08:21:53 UTC 2013
This is an automated email from the git hooks/post-receive script.
markus_wanner-guest pushed a commit to branch master
in repository simgear.
commit f8fa950c78a261b46567437cf8b96f76a7acda58
Author: Markus Wanner <markus at bluegap.ch>
Date: Sun Sep 8 10:18:52 2013 +0200
Correct an off-by-one bug in patch CVE-2012-2091.diff.
Correct reference to closed bug in 2.10.0-2.
---
debian/changelog | 8 +++++++-
debian/patches/CVE-2012-2091.diff | 27 +++++++++++++++++----------
2 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 1f4f155..8ae0386 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+simgear (2.10.0-3) UNRELEASED; urgency=low
+
+ * Correct an off-by-one bug in patch CVE-2012-2091.diff.
+
+ --
+
simgear (2.10.0-2) unstable; urgency=low
[ Scott Kitterman ]
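Review bot: The new 2.10.0-3 entry says only "Correct an off-by-one bug in patch CVE-2012-2091.diff", which does not tell a changelog reader that the earlier version of the CVE fix was incomplete. Consider naming the affected functions (SGSocketUDP::read() and SGSocketUDP::readline(), per the patch header) and stating that the terminating NUL could be written one byte past the caller's buffer. The trailer line of the new entry is also empty (" --" with no maintainer or date) and will need filling in before upload.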
@@ -6,7 +12,7 @@ simgear (2.10.0-2) unstable; urgency=low
[ Markus Wanner ]
* Fix for CVE-2012-2090: prevent %n being passed to format
- strings. Together with the above fix, this closes: #669025.
+ strings. Together with the above fix, this closes: #669024.
* Update copyright file. Now in DEP-5 style.
-- Markus Wanner <markus at bluegap.ch> Sat, 07 Sep 2013 21:18:10 +0200
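Review bot: The bug number in the 2.10.0-2 entry is changed in place from #669025 to #669024, but that entry is already marked unstable and the new 2.10.0-3 entry does not mention the correction. If 2.10.0-2 has been uploaded, its "closes:" has already been processed with the old number, so editing the old entry will not close #669024. Add a line to the 2.10.0-3 entry that closes #669024 and notes that #669025 was referenced by mistake.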
diff --git a/debian/patches/CVE-2012-2091.diff b/debian/patches/CVE-2012-2091.diff
index 6bfb60f..11a24cd 100644
--- a/debian/patches/CVE-2012-2091.diff
+++ b/debian/patches/CVE-2012-2091.diff
@@ -1,28 +1,35 @@
Subject: Fix for CVE-2012-2091: add checks against buffer overruns
- CVE-2012-2091 mentions various buffer overruns in simgear and flightgear.
+ CVE-2012-2091 mentions various buffer overruns in simgear and
flightgear. This patch addresses issues in SGSocketUDP::read() and
SGSocketUDP::readline() - for simgear only, obviously.
From: Rebecca Palmer, Saikrishna Arcot
Origin: https://bugs.launchpad.net/ubuntu/+source/flightgear/+bug/1077624/+attachment/3806309/+files/simgear_CVE2012_2091.patch
-Last-Update: 2013-09-06
+Last-Update: 2013-09-07
--- a/simgear/io/sg_socket_udp.cxx
+++ b/simgear/io/sg_socket_udp.cxx
-@@ -104,8 +104,12 @@
+@@ -103,9 +103,13 @@
+ return 0;
}
- int result;
-+ if (length < 0) {
-+ length = 0;
++ if (length <= 0) {
++ return 0;
+ }
-+ int maxsize = length < SG_IO_MAX_MSG_SIZE ? length : SG_IO_MAX_MSG_SIZE;
+ int result;
++ int maxsize = (length - 1) < SG_IO_MAX_MSG_SIZE ? (length - 1) : SG_IO_MAX_MSG_SIZE;
- if ( (result = sock.recv(buf, SG_IO_MAX_MSG_SIZE, 0)) >= 0 ) {
+ if ( (result = sock.recv(buf, maxsize, 0)) >= 0 ) {
buf[result] = '\0';
// printf("msg received = %s\n", buf);
}
-@@ -123,7 +127,8 @@
+@@ -120,10 +124,14 @@
+ return 0;
+ }
+
++ if (length <= 0) {
++ return 0;
++ }
// cout << "sock = " << sock << endl;
char *buf_ptr = save_buf + save_len;
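Review bot: In the SGSocketUDP::read() part, maxsize is now (length - 1) capped at SG_IO_MAX_MSG_SIZE, so a caller passing length == 1 reaches sock.recv(buf, 0, 0), and any datagram longer than maxsize is cut to fit with no indication to the caller (assuming sock.recv behaves like recv() on a UDP socket, where the excess bytes of a datagram are discarded). The bound itself is right, since buf[result] = '\0' now stays inside a buffer of length bytes. Consider a comment documenting the truncation, or returning early for length < 2. The added "return 0" for length <= 0, in both read() and readline(), is also indistinguishable to the caller from the existing "return 0" paths just above it.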
@@ -32,11 +39,11 @@ Last-Update: 2013-09-06
// printf("msg received = %s\n", buf);
save_len += result;
-@@ -142,6 +147,7 @@
+@@ -142,6 +150,7 @@
// we found an end of line
// copy to external buffer
-+ result = result < length ? result : length; //prevent buffer overflow
++ result = result < (length - 1) ? result : (length - 1); //prevent buffer overflow
strncpy( buf, save_buf, result );
buf[result] = '\0';
// cout << "sg_socket line = " << buf << endl;
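Review bot: The clamp in readline() overwrites result itself, so any use of result after buf[result] = '\0' (not shown in this hunk) sees the truncated length rather than the length of the line found in save_buf. If the following code uses result to drop the consumed line from save_buf, the tail of an over-long line would stay in save_buf and come back as the start of the next line. A separate variable for the copy length, e.g. "int copy_len = result < (length - 1) ? result : (length - 1);", keeps the two apart. The off-by-one correction itself is right: with the old bound of length, buf[result] = '\0' could write at buf[length].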
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/simgear.git