Package: simgear Version: 2.10.0-1 Followup-For: Bug #669024 Please see the attached patch.
Scott K
diff -Nru simgear-2.10.0/debian/changelog simgear-2.10.0/debian/changelog
--- simgear-2.10.0/debian/changelog 2013-08-28 16:24:56.000000000 -0400
+++ simgear-2.10.0/debian/changelog 2013-09-06 18:03:13.000000000 -0400
@@ -1,3 +1,13 @@
+simgear (2.10.0-2) UNRELEASED; urgency=high
+
+ * SECURITY UPDATE:
+ * References
+ * CVE2012_2091
+ * Add debian/patches/simgear_CVE2012_2091.patch
+ - Thanks to Rebecca Palmer for the patch
+
+ -- Scott Kitterman <sc...@kitterman.com> Fri, 06 Sep 2013 18:02:22 -0400
+
 simgear (2.10.0-1) experimental; urgency=low

 * New upstream release. (Closes: #718380, #701357)
diff -Nru simgear-2.10.0/debian/patches/series simgear-2.10.0/debian/patches/series
--- simgear-2.10.0/debian/patches/series 2013-08-27 13:04:53.000000000 -0400
+++ simgear-2.10.0/debian/patches/series 2013-09-06 18:02:05.000000000 -0400
@@ -1,2 +1,3 @@
 gcc-macro-correction.diff
 osg-compat.diff
+simgear_CVE2012_2091.patch
diff -Nru simgear-2.10.0/debian/patches/simgear_CVE2012_2091.patch simgear-2.10.0/debian/patches/simgear_CVE2012_2091.patch
--- simgear-2.10.0/debian/patches/simgear_CVE2012_2091.patch 1969-12-31 19:00:00.000000000 -0500
+++ simgear-2.10.0/debian/patches/simgear_CVE2012_2091.patch 2013-09-06 18:01:42.000000000 -0400
@@ -0,0 +1,37 @@
+Patch from Rebecca Palmer
+https://bugs.launchpad.net/ubuntu/+source/flightgear/+bug/1077624/comments/72
+diff -up simgear-2.10.0/simgear/io/sg_socket_udp.cxx simgear-2.10.0/simgear/io/sg_socket_udp_fixed.cxx
+--- simgear-2.10.0/simgear/io/sg_socket_udp.cxx 2012-01-04 20:12:22.000000000 +0000
++++ simgear-2.10.0/simgear/io/sg_socket_udp_fixed.cxx 2013-09-06 20:39:24.005416164 +0100
+@@ -104,8 +104,12 @@ int SGSocketUDP::read( char *buf, int le
+ }
+
+ int result;
++ if (length < 0) {
++ length = 0;
++ }
++ int maxsize = length < SG_IO_MAX_MSG_SIZE ? length : SG_IO_MAX_MSG_SIZE;
+
+- if ( (result = sock.recv(buf, SG_IO_MAX_MSG_SIZE, 0)) >= 0 ) {
++ if ( (result = sock.recv(buf, maxsize, 0)) >= 0 ) {
+ buf[result] = '\0';
+ // printf("msg received = %s\n", buf);
+ }
+@@ -123,7 +127,8 @@ int SGSocketUDP::readline( char *buf, in
+ // cout << "sock = " << sock << endl;
+
+ char *buf_ptr = save_buf + save_len;
+- int result = sock.recv(buf_ptr, SG_IO_MAX_MSG_SIZE, 0);
++ int maxsize = save_len < SG_IO_MAX_MSG_SIZE ? SG_IO_MAX_MSG_SIZE : 2 * SG_IO_MAX_MSG_SIZE - save_len; //prevent buffer overflow (size of save_buf is 2 * SG_IO_MAX_MSG_SIZE)
++ int result = sock.recv(buf_ptr, maxsize, 0);
+ // printf("msg received = %s\n", buf);
+ save_len += result;
+
+@@ -142,6 +147,7 @@ int SGSocketUDP::readline( char *buf, in
+ // we found an end of line
+
+ // copy to external buffer
++ result = result < length ? result : length; //prevent buffer overflow
+ strncpy( buf, save_buf, result );
+ buf[result] = '\0';
+ // cout << "sg_socket line = " << buf << endl;
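Review bot: The new clamps in `SGSocketUDP::read` and in the last `readline` hunk allow `result` to equal `length`, so the unchanged `buf[result] = '\0';` that follows writes at index `length`, one byte past the end if callers pass the real size of `buf` (the callers are not visible here). Leaving room for the terminator closes that: `int maxsize = length - 1 < SG_IO_MAX_MSG_SIZE ? length - 1 : SG_IO_MAX_MSG_SIZE;` in `read`, with its guard returning early for `length <= 0`, and `result = result < length - 1 ? result : length - 1;` in `readline`. `readline` also gets no counterpart to the `length < 0` guard added in `read`, so a negative `length` would be passed on to `strncpy` as the copy size. In the second hunk `save_len += result;` still runs straight after `recv` with no check for a negative return between them. Both function bodies start and end outside the hunks shown.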