Bug 6423

Summary: flightgear/simgear new security issues CVE-2012-2090 and CVE-2012-2091
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: fundawang, lists.jjorge, olivier.delaune, qa-bugs, stormi-mageia, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/501450/
Whiteboard: MGA1TOO has_procedure MGA2-64-OK MGA1-64-OK MGA1-32-OK MGA2-32-OK
Source RPM: flightgear-2.0.0-4.1.mga1.src.rpm, simgear-2.0.0-3.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-06-11 21:24:22 CEST 
Fedora has issued advisories on May 31:
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082001.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082002.html

Those advisories are for Fedora 17, and affect the same versions of flightgear and simgear that we have in Mageia 2 and Cauldron.

This issue also affects Mageia 1, and the advisories for Fedora 15 have the same versions as we have in Mageia 1:
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082016.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082017.html
David Walser 2012-06-15 00:01:19 CEST

Whiteboard: (none) => MGA1TOO

David Walser 2012-06-15 00:04:04 CEST

CC: (none) => lists.jjorge

David Walser 2012-06-15 00:04:15 CEST

CC: (none) => fundawang

David Walser 2012-06-16 15:26:40 CEST

Assignee: bugsquad => lists.jjorge

Comment 1 José Jorge 2012-06-19 22:08:26 CEST 
For Mageia 2 : simgear-2.6.0-1.1.mga2 and flightgear-2.6.0-2.1.mga2 submitted, please test.

Status: NEW => ASSIGNED
Assignee: lists.jjorge => qa-bugs

Comment 2 José Jorge 2012-06-19 22:26:40 CEST 
For Mageia 1 : simgear-2.0.0-3.1.mga1 and flightgear-2.0.0-4.2.mga1 submitted, please test.

The patches were also applied to Cauldron.
Comment 3 David Walser 2012-06-19 23:01:30 CEST 
The flightgear build for Cauldron failed.

Version: 2 => Cauldron
Whiteboard: MGA1TOO => MGA2TOO, MGA1TOO

Comment 4 David Walser 2012-06-19 23:03:00 CEST 
(In reply to comment #3)
> The flightgear build for Cauldron failed.

CMake Error at /usr/share/cmake/Modules/FindPackageHandleStandardArgs.cmake:97 (MESSAGE):
  Could NOT find GLUT (missing: GLUT_glut_LIBRARY GLUT_INCLUDE_DIR)
Call Stack (most recent call first):
  /usr/share/cmake/Modules/FindPackageHandleStandardArgs.cmake:288 (_FPHSA_FAILURE_MESSAGE)
  /usr/share/cmake/Modules/FindGLUT.cmake:68 (FIND_PACKAGE_HANDLE_STANDARD_ARGS)
  utils/fgpanel/CMakeLists.txt:4 (find_package)

Early in the "cmake" process, it looks like it can't find GLUT.

Missing BuildRequires?
Comment 5 David Walser 2012-06-19 23:06:16 CEST 
Packages uploaded to updates_testing:
flightgear-2.0.0-4.2.mga1
libsimgear2.0.0-2.0.0-3.1.mga1
libsimgear-devel-2.0.0-3.1.mga1
flightgear-2.6.0-2.1.mga2
simgear-devel-2.6.0-1.1.mga2.i586.rpm

from SRPMS:
flightgear-2.0.0-4.2.mga1
simgear-2.0.0-3.1.mga1
flightgear-2.6.0-2.1.mga2
simgear-2.6.0-1.1.mga2

Seems strange that simgear isn't libified in mga2...
Comment 6 David Walser 2012-06-19 23:07:10 CEST 
Assigning back to José until flightear in Cauldron is fixed.

CC: (none) => qa-bugs
Assignee: qa-bugs => lists.jjorge

Comment 7 José Jorge 2012-06-20 09:17:22 CEST 
Cauldron is fixed, please test 1 and 2 updates.

Assignee: lists.jjorge => qa-bugs

Comment 8 claire robinson 2012-06-20 10:14:22 CEST 
José could you please supply an advisory.

https://wiki.mageia.org/en/Example_update_advisory_announcement

Thankyou.
claire robinson 2012-06-20 10:14:56 CEST

Hardware: i586 => All
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 9 David Walser 2012-06-20 13:10:01 CEST 
Thanks José.  I had signed it back to you since we can't leave Cauldron hanging.

Advisory:
========================

Updated flightgear and simgear packages fix security vulnerability:

Multiple buffer overflows in FlightGear 2.6 and earlier and SimGear
2.6 and earlier allow user-assisted remote attackers to cause a
denial of service (crash) and possibly execute arbitrary code via a
(1) long string in a rotor tag of an aircraft xml model to the
Rotor::getValueforFGSet function in src/FDM/YASim/Rotor.cpp or
(2) a crafted UDP packet to the SGSocketUDP::read function in
simgear/simgear/simgear/io/sg_socket_udp.cxx (CVE-2012-2091).

Multiple format string vulnerabilities in FlightGear 2.6 and earlier
and SimGear 2.6 and earlier allow user-assisted remote attackers to
cause a denial of service and possibly execute arbitrary code via
format string specifiers in certain data chunk values in an aircraft
xml model to (1) fgfs/flightgear/src/Cockpit/panel.cxx or
(2) fgfs/flightgear/src/Network/generic.cxx, or (3) a scene graph
model to simgear/simgear/scene/model/SGText.cxx (CVE-2012-2090).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2090
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2091
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082001.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082002.html
========================

Updated packages in core/updates_testing:
========================
flightgear-2.0.0-4.2.mga1
libsimgear2.0.0-2.0.0-3.1.mga1
libsimgear-devel-2.0.0-3.1.mga1
flightgear-2.6.0-2.1.mga2
simgear-devel-2.6.0-1.1.mga2.i586.rpm

from SRPMS:
flightgear-2.0.0-4.2.mga1.src.rpm
simgear-2.0.0-3.1.mga1.src.rpm
flightgear-2.6.0-2.1.mga2.src.rpm
simgear-2.6.0-1.1.mga2.src.rpm
Manuel Hiebel 2012-06-20 22:58:14 CEST

Source RPM: flightgear-2.6.0-2.mga2.src.rpm, simgear-2.6.0-1.mga2.src.rpm, flightgear-2.0.0-4.1.mga1.src.rpm, simgear-2.0.0-3.mga1.src.rpm => flightgear-2.0.0-4.1.mga1.src.rpm, simgear-2.0.0-3.mga1.src.rpm

Comment 10 Olivier Delaune 2012-06-29 09:08:58 CEST 
Testing on Mageia 2 64-bits and it seems to work fine. I do not know how to "play" so I do not have test a long time but the software runs correctly and I can do something with the different menus.

CC: (none) => olivier.delaune

Samuel Verschelde 2012-07-08 14:27:04 CEST

CC: (none) => stormi
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK

Comment 11 Samuel Verschelde 2012-07-08 14:40:35 CEST 
Testing Mageia 1 64 bits ok.

Whiteboard: MGA1TOO MGA2-64-OK => MGA1TOO MGA2-64-OK MGA1-64-OK

Comment 12 Samuel Verschelde 2012-07-21 21:34:15 CEST 
No regression found in Mageia 1 32 bits, but each version of flightgear I tested (release, updates and updates_testing), after playing a bit, displays lots of errors in console, has problems with the plane's position, or simply crashes (try to select another airport for example, or to set a specific position, often causes it to crash).

Independently from this very bug report, for which I see no problem for validation (no regression found), wouldn't there be less bugged versions out there that we could provide instead of that 2.0.0 which, if that's not due to packaging errors, seems buggy?

Whiteboard: MGA1TOO MGA2-64-OK MGA1-64-OK => MGA1TOO MGA2-64-OK MGA1-64-OK MGA1-32-OK

Comment 13 Samuel Verschelde 2012-07-31 12:55:28 CEST 
Still needs testing Mageia 2 32 bits, and in parallel I'm still interested in an answer to comment #12 :)

Testing procedure:
- after installing simgear and flightgear from updates testing, just start the game from the menu. Try to play with it a bit if you like, but having it start should be enough for this update candidate.

Whiteboard: MGA1TOO MGA2-64-OK MGA1-64-OK MGA1-32-OK => MGA1TOO has_procedure MGA2-64-OK MGA1-64-OK MGA1-32-OK

Comment 14 claire robinson 2012-07-31 15:13:23 CEST 
Testing mga2 32

I'll only be able to start it (hopefully), that computer won't run the game.
Comment 15 claire robinson 2012-07-31 16:58:17 CEST 
It might be my old computer is the problem, it has needed to use vesa driver since it was upgraded to mga2 and is not running well but the release version doesn't start for me, after about 5 mins of trying..

Before
------
$ fgfs
KI266 dme indicator #0 initialized
loading scenario 'nimitz_demo'
Cannot connect to server socket err = No such file or directory
Cannot connect to server socket
jack server is not running or cannot be started
PNG lib warning : Malformed iTXt chunk
creating 3D noise texture... DONE
PNG lib warning : Interlace handling should be turned on when using png_read_image
PNG lib warning : Interlace handling should be turned on when using png_read_image
weather util initialized ...
Initializing Nasal Electrical System
power up
Segmentation fault

After
-----
$ fgfs
KI266 dme indicator #0 initialized
loading scenario 'nimitz_demo'
Cannot connect to server socket err = No such file or directory
Cannot connect to server socket
jack server is not running or cannot be started
PNG lib warning : Malformed iTXt chunk
creating 3D noise texture... DONE
PNG lib warning : Interlace handling should be turned on when using png_read_image
PNG lib warning : Interlace handling should be turned on when using png_read_image
weather util initialized ...
Initializing Nasal Electrical System
power up


No regressions noticed but no real testing done either, it is unbearably slow.

It might be better if somebody else was able to test i586 Mageia 2
Comment 16 Samuel Verschelde 2012-07-31 20:22:31 CEST 
Testing complete Mageia 2 32. Just started the game and pushed a few buttons.

Update validated. No linking required. Thanks!

See comment #9 for advisory and packages.

José, I let you see in the comments if our findings deserve a bug report and/or a new update to address them (after we push this one)

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure MGA2-64-OK MGA1-64-OK MGA1-32-OK => MGA1TOO has_procedure MGA2-64-OK MGA1-64-OK MGA1-32-OK MGA2-32-OK

Comment 17 Thomas Backlund 2012-08-02 21:59:10 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0191

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED