Bug 10351 - flightgear new format string vulnerability
Summary: flightgear new format string vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/552175/
Whiteboard: MGA2TOO mga3-32-ok MGA3-64-OK MGA2-64...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-05-29 22:57 CEST by David Walser
Modified: 2014-05-08 18:05 CEST (History)
CC: 3 users

See Also:
Source RPM: flightgear-2.10.0-1.mga3.src.rpm
CVE:
Status comment:



Description David Walser 2013-05-29 22:57:05 CEST
Fedora has issued an advisory on May 21:
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106922.html

Mageia 2 and 3 are affected.  Patches can be found in Fedora GIT.

David Walser 2013-05-29 22:57:12 CEST

Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 José Jorge 2013-06-02 22:05:37 CEST
I have uploaded a patched/updated package for Mageia 2 and 3.

As the patch is simply copied from Fedora, and I have found no exploit for it, I suggest only ensuring that FlightGear still works by launching it with fgfs.
Be careful, as it needs at least 2 GB of RAM and a good 3D video card.


Suggested advisory:
========================

Updated flightgear packages fix security vulnerabilities:

It was reported [1] that FlightGear suffers from improper handling of format strings when FlightGear is started with allowances for remote access (via the --props or --telnet command-line arguments).  If a remote attacker were able to connect to FlightGear and set special parameters related to clouds, it could cause FlightGear to crash.

References:
http://lwn.net/Vulnerabilities/552175/
http://pkgs.fedoraproject.org/cgit/FlightGear.git/commit/?id=0c3bbb0f10bb7f313d3ae627b6fbcccfbbc224c3
========================

Updated packages in core/updates_testing:
========================
MGA3 flightgear-2.10.0-1.1.mga3
MGA2 flightgear-2.6.0-2.3.mga2

Source RPMs: 
MGA3 flightgear-2.10.0-1.1.mga3
MGA2 flightgear-2.6.0-2.3.mga2

Status: NEW => ASSIGNED

José Jorge 2013-06-02 22:08:15 CEST

Assignee: lists.jjorge => qa-bugs

Comment 2 David Walser 2013-06-02 22:12:58 CEST
Thanks José!

The FlightGear blog post has an exploit.  Just tweaking the advisory a bit (removing [1], adding line endings, and fixing references).

Suggested advisory:
========================

Updated flightgear package fixes security vulnerability:

It was reported that FlightGear suffers from improper handling of format
strings when FlightGear is started with allowances for remote access (via
the --props or --telnet command-line arguments).  If a remote attacker were
able to connect to FlightGear and set special parameters related to clouds,
it could cause FlightGear to crash.

References:
http://kuronosec.blogspot.ca/2013/04/flightgear-remote-format-string.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106922.html
========================

Updated packages in core/updates_testing:
========================
MGA3 flightgear-2.10.0-1.1.mga3
MGA2 flightgear-2.6.0-2.3.mga2

Source RPMs: 
MGA3 flightgear-2.10.0-1.1.mga3
MGA2 flightgear-2.6.0-2.3.mga2

Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

David Walser 2013-06-02 22:13:40 CEST

CC: (none) => lists.jjorge

Comment 3 claire robinson 2013-06-03 14:57:51 CEST
Sorry, the following package cannot be selected:

- flightgear-2.10.0-1.1.mga3.x86_64 (due to unsatisfied flightgear-base[== 2.10.0-1.1.mga3])


$ rpm -qa | grep flightgear
flightgear-2.10.0-1.mga3
flightgear-data-2.10.0-1.mga3
Comment 4 David Walser 2013-06-03 15:03:58 CEST
Indeed, line 27 in this change is incorrect:
http://svnweb.mageia.org/packages/cauldron/flightgear/current/SPECS/flightgear.spec?r1=389214&r2=399096

You can't require %{version}-%{release} if it's coming from a different SRPM (flightgear-base is provided by flightgear-data).  You should just require %{version} at most.

Is there a specific reason it's using flightgear-base instead of flightgear-data for the require?  That just seems pointless and confusing.
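Why the pinned Requires in comment 4 fails: rpm compares the release only when the Requires carries one, so "= %{version}" matches any build of that version while "= %{version}-%{release}" also pins the provider's release, which only lines up when both packages come from one SRPM. The following is an added illustration written for this page, not code from rpm, FlightGear or Mageia; vercmp is a simplified re-implementation of rpm's version comparison (no tilde/caret handling), and it assumes that flightgear-data 2.10.0-1.mga3 provides flightgear-base = 2.10.0-1.mga3.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified rpmvercmp: compare a segment at a time; digit runs compare
 * numerically, letter runs lexically; digits beat letters; longer wins a tie. */
static int vercmp(const char *a, const char *b) {
    while (*a || *b) {
        while (*a && !isalnum((unsigned char)*a)) a++;   /* skip separators */
        while (*b && !isalnum((unsigned char)*b)) b++;
        if (!*a || !*b) return (*a != 0) - (*b != 0);
        int anum = isdigit((unsigned char)*a) != 0;
        if (anum != (isdigit((unsigned char)*b) != 0)) return anum ? 1 : -1;
        const char *as = a, *bs = b;
        if (anum) {
            while (isdigit((unsigned char)*a)) a++;
            while (isdigit((unsigned char)*b)) b++;
            while (*as == '0' && as + 1 < a) as++;       /* drop leading zeros */
            while (*bs == '0' && bs + 1 < b) bs++;
            if ((a - as) != (b - bs)) return (a - as) > (b - bs) ? 1 : -1;
        } else {
            while (isalpha((unsigned char)*a)) a++;
            while (isalpha((unsigned char)*b)) b++;
        }
        size_t al = (size_t)(a - as), bl = (size_t)(b - bs);
        int r = strncmp(as, bs, al < bl ? al : bl);
        if (r) return r < 0 ? -1 : 1;
        if (al != bl) return al > bl ? 1 : -1;
    }
    return 0;
}

/* Does "Provides: name = prov_ver-prov_rel" satisfy "Requires: name = req_ver[-req_rel]"?
 * The release is compared only when the Requires actually carries one, so
 * "= %{version}" is release-agnostic while "= %{version}-%{release}" pins it. */
static int satisfies(const char *prov_ver, const char *prov_rel,
                     const char *req_ver, const char *req_rel) {
    if (vercmp(prov_ver, req_ver) != 0) return 0;
    if (req_rel == NULL || *req_rel == '\0') return 1;
    return vercmp(prov_rel, req_rel) == 0;
}

int main(void) {
    /* Constructed from the thread: flightgear-data 2.10.0-1.mga3 is assumed to
     * provide flightgear-base = 2.10.0-1.mga3; flightgear is 2.10.0-1.1.mga3. */
    const char *pv = "2.10.0", *pr = "1.mga3";
    printf("= 2.10.0-1.1.mga3 -> %s\n", satisfies(pv, pr, "2.10.0", "1.1.mga3") ? "ok" : "unsatisfied");
    printf("= 2.10.0          -> %s\n", satisfies(pv, pr, "2.10.0", NULL) ? "ok" : "unsatisfied");
    return 0;
}
```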
Comment 5 claire robinson 2013-06-03 15:09:51 CEST
Looking at the svnweb link, it seems it also changes the rpm group to Games/Other from Games/Simulation.
Comment 6 José Jorge 2013-06-03 17:21:01 CEST
(In reply to claire robinson from comment #5)
> Looking at the svnweb link, it seems it also changes the rpm group to
> Games/Other from Games/Simulation

Oh yes, this category did not exist in our rpm groups policy at the time. I have brought it back. So this is now subrel 3; 1 and 2 are to be removed.

flightgear-2.10.0-1.3.mga3
Comment 7 David Walser 2013-06-03 17:55:54 CEST
Thanks José.  Updating the subrel in the packages.

Suggested advisory:
========================

Updated flightgear package fixes security vulnerability:

It was reported that FlightGear suffers from improper handling of format
strings when FlightGear is started with allowances for remote access (via
the --props or --telnet command-line arguments).  If a remote attacker were
able to connect to FlightGear and set special parameters related to clouds,
it could cause FlightGear to crash.

References:
http://kuronosec.blogspot.ca/2013/04/flightgear-remote-format-string.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106922.html
========================

Updated packages in core/updates_testing:
========================
MGA3 flightgear-2.10.0-1.3.mga3
MGA2 flightgear-2.6.0-2.3.mga2

Source RPMs: 
MGA3 flightgear-2.10.0-1.3.mga3
MGA2 flightgear-2.6.0-2.3.mga2
Comment 8 claire robinson 2013-06-03 19:20:41 CEST
Testing completed mga3 32

Just followed the in-game tutorial a bit.

Whiteboard: MGA2TOO => MGA2TOO mga3-32-ok

Comment 9 Dave Hodgins 2013-06-03 21:34:01 CEST
Testing complete Mageia 3 x86_64, Mageia 2 i586 and x86_64.

Could someone from the sysadmin team push the srpm
flightgear-2.10.0-1.3.mga3
from Mageia 3 Core Updates Testing to Core Updates and the srpm
flightgear-2.6.0-2.3.mga2
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated flightgear package fixes security vulnerability:

It was reported that FlightGear suffers from improper handling of format
strings when FlightGear is started with allowances for remote access (via
the --props or --telnet command-line arguments).  If a remote attacker were
able to connect to FlightGear and set special parameters related to clouds,
it could cause FlightGear to crash.

References:
http://kuronosec.blogspot.ca/2013/04/flightgear-remote-format-string.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106922.html

https://bugs.mageia.org/show_bug.cgi?id=10351

Keywords: (none) => validated_update
Whiteboard: MGA2TOO mga3-32-ok => MGA2TOO mga3-32-ok MGA3-64-OK MGA2-64-OK MGA2-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
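The bug class behind the advisory text in comments 1, 2, 7 and 9 (a property value received over the remote --props/--telnet channel ending up as a printf-style format string), shown as an added illustration rather than FlightGear's own code: render_vulnerable, render_hardened and has_format_directive are hypothetical names, and the "cloud layer" message is a stand-in for whatever FlightGear actually formats.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical handler modelled on the advisory: a value received over the
 * remote property channel is rendered into a status message. */

#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
/* Vulnerable form: the network-supplied value IS the format string, so every
 * '%' directive in it is interpreted by snprintf.  gcc/clang flag this line
 * with -Wformat-security; the pragma silences that only for the demo. */
static const char *render_vulnerable(const char *value) {
    static char out[128];
    snprintf(out, sizeof out, value);
    return out;
}
#pragma GCC diagnostic pop

/* Hardened form: a literal format string; the value is only ever an argument,
 * so "%s" or "%n" inside it is copied as plain text. */
static const char *render_hardened(const char *value) {
    static char out[128];
    snprintf(out, sizeof out, "cloud layer: %s", value);
    return out;
}

/* Boundary check: does a property value carry a conversion directive at all?
 * "%%" is a literal percent and is not counted.  Worth logging as a signal on
 * a remotely reachable property tree even after the sink itself is fixed. */
static int has_format_directive(const char *value) {
    for (const char *p = strchr(value, '%'); p; p = strchr(p + 2, '%')) {
        if (p[1] != '%') return 1;       /* anything but "%%" is a directive */
    }
    return 0;
}

int main(void) {
    const char *benign = "cumulus", *hostile = "cloud-%s-%n";   /* constructed values */
    printf("hardened:   %s (directive=%d)\n", render_hardened(hostile),
           has_format_directive(hostile));
    /* The vulnerable path is only exercised with the benign value. */
    printf("vulnerable: %s (directive=%d)\n", render_vulnerable(benign),
           has_format_directive(benign));
    return 0;
}
```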

Comment 10 Nicolas Vigier 2013-06-06 21:44:03 CEST
Packages have been pushed to updates.

Status: ASSIGNED => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:05:23 CEST

CC: boklm => (none)

