Bug 6423 - flightgear/simgear new security issues CVE-2012-2090 and CVE-2012-2091
: flightgear/simgear new security issues CVE-2012-2090 and CVE-2012-2091
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/501450/
: MGA1TOO has_procedure MGA2-64-OK MGA1...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-06-11 21:24 CEST by David Walser
Modified: 2012-08-02 21:59 CEST (History)
7 users (show)

See Also:
Source RPM: flightgear-2.0.0-4.1.mga1.src.rpm, simgear-2.0.0-3.mga1.src.rpm
CVE:


Attachments

Description David Walser 2012-06-11 21:24:22 CEST
Fedora has issued advisories on May 31:
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082001.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082002.html

Those advisories are for Fedora 17, and affect the same versions of flightgear and simgear that we have in Mageia 2 and Cauldron.

This issue also affects Mageia 1, and the advisories for Fedora 15 have the same versions as we have in Mageia 1:
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082016.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082017.html
Comment 1 José Jorge 2012-06-19 22:08:26 CEST
For Mageia 2 : simgear-2.6.0-1.1.mga2 and flightgear-2.6.0-2.1.mga2 submitted, please test.
Comment 2 José Jorge 2012-06-19 22:26:40 CEST
For Mageia 1 : simgear-2.0.0-3.1.mga1 and flightgear-2.0.0-4.2.mga1 submitted, please test.

The patches were also applied to Cauldron.
Comment 3 David Walser 2012-06-19 23:01:30 CEST
The flightgear build for Cauldron failed.
Comment 4 David Walser 2012-06-19 23:03:00 CEST
(In reply to comment #3)
> The flightgear build for Cauldron failed.

CMake Error at /usr/share/cmake/Modules/FindPackageHandleStandardArgs.cmake:97 (MESSAGE):
  Could NOT find GLUT (missing: GLUT_glut_LIBRARY GLUT_INCLUDE_DIR)
Call Stack (most recent call first):
  /usr/share/cmake/Modules/FindPackageHandleStandardArgs.cmake:288 (_FPHSA_FAILURE_MESSAGE)
  /usr/share/cmake/Modules/FindGLUT.cmake:68 (FIND_PACKAGE_HANDLE_STANDARD_ARGS)
  utils/fgpanel/CMakeLists.txt:4 (find_package)

Early in the "cmake" process, it looks like it can't find GLUT.

Missing BuildRequires?
Comment 5 David Walser 2012-06-19 23:06:16 CEST
Packages uploaded to updates_testing:
flightgear-2.0.0-4.2.mga1
libsimgear2.0.0-2.0.0-3.1.mga1
libsimgear-devel-2.0.0-3.1.mga1
flightgear-2.6.0-2.1.mga2
simgear-devel-2.6.0-1.1.mga2.i586.rpm

from SRPMS:
flightgear-2.0.0-4.2.mga1
simgear-2.0.0-3.1.mga1
flightgear-2.6.0-2.1.mga2
simgear-2.6.0-1.1.mga2

Seems strange that simgear isn't libified in mga2...
Comment 6 David Walser 2012-06-19 23:07:10 CEST
Assigning back to José until flightear in Cauldron is fixed.
Comment 7 José Jorge 2012-06-20 09:17:22 CEST
Cauldron is fixed, please test 1 and 2 updates.
Comment 8 claire robinson 2012-06-20 10:14:22 CEST
José could you please supply an advisory.

https://wiki.mageia.org/en/Example_update_advisory_announcement

Thankyou.
Comment 9 David Walser 2012-06-20 13:10:01 CEST
Thanks José.  I had signed it back to you since we can't leave Cauldron hanging.

Advisory:
========================

Updated flightgear and simgear packages fix security vulnerability:

Multiple buffer overflows in FlightGear 2.6 and earlier and SimGear
2.6 and earlier allow user-assisted remote attackers to cause a
denial of service (crash) and possibly execute arbitrary code via a
(1) long string in a rotor tag of an aircraft xml model to the
Rotor::getValueforFGSet function in src/FDM/YASim/Rotor.cpp or
(2) a crafted UDP packet to the SGSocketUDP::read function in
simgear/simgear/simgear/io/sg_socket_udp.cxx (CVE-2012-2091).

Multiple format string vulnerabilities in FlightGear 2.6 and earlier
and SimGear 2.6 and earlier allow user-assisted remote attackers to
cause a denial of service and possibly execute arbitrary code via
format string specifiers in certain data chunk values in an aircraft
xml model to (1) fgfs/flightgear/src/Cockpit/panel.cxx or
(2) fgfs/flightgear/src/Network/generic.cxx, or (3) a scene graph
model to simgear/simgear/scene/model/SGText.cxx (CVE-2012-2090).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2090
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2091
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082001.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082002.html
========================

Updated packages in core/updates_testing:
========================
flightgear-2.0.0-4.2.mga1
libsimgear2.0.0-2.0.0-3.1.mga1
libsimgear-devel-2.0.0-3.1.mga1
flightgear-2.6.0-2.1.mga2
simgear-devel-2.6.0-1.1.mga2.i586.rpm

from SRPMS:
flightgear-2.0.0-4.2.mga1.src.rpm
simgear-2.0.0-3.1.mga1.src.rpm
flightgear-2.6.0-2.1.mga2.src.rpm
simgear-2.6.0-1.1.mga2.src.rpm
Comment 10 Olivier Delaune 2012-06-29 09:08:58 CEST
Testing on Mageia 2 64-bits and it seems to work fine. I do not know how to "play" so I do not have test a long time but the software runs correctly and I can do something with the different menus.
Comment 11 Samuel Verschelde 2012-07-08 14:40:35 CEST
Testing Mageia 1 64 bits ok.
Comment 12 Samuel Verschelde 2012-07-21 21:34:15 CEST
No regression found in Mageia 1 32 bits, but each version of flightgear I tested (release, updates and updates_testing), after playing a bit, displays lots of errors in console, has problems with the plane's position, or simply crashes (try to select another airport for example, or to set a specific position, often causes it to crash).

Independently from this very bug report, for which I see no problem for validation (no regression found), wouldn't there be less bugged versions out there that we could provide instead of that 2.0.0 which, if that's not due to packaging errors, seems buggy?
Comment 13 Samuel Verschelde 2012-07-31 12:55:28 CEST
Still needs testing Mageia 2 32 bits, and in parallel I'm still interested in an answer to comment #12 :)

Testing procedure:
- after installing simgear and flightgear from updates testing, just start the game from the menu. Try to play with it a bit if you like, but having it start should be enough for this update candidate.
Comment 14 claire robinson 2012-07-31 15:13:23 CEST
Testing mga2 32

I'll only be able to start it (hopefully), that computer won't run the game.
Comment 15 claire robinson 2012-07-31 16:58:17 CEST
It might be my old computer is the problem, it has needed to use vesa driver since it was upgraded to mga2 and is not running well but the release version doesn't start for me, after about 5 mins of trying..

Before
------
$ fgfs
KI266 dme indicator #0 initialized
loading scenario 'nimitz_demo'
Cannot connect to server socket err = No such file or directory
Cannot connect to server socket
jack server is not running or cannot be started
PNG lib warning : Malformed iTXt chunk
creating 3D noise texture... DONE
PNG lib warning : Interlace handling should be turned on when using png_read_image
PNG lib warning : Interlace handling should be turned on when using png_read_image
weather util initialized ...
Initializing Nasal Electrical System
power up
Segmentation fault

After
-----
$ fgfs
KI266 dme indicator #0 initialized
loading scenario 'nimitz_demo'
Cannot connect to server socket err = No such file or directory
Cannot connect to server socket
jack server is not running or cannot be started
PNG lib warning : Malformed iTXt chunk
creating 3D noise texture... DONE
PNG lib warning : Interlace handling should be turned on when using png_read_image
PNG lib warning : Interlace handling should be turned on when using png_read_image
weather util initialized ...
Initializing Nasal Electrical System
power up


No regressions noticed but no real testing done either, it is unbearably slow.

It might be better if somebody else was able to test i586 Mageia 2
Comment 16 Samuel Verschelde 2012-07-31 20:22:31 CEST
Testing complete Mageia 2 32. Just started the game and pushed a few buttons.

Update validated. No linking required. Thanks!

See comment #9 for advisory and packages.

José, I let you see in the comments if our findings deserve a bug report and/or a new update to address them (after we push this one)
Comment 17 Thomas Backlund 2012-08-02 21:59:10 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0191

Note You need to log in before you can comment on or make changes to this bug.