A potential out-of-bounds stack-based buffer write flaw was reported:

[1] http://sourceforge.net/mailarchive/message.php?msg_id=29011989

in the way FlightGear, the flight simulator, retrieved the rotor name for certain rotor models. A remote attacker could provide a specially-crafted rotor model XML data file, which once opened by a local, unsuspecting user in FlightGear would lead to an 'fgfs' executable crash.

CVE Request:
[2] http://www.openwall.com/lists/oss-security/2012/04/10/9

CVE Assignment:
[3] http://www.openwall.com/lists/oss-security/2012/04/10/13

Upstream patch: None as of right now.

Note: Report [1] mentions the possibility of a stack buffer overflow also in SimGear's simgear/simgear/simgear/io/sg_socket_udp.cxx:

    line 101  int SGSocketUDP::read( char *buf, int length ) {
    . . .
    line 108      if ( (result = sock.recv(buf, SG_IO_MAX_MSG_SIZE, 0)) >= 0 ) {

routine. Though I am not sure how that one could be exploited remotely by the attacker, so I didn't include that use case here.
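The SimGear read pattern quoted in the note above, as an added illustration that is not code from the bug report or from SimGear: the reported form ignores the caller's `length` and hands the fixed maximum to recv, beside a bounded form that clamps to the smaller of the two. `FakeSocket`, `kMaxMsgSize` and its value are stand-ins assumed here; nothing about SGSocketUDP's real internals is implied.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <vector>

// Assumed stand-in for SG_IO_MAX_MSG_SIZE; the value is an assumption.
constexpr int kMaxMsgSize = 16384;

// Constructed datagram source standing in for sock.recv(): copies up to
// `max` bytes of the pending datagram into `buf` and returns the count.
struct FakeSocket {
    std::vector<char> pending;
    int recv(char* buf, int max) const {
        int n = std::min<int>(max, static_cast<int>(pending.size()));
        std::memcpy(buf, pending.data(), static_cast<size_t>(n));
        return n;
    }
};

// Mirrors the reported pattern: `length` is ignored and the protocol maximum
// is passed to recv, so a datagram longer than the caller's buffer overruns
// it. Returns the byte count recv wrote; a caller must size `buf` to at
// least kMaxMsgSize for this to be memory-safe, which is the hidden contract.
int read_unbounded(const FakeSocket& sock, char* buf, int length) {
    (void)length;  // the bug: the caller's bound is never used
    return sock.recv(buf, kMaxMsgSize);
}

// Hardened form: never write more than the caller's buffer can hold,
// and reject a non-positive length outright.
int read_bounded(const FakeSocket& sock, char* buf, int length) {
    if (length <= 0) return -1;
    return sock.recv(buf, std::min(length, kMaxMsgSize));
}

// Pure check used to reason about the flaw without overrunning memory:
// would the unbounded read write past a caller buffer of `length` bytes?
bool unbounded_read_overflows(int length, int datagram_len) {
    return std::min(datagram_len, kMaxMsgSize) > length;
}
```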
Created FlightGear tracking bugs for this issue.

Affects: fedora-all [bug 811634]
FlightGear-2.4.0-2.fc16, SimGear-2.4.0-4.fc16 have been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
FlightGear-2.6.0-2.fc17, SimGear-2.6.0-2.fc17 have been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
FlightGear-2.0.0-6.fc15, SimGear-2.0.0-6.fc15 have been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.