Gentoo Archives: gentoo-announce

From: Kristian Fiskerstrand <k_f@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201603-12 ] FlightGear, SimGear: Multiple vulnerabilities
Date: Sat, 12 Mar 2016 23:19:22
Message-Id: 56E4A256.7020002@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                          GLSA 201603-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: FlightGear, SimGear: Multiple vulnerabilities
     Date: March 12, 2016
     Bugs: #426502, #468106
       ID: 201603-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in FlightGear and SimGear
allowing remote attackers to cause Denial of Service and possibly
execute arbitrary code.

Background
==========

FlightGear is an open-source flight simulator. It supports a variety
of popular platforms (Windows, Mac, Linux, etc.) and is developed by
skilled volunteers from around the world. Source code for the entire
project is available and licensed under the GNU General Public License.

SimGear is a set of open-source libraries designed to be used as
building blocks for quickly assembling 3D simulations, games, and
visualization applications.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  games-simulation/flightgear
                                   < 3.4.0                    >= 3.4.0
  2  games-simulation/simgear      < 3.4.0                    >= 3.4.0
    -------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple format string vulnerabilities in FlightGear and SimGear allow
user-assisted remote attackers to cause a denial of service and
possibly execute arbitrary code via format string specifiers in certain
data chunk values in an aircraft XML model.

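
Added example (not part of the advisory and not the FlightGear or SimGear
fix): one way to guard against the bug class described above, where a
printf-style template is read from untrusted model XML, is to accept only
templates holding a single floating-point conversion. The function names
and the sample templates are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Accept a template only if it holds exactly one conversion that formats a
 * double: optional flags, literal width/precision of at most two digits,
 * then f/F/e/E/g/G. "%%" is a literal percent; anything else is rejected. */
int fmt_is_single_double(const char *fmt)
{
    int conversions = 0;
    size_t n;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                          /* literal percent sign */
        p += strspn(p, "-+ #0");               /* flags */
        if ((n = strspn(p, "0123456789")) > 2) /* width, never '*' */
            return 0;
        p += n;
        if (*p == '.') {
            p++;
            if ((n = strspn(p, "0123456789")) > 2)
                return 0;                      /* precision too long */
            p += n;
        }
        if (*p == '\0' || strchr("fFeEgG", *p) == NULL)
            return 0;                          /* %n, %s, %x, %lf, stray % */
        conversions++;
    }
    return conversions == 1;
}

/* Hypothetical helper: returns 1 if fmt was used, 0 if the fallback was. */
int format_model_value(char *out, size_t n, const char *fmt, double value)
{
    int ok = fmt_is_single_double(fmt);
    snprintf(out, n, ok ? fmt : "%.2f", value);
    return ok;
}

int main(void)
{
    /* Constructed sample templates, not taken from any real aircraft model. */
    const char *samples[] = { "%.1f kt", "%5.2f%%", "%s", "%f %f", "%n" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int ok = format_model_value(buf, sizeof buf, samples[i], 250.04);
        printf("%-8s -> %s (%s)\n", samples[i], buf, ok ? "used" : "fallback");
    }
}
```
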
Impact
======

Remote attackers could possibly execute arbitrary code or cause Denial
of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All FlightGear users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=games-simulation/flightgear-3.4.0"

All SimGear users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=games-simulation/simgear-3.4.0"

References
==========

[ 1 ] CVE-2012-2090
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2090
[ 2 ] CVE-2012-2091
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2091

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201603-12

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature