Date: Tue, 30 Apr 2013 10:30:57 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Andrés Gómez Ramírez <andresgomezram7@...il.com>, bugtraq@...urityfocus.com
Subject: Re: Flightgear remote format string

On 04/30/2013 10:11 AM, Andrés Gómez Ramírez wrote:
> Hi,
> 
> Introduction:
> 
> FlightGear is an open-source flight simulator.  It supports a
> variety of popular platforms (Windows, Mac, Linux, etc.) and is
> developed by skilled volunteers from around the world.  Source code
> for the entire project is available and licensed under the GNU
> General Public License.
> 
> Bug:
> 
> Flightgear allows remote control through Property tree.  It is
> vulnerable to a remote format string vulnerability when some special
> parameters related to clouds are changed.  This could allow crashing
> the application or potentially executing arbitrary code under
> certain conditions.
> 
> Fix:
> 
> No fix.
> 
> References:
> 
> http://kuronosec.blogspot.com/2013/04/flightgear-remote-format-string.html

What is the default setting for flight tree? Does it listen to the
network public interface, localhost, is it disabled by default, or?
Thanks.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993