Re: Flightgear remote format string

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/30/2013 10:11 AM, Andrés Gómez Ramírez wrote:
> Hi,
>
> Introduction:
>
> FlightGear is an open-source flight simulator.  It supports a
> variety of popular platforms (Windows, Mac, Linux, etc.) and is
> developed by skilled volunteers from around the world.  Source code
> for the entire project is available and licensed under the GNU
> General Public License.
>
> Bug:
>
> Flightgear allows remote control through Property tree.  It is
> vulnerable to remote format string vulnerability when some special
> parameters related with clouds are changed.  This could allow to
> crash the application or potentially execute arbitrary code under
> certain conditions.
>
> Fix:
>
> No fix.
>
> References:
>
> http://kuronosec.blogspot.com/2013/04/flightgear-remote-format-string.html

What
>
is the default setting for flight tree? does it listen t the
network public interface, localhost, is it disabled by default, or?
Thanks.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRf/HBAAoJEBYNRVNeJnmT2esP/3B/cfmFPdzhv9Zv7jpRSPTN
bW5ZvtrgEsWo5wmDewelvAnoaeOg1V/n5vb7rk1/j7AG02NhuNpdHIID6t7sr0lE
glNhOUM/b0GmtEPsHUBAHTODsRXUt4vFO1QXfOTHF3tgkY2JYx1zTiBI3jdIioV6
icpaaL2TluIBem/YbYvzxYAnnhdAKmZdu5+OKPuiQ0vguNoOZgOUAEte39ZrzBv0
xSf6lfDGOmO/5n/gOTZ0o6hbJMKTcmGPVze4i3choGfjo+cH7LpWSjHP4zAe5amJ
iByH3BLKe0DQSGnhhEx/Rz6vL/kjqKuRHQ+Qj09SQiMKMGSyBnKp6VUzI7cbknyE
XBU/Z4onTQNMjadyXTWRTs2aOvsI3jo6um2vbWq7PBAglBsoUdzM+ocTeUd5uhgf
Q0a9rlUkq2/iRMtqwfh+cSnXOWk6YB83l2oDMVllHRlW5NfPXSdbTCHNLttep5sS
C5PFyXmc6SeUPDbz00hwjBV6qqAAoLvBgsJdMGbidT1PIh5rCbbVetmcIsrBjpuI
NqKU7YH0yz0iSHWN7TS6yEho6nyXFZNAMX2HE+I07RDNFnYDAZB2+UeDfvqdNIkL
xoR2/4QaRxoDDz/DclJ64ZGk7ttPLCztJIVd0XXe9qHQyKjzQEqvCERh2Wtsta4G
PsHQq+gYKaGmfVWkfq0Q
=BfNa
-----END PGP SIGNATURE-----