FFe: Update Flightgear to version 2.10.0

Status changed to 'Confirmed' because the bug affects multiple users.

I am on the same page: I love flightgear and would love to see it updated. Any news on the update date?

The only packager in Debian working on flightgear hasn't been active for a couple of months so the team would need reinforcements:

http://anonscm.debian.org/viewvc/pkg-fgfs/
http://qa.debian.org/developer.php?<email address hidden>
https://alioth.debian.org/projects/pkg-fgfs/ (joining here gives one the access to subversion)
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-fgfs-crew

Currently no 2.8.0 packaging seems to have been done, and the 2.6.0 has been removed from the next Debian release because an unfixed bug.

Syncs to raring universe can be made even at a relatively late time in the cycle if a newer package is packaged in Debian.

with version 2.8 the hardware rquirements have been vastly grown

Something like 1GB min graphics RAM , 4 GB RAM minimum . You can find this info in the projects wiki.

anyone wants to test it out can take a look at the mirrors of playdeb

Can you follow https://wiki.ubuntu.com/FreezeExceptionProcess to get a Feature Freeze exception for raring?

Will do.

Status changed to 'Confirmed' because the bug affects multiple users.

Subscribing ubuntu-release for feature freeze exception approval. Unsubscribing ubuntu-sponsors for now. Please re-subscribe ubuntu-sponsors if this is approved for upload.

What testing has been done on the new packages?

On Raring, none at the moment by me; I'm preparing the fgfs-base package, after which I'll do testing.

On Quantal, I can confirm it works properly and am expecting the same for Raring.

(Since I can only attach one file at a time, there will be multiple comments with files).

Attached is the Simgear build log using pbuilder raring. and the bazaar tree.

Attached is the Simgear changelog between 2.6.0 (the latest version available in the repos) and 2.10.0 (the latest version).

Testing: This is a library and so cannot be tested directly.

Attached is the Flightgear build log using pbuilder raring and the deb files for Simgear generated by pbuilder.

Attached is the Flightgear changelog between 2.6.0 (the latest version available on the repos) and 2.10.0 (the latest version).

Testing: To be done once fgfs-base is finished and built (ETA for completion of testing is about 24 hours).

Major new features are at:
2.8.0: http://wiki.flightgear.org/Changelog_2.8.0
2.10.0: http://wiki.flightgear.org/Changelog_2.10.0

Bug fixes are:
2.8.0: http://code.google.com/p/flightgear-bugs/issues/list?can=1&q=Milestone%3D2.8.0
2.10.0: http://code.google.com/p/flightgear-bugs/issues/list?can=1&q=Milestone%3D2.10.0

New fgfs-base build log attached, where XZ-compressed debs were produced.

Installation of dependencies for simgear.

Installation of dependencies for simgear-dev

Installation of simgear.

Installation of simgear-dev

Installation of fgfs-base.

Installation of fgfs-aircraft-base

Installation of fgfs-models-base.

Installation of fgfs-scenery-base.

Installation of dependencies for flightgear.

Installation of flightgear.

This and the other dependencies were installed on a freshly-installed Raring build as of March 25 (I couldn't install on a live CD due to size requirements). After Raring was installed, I enabled the raring-proposed update source and ran "sudo apt-get update" and "sudo apt-get upgrade". The debian files and their dependencies were installed using the Ubuntu Software Center.

I forgot to mention that Raring was installed in a VM, which will result in a lower performance when running flightgear.

I have tested flightgear and for the most part, it works. Because I am using an Intel GPU, the only changes I had to make to the default settings was to disable shaders and to disable texture compression. Those using other GPUs will probably not have to do this.

I'm attaching some pictures of FlightGear 2.10.0.

Looking at the simgear package alone:
http://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=simgear

It has open CVE and FTBFS bugs. Has those been addressed?

Why upload into Ubuntu? Wouldn't you want this in Debian? I can sponsor these uploads into Debian, but you'd need to contact debian-devel and the existing team maintainance and ping them if they are ok to upgrade these set of packages. The packaging looks good so far, but I also did not do a thoughtful review yet.

FFe approved. Going through Debian would be great.

I've downloaded the patches for the two CVEs, and it doesn't look like they've been addressed upstream. I've added and pushed the branch with the patches. Does ubuntu-release need to review the package again?

I was able to build from source for i386 and amd64 for Flightgear 2.8.0 and 2.10.0, and FlightGear 2.10.0 is available from my Flightgear PPA. I'll check to see if it compiles of armhf or if it needs the patch.

I had contacted the FlightGear team from Alioth and requested to join, but didn't get any reply. I'll send another email to see if he'll respond.

No additional release team review is needed.

That was a quick failure.

libopenscenegraph doesn't seem to be available in Raring armhf, so (as far as I know) FlightGear can only be built for i386 and amd64 in Ubuntu.

Please keep building for arch:any. The armhf FTBFS is related to us using GLES by default on arm, instead of GL as far as I can tell. And you should manage to build on powerpc as well.

I didn't change the arch field for any package, so it should still be sent for all enabled archs.

Since Raring is in a pre-release freeze, will this get merged after the Beta is released, or will it not be able to go into Raring?

Also, is it too late to get another FFe for a FlightGear-related package?

Since it's not seeded in a default install, it can definitely still go in.

Are you coordinating this with Debian? It might be good to follow up on the debian bug report with the changes you made to the packages. The renaming of the binary package for example would be good to have in Debian too, so we're in-line.

I tried to send another request to join on their Alioth Debian packaging page (https://alioth.debian.org/projects/pkg-fgfs/), but was told by the system that I had already sent one and the moderator had to approve/deny that request first. I sent the first request on March 11.

I don't suppose there's another way?

Find a team admin on IRC and ask them to review your request. You can also submit patches in bug reports.

Diff for simgear generated using the merge proposal in Launchpad

Diff for flightgear generated using the merge proposal in Launchpad

(unsubscribing sponsors, we don't need both the merge request and the bug in the sponsoring queue)

apt-get install flightgear
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 flightgear : Depends: libudev0 (>= 147) but it is not installable
E: Unable to correct problems, you have held broken packages.

apt-get install libudev0
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package libudev0 is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'libudev0' has no installation candidate

lsb_release -rd
Description: Ubuntu 13.04
Release: 13.04

apt-cache policy flightgear
flightgear:
  Installed: (none)
  Candidate: 2.10.0-1ppa3~raring1
  Version table:
     2.10.0-1ppa3~raring1 0
        500 http://ppa.launchpad.net/saiarcot895/flightgear/ubuntu/ raring/main i386 Packages
     2.6.0-1build1 0
        500 http://si.archive.ubuntu.com/ubuntu/ raring/universe i386 Packages
        100 /var/lib/dpkg/status

I realized that this morning, when I upgraded to Raring. A fix should be out soon.

I pinged Ove via Google+ about the Alioth team applying, for what it's worth. The simgear, fgfs-base and flightgear source packagings seem to be in SVN in Debian (easiest link to all of those package pages is http://qa.debian.org/developer.php?<email address hidden>)

Thanks, Timo.

I've deleted the merge proposals and my branches, since it's no longer valid for an FFe in Raring. More than likely, flightgear and its related packages will be updated through Debian and will be available in the next Debian release and Ubuntu t-series (I don't think it's going to make it in time for Saucy).

As the bug reporter and also not only for me, but also for all other flightgear (Ubuntu) users I appreaciate any effort you can make here.

This year there will be a new release.

Maybe it would be possible to make a ppa for raring and saucy.

I have one for Raring, and might add in Saucy later.

https://launchpad.net/~saiarcot895/+archive/flightgear

Thanks Saikrishna for your efforts. I guess you can continue doing NMUs according to Debian policies, as there is no response from the maintainer. I also tried joining the pkg-fgfs out of general interest in helping. At some point it might be beneficial to contact admins to check if we could be manually added to the group in order to make the group repositories et cetera usable.

The MIA team knows that the maintainer is MIA, and notified me that in the long term, I could be made the maintainer, but until then, I can only do NMUs. According to the MIA schedule (http://wiki.debian.org/qa.debian.org/MIATeam), that may take about 2 1/2 months. Also, they would rather not have new versions NMU'ed, but only severe bug fixes allowed. Apparently, there are two CVEs against Flightgear, for which patches were available, which they allowed me to do an NMU upload.

There are new 2.10 uploads in Debian experimental for simgear (still in NEW queue) and flightgear. I've fired up builds directly from git to a PPA for saucy: https://launchpad.net/~timo-jyrinki/+archive/flightgear

Looks good build-wise, although amd64 not yet built so I haven't been able to run it. If they're fine, I don't see why they couldn't be synced from Debian experimental at some point (or unstable, if they'll be uploaded there soon).

http://anonscm.debian.org/gitweb/?p=collab-maint/simgear.git + http://anonscm.debian.org/gitweb/?p=collab-maint/flightgear.git

This bug was fixed in the package simgear - 2.10.0-1

---------------
simgear (2.10.0-1) experimental; urgency=low

  * New upstream release. (Closes: #718380, #701357)
  * Rename to prepend 'lib' and split into separate core and scene
    packages, so that the SONAME matches the package name.
  * Drop patch nasal-endian.patch, it got applied upstream.
  * Cleanup build dependencies: remove obsolete ORed deps:
    xlibmesa-gl-dev, xlibmesa-glu-dev, libglu1-xorg-dev.
  * Update Standards-Version to 3.9.4, no changes.
  * Use dpkg-buildflags for proper hardening, pass the flags via
    CMAKE_FLAGS.
  * Use build type RelWithDebInfo and verbose makefile generation.
  * Add patch osg-compat.diff for compatibility with OSG 3.1.8 and newer.
  * Compile against the system's expat library. Closes: #560937.
  * control: let VCS point to new git repo in collab-maint
  * Bump compat level to 8.
  * rules: rewrite to use dh7, simplify a lot, drop the static libraries
    from the -dev package.
  * Add myself as an uploader.
  * Add patch gcc-macro-correction.diff for compatibility with boost1.53.

 -- Markus Wanner <email address hidden> Wed, 28 Aug 2013 09:26:38 +0200

This bug was fixed in the package flightgear - 2.10.0-1

---------------
flightgear (2.10.0-1) experimental; urgency=low

  * New upstream release 2.10.0. (Closes: #718379, #673314).
  * Adjust dependencies to match new version.
  * Adjust simgear-dev being renamed to libsimgear-dev.
  * Drop obsolete ORed build dependencies: xlibmesa-gl-dev,
    xlibmesa-glu-dev, xlibglu1-xorg-dev
  * Refresh terrasync.patch.
  * Drop the browser patch, it doesn't apply anymore (TODO: check if it's
    still necessary).
  * Further simplification of rules:
    - leave parsing of DEB_BUILD_OPTIONS to debhelper
    - merge {C,CXX}FLAGS into CMAKE_FLAGS
    - pass BUILD_TYPE = RelWithDebInfo
    - add LDFLAGS as CMAKE_SHARED_LINKER_FLAGS
    - make sure CXX_FLAGS_RELWITHDEBINFO doesn't override the optimization
      level given by dpkg-buildflags via CXXFLAGS
    - turn on verbose Makefile
  * Adapt to renamed data packages. Add all data packages as
    dependencies. Anything less doesn't seem to be supported upstream.
  * Direct the Vcs-Browser to gitweb, rather than raw git http.
  * Add myself as an uploader.

 -- Markus Wanner <email address hidden> Wed, 28 Aug 2013 09:35:49 +0200

flightgear (2.6.0-2) UNRELEASED; urgency=low

  * Team upload.
  * Bumped D-S-V to 3.9.4
  * debian/control VCS point to new git repo in collab-maint
  * Lintian cleaning
    - debian/control: build-depends-on-1-revision, simgear-dev
    - debian/menu: unquoted-string-in-menu-item
    - package-contains-readme-for-other-platform-or-distro
      rm usr/share/doc/flightgear/README.Cygwin
      rm usr/share/doc/flightgear/README.IRIX
      rm usr/share/doc/flightgear/README.MacOS
    - debian/rules: added hardening flags
    - debian/flightgear.desktop: remove depricated Encoding field
  * Thorough review and edit of debian/copyright
    - added copywrite_check to debian/rules to easy maintenance
    - DEP-5 style copyright
  * added get-orig-source target to debian/rules
  * use ${source:Version} substr in debian/control instead of explicitly
    naming the version

 -- Scott Howard <email address hidden> Sun, 06 Jan 2013 21:43:23 -0500

Thanks a lot Jeremy for syncing those and also the flightgear-data!

I also tested my PPA builds and they simply seem to work.

As status update, Jeremy's simgear and flightgear updates already went to saucy, flightgear-data is now in NEW queue https://launchpad.net/ubuntu/saucy/+queue?queue_state=0&queue_text=

Hold off. I'll look at this in Debian New so it doesn't have to be reviewed twice.

Ack. Approved. It's out of New in Debian, so please sync it once it's available.

This bug was fixed in the package flightgear-data - 2.10.0-1
Sponsored for Thomas Hotz (thotz)

---------------
flightgear-data (2.10.0-1) experimental; urgency=low

  * New upstream release. (Closes: #714260).
  * Rename data source and binary packages for clarity - now including
    'flightgear' rather than 'fgfs'.
  * Move all scenery data into the base data package, make it sufficient
    to run a stripped down variant of Flight Gear.
  * Drop browser patch - no browser settings in preferences.xml, anymore.
  * Add a separate 'set -e' in postinst and prerm.
  * Bump Standards-Version to 3.9.4.
  * Revamp rules to use debhpler 7, bump compat and debhelper dependency.
  * Drop the copy of the liberation font, depend on ttf-liberation and
    symlink it instead (from postinst and prerm).
  * Update copyright file. Now in DEP-5 style.
  * Drop Windows executable files and empty directories.
  * Adjust description of flightgear-data-base (former fgfs-base).
    Consistently use FlightGear (w/o space) in the descriptions.
  * Add a virtual flightgear-data-all package.
  * Add debian/docs.
  * control: let VCS point to new git repo in collab-maint
  * Add myself as an uploader.

 -- Markus Wanner <email address hidden> Wed, 28 Aug 2013 09:37:02 +0200

fgfs-base (2.6.0-1) unstable; urgency=low

  * New upstream release.
  * Updated debian/watch, the mirror is now ibiblio.org.
  * Changed postinst to (hopefully) not fail migration if the
    source directory is empty. Closes: #671268.

 -- Ove Kaaven <email address hidden> Mon, 16 Jul 2012 04:40:55 +0200

fgfs-base (2.4.0-1) unstable; urgency=low

  * New upstream release.
  * Changed source package format to "3.0 (quilt)".
  * Split scenery into a separate fgfs-scenery-base package.
  * Use Breaks instead of Conflicts to keep the flightgear version
    in sync.

 -- Ove Kaaven <email address hidden> Sat, 03 Sep 2011 21:26:40 +0200

fgfs-base (2.0.0-1) unstable; urgency=low

  * New upstream release.
  * Made the pkg-fgfs-crew mailing list the official maintainer of the
    fgfs-base package, and myself a mere uploader.
  * Split aircraft models into a separate fgfs-aircraft-base package,
    and object models into a separate fgfs-models-base package.
    This reduces the size of the fgfs-base package, and facilitates
    aircraft and scenery updates between FlightGear releases.
    Closes: #534839.

 -- Ove Kaaven <email address hidden> Sat, 01 Jan 2011 00:58:32 +0100

fgfs-base (1.9.0-1) unstable; urgency=low

  * New upstream release.
  * Added Vcs-Browser and Vcs-Svn fields to debian/control.
  * Converted debian/watch to version 3. Closes: #529107.

 -- Ove Kaaven <email address hidden> Mon, 15 Jun 2009 01:44:31 +0200

fgfs-base (1.0.0-2) unstable; urgency=low

  * Add Homepage field.
  * Upgrade Standards-Version from 3.5.5 to 3.7.3.
  * Moved the debhelper build-dependency from Build-Depends-Indep
    to Build-Depends, as required by new Standards-Version.
  * Use debian/compat file instead of setting DH_COMPAT in debian/rules.
    Upgraded DH compatibility level to 5.
  * Do not install upstream's Timezone directory.
  * Install link to /usr/share/zoneinfo in postinst (and remove it in
    prerm) in...

Did you apply the security patches (Debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669025 ), and if not is there a reason you can't? Both Ubuntu's and Debian's 2.10 source look unpatched.

You are correct. I'm fixing the Ubuntu package and I reopened the bug in Debian.

There's another CVE for simgear (6699025 was for the one in flightgear): http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669024. There aren't any patches attached to the bug report, but I made my own patches in an attempt to address the CVE, which I attached here.

CVE-2012-2091 attached here.

Saikrishna, I don't believe that patch is complete:

+++ simgear/simgear/io/sg_socket_udp.cxx 2013-08-04 22:21:16.174132010 -0500
@@ -104,8 +104,9 @@
     }

     int result;
+ int size = length < SG_IO_MAX_MSG_SIZE ? length : SG_IO_MAX_MSG_SIZE;

- if ( (result = sock.recv(buf, SG_IO_MAX_MSG_SIZE, 0)) >= 0 ) {
+ if ( (result = sock.recv(buf, size, 0)) >= 0 ) {
  buf[result] = '\0';
  // printf("msg received = %s\n", buf);
     }

And here's the corresponding prototypes:
int SGSocketUDP::read( char *buf, int length ) {
ssize_t recv(int sockfd, void *buf, size_t len, int flags);

'length' could be negative, thus 'size' could be negative. When the signed size is
passed to recv(), it may become a very large positive integer, think above two billion,
and thus allow recv() to overwrite the buf buffer.

There needs to be a similar check to ensure that length is non-negative.

Thanks

I should have mentioned that the patches were to the best of my ability and might not address all problems.

Here's an updated patch that sets length to 0 if length is negative. This should cause nothing to be read from the socket, right?

The original report doesn't say so but it looks like SGSocketUDP::readline is vulnerable as well: the attached fixes both.

(I kept the negative-length check but consider it mostly pointless: if you can't assume length is the correct length of buf, it's impossible to prevent an overflow.)

Also a fix for upstream bug 1117 ( http://code.google.com/p/flightgear-bugs/issues/detail?id=1117&q=2090&colspec=ID%20Type%20Status%20Priority%20Summary%20Aircraft%20Milestone ), another format string security bug.

Note that neither of these fixes have been tested.

Sorry, stray bracket.

Rebecca's patches look good to me, too. Thanks!

I've uploaded an update for simgear with them as well. Sent the patch to Debian. Thanks.

Sorry...my previous patch had an off-by-one error. Corrected patch attached.

OK. Uploaded the updated version.

Thanks.

It appears that my "fixes both", which I meant as "2091 for both read() and readline()", has been misinterpreted as "both 2090 and 2091", with the result that Saikrishna's simgear 2090 patch was not applied; my flightgear patch for upstream issue 1117 wasn't applied either.

I.e. there should be three security patches on flightgear (Debian's old ones for 2090 and 2091, and my 1117), and two on simgear (Saikrishna's 2090, and the later version of my 2091).

Given that Debian are now in the process of applying these (though note that their current simgear has the old off-by-one version of my 2091 patch), it might make most sense to wait for and import their fixed packages, rather than pointlessly splitting the source package.

OK. Please ping the bug when then are ready and I'll sync from Debian.

The fixed packages in Debian are flightgear 2.10.0-2 and simgear 2.10.0-3, both currently in the build queue.

On Sunday, September 08, 2013 17:42:33 you wrote:
> The fixed packages in Debian are flightgear 2.10.0-2 and simgear
> 2.10.0-3, both currently in the build queue.

Both sync'ed. Thanks for working through this and sticking with it.

Scott K