There are security problems in dune-0.13.
Unfortunately, the security problems are located in the error message routines,
so it is rather simple to build an exploit.
The problems have been fixed in white_dune-0.29beta796.
-----------------------------------
A] buffer-overflow in Scene::errorf
-----------------------------------
A buffer-overflow vulnerability is located in the function which builds
the error messages for problems that occur during the parsing of the
WRL file.
From Scene.cpp:
void
Scene::errorf(const char *fmt, ...)
{
    va_list ap;
    char buf[1024], buf2[1024];
    const char *url = "";
    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);   /* no length limit on the write into buf */
    if (TheApp->getImportURL() != NULL)
        url = TheApp->getImportURL();
    mysnprintf(buf2, 1024, "%s %d: %s", url, lineno, buf);
    _compileErrors += buf2;
}
------------------------------
B] format string in ImportFile
------------------------------
Another problem is related to the handling of the errors.
After the error message is built, the parse() function returns
immediately and swDebugf() is called to display it on stderr or in
the debugger without the format argument the function requires.
From DuneApp.cpp:
DuneApp::ImportFile(const char *openpath, Scene* scene, bool protoLibrary,
                    Node *node, int field)
...
    if (errors[0]) {
        swMessageBox(_mainWnd, errors, "Parse Errors", SW_MB_OK,
                     SW_MB_WARNING);
        swDebugf(errors);     /* errors is passed as the format string */
...
#######################################################################
Nobody/Anonymous ( nobody ) - 2008-01-03 20:22
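A bounded form of the two patterns reported in A] and B], as an added example that is not part of the original report and is not the white_dune fix. The names format_error and render_log are hypothetical, standard snprintf stands in for the project's mysnprintf, and the inputs are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ERR_BUF 1024  /* same size as buf/buf2 in the quoted errorf() */

/* Hypothetical bounded counterpart of the errorf() pattern: vsnprintf()
 * never writes past sizeof msg, and its return value exposes truncation.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error. */
int format_error(char *out, size_t size, const char *url, int lineno,
                 const char *fmt, ...)
{
    char msg[ERR_BUF];
    va_list ap;
    int n, m;

    va_start(ap, fmt);
    n = vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    m = snprintf(out, size, "%s %d: %s", url ? url : "", lineno, msg);
    if (m < 0)
        return -1;
    return (n >= (int)sizeof msg || (size_t)m >= size) ? 1 : 0;
}

/* Hypothetical sink standing in for the swDebugf(errors) call: the message
 * is data, so it goes through a constant "%s" format and any '%' sequences
 * in it are copied verbatim. Returns the length the full text needs. */
int render_log(char *out, size_t size, const char *errors)
{
    return snprintf(out, size, "%s", errors);
}

int main(void)
{
    char err[ERR_BUF], line[ERR_BUF];
    char big[4096];

    /* Constructed input: an over-long token such as a parser might echo. */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("truncated=%d\n", format_error(err, sizeof err, "a.wrl", 7,
                                          "unknown node %s", big));
    render_log(line, sizeof line, "a.wrl 7: 100%n%s");  /* constructed */
    printf("%s\n", line);
    return 0;
}
```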