Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal
Dear Release Team,

as per Salvatore Bonaccorso, the current security fix for flightgear doesn't warrant a DSA on its own (see below). Is it okay to upload to 'stable'? A debdiff against the current version in stable-sec (3.0.0-5+deb8u1) is attached. Please note that stable itself is still at 3.0.0-5 and doesn't offer the first (and related) security fix.

Kind Regards

Markus Wanner

On 05/17/2017 08:57 AM, Salvatore Bonaccorso wrote:
> Hi,
>
> On Wed, May 17, 2017 at 08:49:19AM +0200, Moritz Muehlenhoff wrote:
>> On Wed, May 17, 2017 at 07:20:15AM +0200, Salvatore Bonaccorso wrote:
>>> Hi Markus,
>>>
>>> On Fri, May 12, 2017 at 07:57:23PM +0200, Markus Wanner wrote:
>>>> Florent,
>>>>
>>>> On 05/12/2017 07:33 PM, Florent Rougon wrote:
>>>>> We'd like to draw your attention to the following fix for FlightGear:
>>>>
>>>> thanks for your heads-up, I'll take care of preparing an upload for the
>>>> affected Debian packages.
>>>
>>> Thanks. Filed #862689 in the BTS as well in the meantime.
>>>
>>> For stable: We think this does need a DSA on its own, can you schedule
>> ^ not
>>
>> :-)
>
> Ouch, yes of course ... sorry for the confusion caused (hope this still
> was clear from context :)).
>
> Regards,
> Salvatore
diff -Nru flightgear-3.0.0/debian/changelog flightgear-3.0.0/debian/changelog --- flightgear-3.0.0/debian/changelog 2016-12-14 09:43:00.000000000 +0000 +++ flightgear-3.0.0/debian/changelog 2017-05-17 10:46:18.000000000 +0000 @@ -1,3 +1,11 @@ +flightgear (3.0.0-5+deb8u2) stable; urgency=high + + * Add patch restrict-save-flightplan-secu-fix-faf872.patch: prevent + overriding arbitrary files from the "save-flightplan" FGCommand. + Closes: #862689 (CVE-2017-8921). + + -- Markus Wanner <mar...@bluegap.ch> Tue, 16 May 2017 21:37:27 +0200 + flightgear (3.0.0-5+deb8u1) jessie-security; urgency=high * Add patch route-manager-secu-fix-280cd5.patch (security fix preventing diff -Nru flightgear-3.0.0/debian/patches/restrict-save-flightplan-secu-fix-faf872.patch flightgear-3.0.0/debian/patches/restrict-save-flightplan-secu-fix-faf872.patch --- flightgear-3.0.0/debian/patches/restrict-save-flightplan-secu-fix-faf872.patch 1970-01-01 00:00:00.000000000 +0000 +++ flightgear-3.0.0/debian/patches/restrict-save-flightplan-secu-fix-faf872.patch 2017-05-17 09:16:50.000000000 +0000 
@@ -0,0 +1,36 @@ +Description: Security fix: don't allow overwriting arbitrary files + the previous fix 280cd523 missed commandSaveFlightPlan + . + backported from faf872e7, fixes CVE-2017-8921. +Author: Rebecca N. Palmer <rebecca_pal...@zoho.com> + Florent Rougon <f.rou...@free.fr> +Origin: upstream, https://sourceforge.net/p/flightgear/flightgear/ci/c8250b10bb9a116889f831d2299678b0ef70fec2/ + +--- a/src/Autopilot/route_mgr.cxx ++++ b/src/Autopilot/route_mgr.cxx +@@ -75,7 +75,24 @@ + { + FGRouteMgr* self = (FGRouteMgr*) globals->get_subsystem("route-manager"); + SGPath path(arg->getStringValue("path")); +- return self->saveRoute(path); ++ const std::string authorizedPath = fgValidatePath(path.realpath(), ++ true /* write */); ++ ++ if (!authorizedPath.empty()) { ++ return self->saveRoute(SGPath(authorizedPath)); ++ } else { ++ const SGPath proposedPath = SGPath(globals->get_fg_home()) / "Export"; ++ std::string msg = ++ "The route manager was asked to write the flightplan to '" + ++ path.str() + "', but this path is not authorized for writing. " + ++ "Please choose another location, for instance in the $FG_HOME/Export " ++ "folder (" + proposedPath.str() + ")."; ++ ++ SG_LOG(SG_AUTOPILOT, SG_ALERT, msg); ++ modalMessageBox("FlightGear", "Unable to write to the specified file", ++ msg); ++ return false; ++ } + } + + static bool commandActivateFlightPlan(const SGPropertyNode* arg) diff -Nru flightgear-3.0.0/debian/patches/series flightgear-3.0.0/debian/patches/series --- flightgear-3.0.0/debian/patches/series 2016-12-14 09:13:44.000000000 +0000 +++ flightgear-3.0.0/debian/patches/series 2017-05-16 20:18:39.000000000 +0000 @@ -5,3 +5,4 @@ 6a30e7.patch route-manager-secu-fix-280cd5.patch fix-missing-lX11-in-link-commands.patch +restrict-save-flightplan-secu-fix-faf872.patch
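Review bot: in the debian/changelog hunk, "prevent overriding arbitrary files" should read "prevent overwriting arbitrary files"; the patch's own Description line ("don't allow overwriting arbitrary files") uses the accurate term, and the changelog entry is what ends up in the stable update announcement, so the two should agree.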
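Review bot: the DEP-3 header of restrict-save-flightplan-secu-fix-faf872.patch is internally inconsistent: Description says "backported from faf872e7" (and the file name carries faf872), while Origin points at upstream commit c8250b10bb9a116889f831d2299678b0ef70fec2; state which commit the backport is actually taken from, or list both if the hunk combines them, so the fix can be traced to upstream. In the route_mgr.cxx hunk itself, calling `fgValidatePath(path.realpath(), true /* write */)` before `saveRoute()` puts the check in the right place for commandSaveFlightPlan; worth confirming that `SGPath::realpath()` resolves as intended when the target file does not exist yet, since saving a new flightplan is the normal case, and note that the SG_ALERT message echoes the unresolved `path.str()` rather than `authorizedPath`, so the log records the path as supplied, not the resolved target.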