Your message dated Sat, 15 Mar 2025 09:44:44 +0000
with message-id <e1tto4s-005kni...@coccia.debian.org>
and subject line Close 1094352
has caused the Debian Bug report #1094352,
regarding bookworm-pu: package simgear/1:2020.3.16+dfsg-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1094352: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094352
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: simg...@packages.debian.org, to...@debian.org
Control: affects -1 + src:simgear
User: release.debian....@packages.debian.org
Usertags: pu

Dear release team,

I've received a notification from the flightgear upstream maintainers that they've discovered and fixed a security issue. I've applied the proposed fix and already uploaded the package to unstable.

The security team suggested that a stable update might be good, as the bug doesn't seem to need a DSA.

Please note that there's currently no CVE assigned (still in progress), and there's also not a Debian bug in the BTS. However, the issue is tracked in our security tracker:

https://security-tracker.debian.org/tracker/TEMP-0000000-5E50D9

Please find the patch attached which I'd like to upload for the next stable point release.

If you accept this upload, the package "flightgear" needs an upload as well. I'll file a bug about that shortly after this one.

Regards,
Tobias
diff -Nru simgear-2020.3.16+dfsg/debian/changelog simgear-2020.3.16+dfsg/debian/changelog
--- simgear-2020.3.16+dfsg/debian/changelog	2022-10-26 10:53:00.000000000 +0200
+++ simgear-2020.3.16+dfsg/debian/changelog	2025-01-27 12:58:26.000000000 +0100
@@ -1,3 +1,11 @@
+simgear (1:2020.3.16+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * New patch: check I/O rules when auto-constructing an SGPath from a Nasal scalar.
+    Thanks to Florent Rougon <f.rou...@frougon.net>
+
+ -- Dr. Tobias Quathamer <to...@debian.org>  Mon, 27 Jan 2025 12:58:26 +0100
+
 simgear (1:2020.3.16+dfsg-1) unstable; urgency=medium
 
   * New upstream version 2020.3.16+dfsg
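Review bot: The new changelog entry at the top of this hunk never states that the patch is a security fix and gives no reference a reader could follow. With no CVE or BTS bug available yet, cite the security-tracker entry from the request (TEMP-0000000-5E50D9, to be replaced by the CVE once assigned) and name the patch file, so the entry can be matched against debian/patches/series. The "New patch: ..." line is also 84 columns wide; wrap it onto a continuation line the way the "Thanks to" line is.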
diff -Nru simgear-2020.3.16+dfsg/debian/patches/cppbind-check-I-O-rules-when-auto-constructing-an-SG.patch simgear-2020.3.16+dfsg/debian/patches/cppbind-check-I-O-rules-when-auto-constructing-an-SG.patch
--- simgear-2020.3.16+dfsg/debian/patches/cppbind-check-I-O-rules-when-auto-constructing-an-SG.patch	1970-01-01 01:00:00.000000000 +0100
+++ simgear-2020.3.16+dfsg/debian/patches/cppbind-check-I-O-rules-when-auto-constructing-an-SG.patch	2025-01-27 12:44:59.000000000 +0100
@@ -0,0 +1,80 @@
+From: Florent Rougon <f.rou...@frougon.net>
+Date: Tue, 21 Jan 2025 00:16:43 +0100
+Subject: cppbind: check I/O rules when auto-constructing an SGPath from a
+ Nasal scalar
+
+- Add static member function SGPath::NasalIORulesChecker as a
+  PermissionChecker (this is essentially checkIORules() moved from the
+  flightgear repository).
+
+- Use it in the from_nasal_helper() that creates an SGPath instance from
+  a Nasal scalar.
+---
+ simgear/misc/sg_path.cxx                           | 20 ++++++++++++++++++++
+ simgear/misc/sg_path.hxx                           |  7 +++++++
+ simgear/nasal/cppbind/detail/from_nasal_helper.cxx |  3 ++-
+ 3 files changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/simgear/misc/sg_path.cxx b/simgear/misc/sg_path.cxx
+index f0706cd..5709256 100644
+--- a/simgear/misc/sg_path.cxx
++++ b/simgear/misc/sg_path.cxx
+@@ -288,6 +288,26 @@ void SGPath::set_cached(bool cached)
+ // *                    Access permissions for Nasal code                    *
+ // ***************************************************************************
+ 
++// Static member function
++SGPath::Permissions SGPath::NasalIORulesChecker(const SGPath& path)
++{
++    Permissions perm;
++
++    if (!path.isAbsolute()) {
++        // SGPath caches permissions, which breaks for relative paths if the
++        // current directory changes.
++        SG_LOG(SG_NASAL, SG_ALERT,
++               "SGPath::NasalIORulesChecker(): file operation on '" <<
++               path.utf8Str() << "': access denied (relative paths not "
++               "accepted; use realpath() to obtain an absolute path)");
++    }
++
++    perm.read  = path.isAbsolute() && !path.validate(false).isNull();
++    perm.write = path.isAbsolute() && !path.validate(true).isNull();
++
++    return perm;
++}
++
+ // Static member function
+ void SGPath::clearListOfAllowedPaths(bool write)
+ {
+diff --git a/simgear/misc/sg_path.hxx b/simgear/misc/sg_path.hxx
+index 84194b6..f98c004 100644
+--- a/simgear/misc/sg_path.hxx
++++ b/simgear/misc/sg_path.hxx
+@@ -137,6 +137,13 @@ public:
+      */
+     SGPath validate(bool write) const;
+ 
++    /**
++     * Normal PermissionChecker for SGPath instances created from Nasal.
++     * @param path an SGPath instance
++     * @return read and write permissions conforming to validate()
++     */
++    static Permissions NasalIORulesChecker(const SGPath& path);
++
+     /**
+      * Append another piece to the existing path.  Inserts a path
+      * separator between the existing component and the new component.
+diff --git a/simgear/nasal/cppbind/detail/from_nasal_helper.cxx b/simgear/nasal/cppbind/detail/from_nasal_helper.cxx
+index 160d69b..e404877 100644
+--- a/simgear/nasal/cppbind/detail/from_nasal_helper.cxx
++++ b/simgear/nasal/cppbind/detail/from_nasal_helper.cxx
+@@ -61,7 +61,8 @@ namespace nasal
+   SGPath from_nasal_helper(naContext c, naRef ref, const SGPath*)
+   {
+       naRef na_str = naStringValue(c, ref);
+-      return SGPath(std::string(naStr_data(na_str), naStr_len(na_str)));
++      return SGPath(std::string(naStr_data(na_str), naStr_len(na_str)),
++                    &SGPath::NasalIORulesChecker);
+   }
+ 
+   //----------------------------------------------------------------------------
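Review bot: In SGPath::NasalIORulesChecker() the `if (!path.isAbsolute())` branch only logs and then falls through, so the actual denial of relative paths rests on the `path.isAbsolute() &&` repeated in the two assignments below it. Make the deny path explicit by setting perm.read and perm.write to false and returning inside that branch, which leaves the absolute case as plain `!path.validate(false).isNull()` and `!path.validate(true).isNull()` and keeps a later edit to those lines from silently re-allowing relative paths. The log line also writes the Nasal-supplied path verbatim at SG_ALERT, so a script that retries in a loop can flood the log; consider a lower priority or rate limiting. The diffstat lists only sg_path.cxx, sg_path.hxx and from_nasal_helper.cxx, so nothing exercises the new checker: a test that builds an SGPath through from_nasal_helper() from a relative string and from an absolute path outside the allowed list, and asserts that both read and write are refused, would pin the behaviour this fix depends on.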
diff -Nru simgear-2020.3.16+dfsg/debian/patches/series simgear-2020.3.16+dfsg/debian/patches/series
--- simgear-2020.3.16+dfsg/debian/patches/series	2022-10-24 13:25:38.000000000 +0200
+++ simgear-2020.3.16+dfsg/debian/patches/series	2025-01-27 12:43:31.000000000 +0100
@@ -5,3 +5,4 @@
 disable_network_tests.patch
 spelling_fixes.patch
 fix-ftbfs-on-armel-armhf.patch
+cppbind-check-I-O-rules-when-auto-constructing-an-SG.patch

--- End Message ---
--- Begin Message ---
Version: 12.10
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---
