Bug#780716: flightgear-data: nasal scripts can ready any file

Markus Wanner Wed, 18 Mar 2015 02:45:54 -0700

Package: flightgear-data
Version: 3.0.0-1
Severity: grave
Tags: security

Upstream has reported two related security issues in how FlightGear
restricts what files Nasal (its built-in scripting language for
aircraft) can access.


This bug is tracking the portion related to the flightgear-data package.

-The allowed directories for reading include FG_SCENERY, which can be
changed from Nasal via /sim/terrasync/scenery-dir.
Effect: Can read any file as the user.
Fix: fgdata 60da2094252cee1a5cdfe737f29becd5c6800549

Regards

Markus Wanner

signature.asc
Description: OpenPGP digital signature

Bug#780716: flightgear-data: nasal scripts can ready any file

Reply via email to