Package: release.debian.org User: release.debian....@packages.debian.org Usertags: pu Tags: jessie Severity: normal
Dear Release Team, yet another security fix for flightgear that, according to Salvatore Bonaccorso, is not worth a DSA. A bit about the security issue: malicious add-ons could write to arbitrary files of the user, possibly even executable ones. The fix is in two parts, back-ported to older releases by Florent Rougon. Please verify the attached debdiff, which fixes the issue in stretch with the next point release. Kind Regards Markus Wanner
diff -Nru flightgear-2016.4.4+dfsg/debian/changelog flightgear-2016.4.4+dfsg/debian/changelog
--- flightgear-2016.4.4+dfsg/debian/changelog 2017-05-19 19:10:15.000000000 +0000
+++ flightgear-2016.4.4+dfsg/debian/changelog 2017-08-30 16:06:14.000000000 +0000
@@ -1,3 +1,12 @@
+flightgear (1:2016.4.4+dfsg-3+deb9u1) stable; urgency=medium
+
+ * Add patches init-allowed-paths-earlier-secu-fix-f372d7.patch and
+ prevent-arbitrary-file-writes-secu-fix-58d8e1.patch: prevent
+ malicious add-ons from overriding arbitrary files.
+ Closes: #873439 (CVE-2017-13709)
+
+ -- Markus Wanner <mar...@bluegap.ch> Wed, 30 Aug 2017 18:06:14 +0200
+
 flightgear (1:2016.4.4+dfsg-3) unstable; urgency=medium
 
 * Team upload.
diff -Nru flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch
--- flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch 1970-01-01 00:00:00.000000000 +0000
+++ flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch 2017-08-30 07:03:19.000000000 +0000
@@ -0,0 +1,62 @@
+Description: Call fgInitAllowedPaths earlier: after Options::processOptions
+ Call fgInitAllowedPaths() right after Options::processOptions() (which,
+ among other things, determines $FG_ROOT and processes
+ --allow-nasal-read). This way, fgInitAllowedPaths() can be used in much
+ more code, such as when initializing subsystems.
+ .
+ (cherry picked from commit c7a2aef59979af3e9ff22daabb37bdaadb91cd75)
+ .
+ In preparation for the real security fix following this commit.
+Origin: upstream, https://sourceforge.net/p/flightgear/flightgear/ci/f372d7548ad7114aed14135dcc566ea326c24beb/
+Author: Florent Rougon
+
+diff --git a/src/Main/fg_init.cxx b/src/Main/fg_init.cxx
+index ea9d9b5ef..47987a363 100644
+--- a/src/Main/fg_init.cxx
++++ b/src/Main/fg_init.cxx
+@@ -1070,7 +1070,12 @@ void fgStartNewReset()
+ fgInitGeneral(); // all of this?
+
+ flightgear::Options::sharedInstance()->processOptions();
+-
++
++ // Rebuild the lists of allowed paths for cases where a path comes from an
++ // untrusted source, such as the global property tree (this uses $FG_HOME
++ // and other paths set by Options::processOptions()).
++ fgInitAllowedPaths();
++
+ // PRESERVED properties over-write state from options, intentionally
+ if ( copyProperties(preserved, globals->get_props()) ) {
+ SG_LOG( SG_GENERAL, SG_INFO, "Preserved state restored successfully" );
+diff --git a/src/Main/main.cxx b/src/Main/main.cxx
+index bed7e2954..fd2fb575c 100644
+--- a/src/Main/main.cxx
++++ b/src/Main/main.cxx
+@@ -515,7 +515,12 @@ int fgMainInit( int argc, char **argv )
+ } else if (configResult == flightgear::FG_OPTIONS_EXIT) {
+ return EXIT_SUCCESS;
+ }
+-
++
++ // Set the lists of allowed paths for cases where a path comes from an
++ // untrusted source, such as the global property tree (this uses $FG_HOME
++ // and other paths set by Options::processOptions()).
++ fgInitAllowedPaths();
++
+ // Initialize the Window/Graphics environment.
+ fgOSInit(&argc, argv);
+ _bootstrap_OSInit++;
+diff --git a/src/Scripting/NasalSys.cxx b/src/Scripting/NasalSys.cxx
+index 1002b08dc..6c6fa1b48 100644
+--- a/src/Scripting/NasalSys.cxx
++++ b/src/Scripting/NasalSys.cxx
+@@ -886,9 +886,6 @@ void FGNasalSys::init()
+ .member("singleShot", &TimerObj::isSingleShot, &TimerObj::setSingleShot)
+ .member("isRunning", &TimerObj::isRunning);
+
+- // Set allowed paths for Nasal I/O
+- fgInitAllowedPaths();
+-
+ // Now load the various source files in the Nasal directory
+ simgear::Dir nasalDir(SGPath(globals->get_fg_root(), "Nasal"));
+ loadScriptDirectory(nasalDir);
diff -Nru flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch
--- flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch 1970-01-01 00:00:00.000000000 +0000
+++ flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch 2017-08-30 07:04:40.000000000 +0000
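Review bot: With the call removed from FGNasalSys::init() in the NasalSys.cxx hunk, nothing in the new code enforces that fgInitAllowedPaths() has run before a path is validated; the ordering now rests entirely on the two call sites added in fgMainInit() and fgStartNewReset(). Any route that reinitialises the Nasal subsystem without passing through fgStartNewReset() would, as far as these hunks show, keep the lists computed at startup, so path settings changed later would not be reflected. I would leave a comment where the call was removed, for example `// Allowed paths are set in fgMainInit()/fgStartNewReset(), after Options::processOptions()`, and confirm that the validator rejects every path while the lists are still uninitialised (its implementation is not visible here). All three functions continue outside their hunks.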
@@ -0,0 +1,96 @@
+Description: Security: don't allow FGLogger to overwrite arbitrary files
+ Since the paths of files written by FGLogger come from the property
+ tree[1], they must be validated before we decide to write to these
+ files.
+ .
+ [1] Except for the "empty" case, which uses the default name
+ 'fg_log.csv'.
+ .
+ (cherry picked from commit 2a5e3d06b2c0d9f831063afe7e7260bca456d679)
+Origin: upstream, https://sourceforge.net/p/flightgear/flightgear/ci/2a5e3d06b2c0d9f831063afe7e7260bca456d679/
+Author: Florent Rougon
+
+diff --git a/src/Main/logger.cxx b/src/Main/logger.cxx
+index 6c18162c3..32ec850a1 100644
+--- a/src/Main/logger.cxx
++++ b/src/Main/logger.cxx
+@@ -9,12 +9,17 @@
+
+ #include "logger.hxx"
+
+-#include <fstream>
++#include <ios>
+ #include <string>
++#include <cstdlib>
+
+ #include <simgear/debug/logstream.hxx>
++#include <simgear/misc/sgstream.hxx>
++#include <simgear/misc/sg_path.hxx>
+
+ #include "fg_props.hxx"
++#include "globals.hxx"
++#include "util.hxx"
+
+ using std::string;
+ using std::endl;
+@@ -59,6 +64,25 @@ FGLogger::init ()
+ child->setStringValue("filename", filename.c_str());
+ }
+
++ // Security: the path comes from the global Property Tree; it *must* be
++ // validated before we overwrite the file.
++ const SGPath authorizedPath = fgValidatePath(SGPath::fromUtf8(filename),
++ /* write */ true);
++
++ if (authorizedPath.isNull()) {
++ const string propertyPath = child->getChild("filename")
++ ->getPath(/* simplify */ true);
++ const string msg =
++ "The FGLogger logging system, via the '" + propertyPath + "' property, "
++ "was asked to write to '" + filename + "', however this path is not "
++ "authorized for writing anymore for security reasons. " +
++ "Please choose another location, for instance in the $FG_HOME/Export "
++ "folder (" + (globals->get_fg_home() / "Export").utf8Str() + ").";
++
++ SG_LOG(SG_GENERAL, SG_ALERT, msg);
++ exit(EXIT_FAILURE);
++ }
++
+ string delimiter = child->getStringValue("delimiter");
+ if (delimiter.empty()) {
+ delimiter = ",";
+@@ -68,7 +92,8 @@ FGLogger::init ()
+ log.interval_ms = child->getLongValue("interval-ms");
+ log.last_time_ms = globals->get_sim_time_sec() * 1000;
+ log.delimiter = delimiter.c_str()[0];
+- log.output = new std::ofstream(filename.c_str());
++ // Security: use the return value of fgValidatePath()
++ log.output = new sg_ofstream(authorizedPath, std::ios_base::out);
+ if (!log.output) {
+ SG_LOG(SG_GENERAL, SG_ALERT, "Cannot write log to " << filename);
+ continue;
+diff --git a/src/Main/logger.hxx b/src/Main/logger.hxx
+index 3d2146a83..0d2b80154 100644
+--- a/src/Main/logger.hxx
++++ b/src/Main/logger.hxx
+@@ -6,10 +6,10 @@
+ #ifndef __LOGGER_HXX
+ #define __LOGGER_HXX 1
+
+-#include <iosfwd>
+ #include <vector>
+
+ #include <simgear/compiler.h>
++#include <simgear/misc/sgstream.hxx>
+ #include <simgear/structure/subsystem_mgr.hxx>
+ #include <simgear/props/props.hxx>
+
+@@ -39,7 +39,7 @@ private:
+ Log ();
+ virtual ~Log ();
+ std::vector<SGPropertyNode_ptr> nodes;
+- std::ostream * output;
++ sg_ofstream * output;
+ long interval_ms;
+ double last_time_ms;
+ char delimiter;
diff -Nru flightgear-2016.4.4+dfsg/debian/patches/series flightgear-2016.4.4+dfsg/debian/patches/series
--- flightgear-2016.4.4+dfsg/debian/patches/series 2017-05-19 18:59:56.000000000 +0000
+++ flightgear-2016.4.4+dfsg/debian/patches/series 2017-08-30 06:26:41.000000000 +0000
@@ -4,3 +4,5 @@
 spelling_20161121.patch
 relax_version_check.patch
 restrict-save-flightplan-secu-fix-19ab09.patch
+init-allowed-paths-earlier-secu-fix-f372d7.patch
+prevent-arbitrary-file-writes-secu-fix-58d8e1.patch
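Review bot: The rejection branch added to FGLogger::init() in logger.cxx ends in `exit(EXIT_FAILURE)`, so one unauthorised `filename` value in the property tree, which the patch itself treats as untrusted, stops the whole simulator during subsystem initialisation. The open-failure branch a few lines further down logs and uses `continue`; doing the same here, `SG_LOG(SG_GENERAL, SG_ALERT, msg); continue;`, would still refuse the write while skipping only the offending log entry. If terminating is deliberate so that the user cannot miss the message, a short comment saying so above the `exit` call would document that choice. The function body starts and ends outside the hunk.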
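Review bot: The `if (!log.output)` test right after the new `new sg_ofstream(authorizedPath, std::ios_base::out)` line only inspects the pointer, and a plain `new` expression throws instead of returning null, so a failed open on the validated path is never reported. Now that the member is a concrete `sg_ofstream *`, the condition can test the stream state as well, e.g. `if (!log.output || !*log.output) {`, assuming sg_ofstream derives from a standard output stream (its declaration is not shown here). The alert in that branch also prints `filename` rather than `authorizedPath`, which is the path actually opened. The enclosing function extends beyond the hunk.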