Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

Dear Release Team,

yet another security fix for flightgear, that's not worth a DSA
according to Salvatore Bonaccorso.

A bit about the security issue: malicious add-ons could write to arbitrary
files of the user, possibly even executable ones. The fix comes in two parts,
both back-ported to older releases by Florent Rougon.

Please verify the attached debdiff for fixing the issue in stretch with
the next point release.

Kind Regards

Markus Wanner

diff -Nru flightgear-2016.4.4+dfsg/debian/changelog 
flightgear-2016.4.4+dfsg/debian/changelog
--- flightgear-2016.4.4+dfsg/debian/changelog   2017-05-19 19:10:15.000000000 
+0000
+++ flightgear-2016.4.4+dfsg/debian/changelog   2017-08-30 16:06:14.000000000 
+0000
@@ -1,3 +1,12 @@
+flightgear (1:2016.4.4+dfsg-3+deb9u1) stable; urgency=medium
+
+  * Add patches init-allowed-paths-earlier-secu-fix-f372d7.patch and
+    prevent-arbitrary-file-writes-secu-fix-58d8e1.patch: prevent
+    malicious add-ons from overriding arbitrary files.
+    Closes: #873439 (CVE-2017-13709)
+
+ -- Markus Wanner <mar...@bluegap.ch>  Wed, 30 Aug 2017 18:06:14 +0200
+
 flightgear (1:2016.4.4+dfsg-3) unstable; urgency=medium
 
   * Team upload.
diff -Nru 
flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch
 
flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch
--- 
flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch
    1970-01-01 00:00:00.000000000 +0000
+++ 
flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch
    2017-08-30 07:03:19.000000000 +0000
@@ -0,0 +1,62 @@
+Description: Call fgInitAllowedPaths earlier: after Options::processOptions
+ Call fgInitAllowedPaths() right after Options::processOptions() (which,
+ among other things, determines $FG_ROOT and processes
+ --allow-nasal-read). This way, fgInitAllowedPaths() can be used in much
+ more code, such as when initializing subsystems.
+ .
+ (cherry picked from commit c7a2aef59979af3e9ff22daabb37bdaadb91cd75)
+ .
+ In preparation for the real security fix following this commit.
+Origin: upstream, 
https://sourceforge.net/p/flightgear/flightgear/ci/f372d7548ad7114aed14135dcc566ea326c24beb/
+Author: Florent Rougon
+
+diff --git a/src/Main/fg_init.cxx b/src/Main/fg_init.cxx
+index ea9d9b5ef..47987a363 100644
+--- a/src/Main/fg_init.cxx
++++ b/src/Main/fg_init.cxx
+@@ -1070,7 +1070,12 @@ void fgStartNewReset()
+     fgInitGeneral(); // all of this?
+     
+     flightgear::Options::sharedInstance()->processOptions();
+-    
++
++    // Rebuild the lists of allowed paths for cases where a path comes from an
++    // untrusted source, such as the global property tree (this uses $FG_HOME
++    // and other paths set by Options::processOptions()).
++    fgInitAllowedPaths();
++
+     // PRESERVED properties over-write state from options, intentionally
+     if ( copyProperties(preserved, globals->get_props()) ) {
+         SG_LOG( SG_GENERAL, SG_INFO, "Preserved state restored successfully" 
);
+diff --git a/src/Main/main.cxx b/src/Main/main.cxx
+index bed7e2954..fd2fb575c 100644
+--- a/src/Main/main.cxx
++++ b/src/Main/main.cxx
+@@ -515,7 +515,12 @@ int fgMainInit( int argc, char **argv )
+     } else if (configResult == flightgear::FG_OPTIONS_EXIT) {
+         return EXIT_SUCCESS;
+     }
+-    
++
++    // Set the lists of allowed paths for cases where a path comes from an
++    // untrusted source, such as the global property tree (this uses $FG_HOME
++    // and other paths set by Options::processOptions()).
++    fgInitAllowedPaths();
++
+     // Initialize the Window/Graphics environment.
+     fgOSInit(&argc, argv);
+     _bootstrap_OSInit++;
+diff --git a/src/Scripting/NasalSys.cxx b/src/Scripting/NasalSys.cxx
+index 1002b08dc..6c6fa1b48 100644
+--- a/src/Scripting/NasalSys.cxx
++++ b/src/Scripting/NasalSys.cxx
+@@ -886,9 +886,6 @@ void FGNasalSys::init()
+       .member("singleShot", &TimerObj::isSingleShot, &TimerObj::setSingleShot)
+       .member("isRunning", &TimerObj::isRunning);
+ 
+-    // Set allowed paths for Nasal I/O
+-    fgInitAllowedPaths();
+-    
+     // Now load the various source files in the Nasal directory
+     simgear::Dir nasalDir(SGPath(globals->get_fg_root(), "Nasal"));
+     loadScriptDirectory(nasalDir);
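Review bot: The comment added before `fgInitAllowedPaths()` in fgMainInit() and fgStartNewReset() does not state the ordering invariant this move creates: with the call removed from FGNasalSys::init(), the allowed-path lists are only as fresh as the last Options::processOptions() run. If an allowed directory can change after that point, or if fgValidatePath() can be reached before it, validation would presumably run against stale or unset lists; the hunks show neither case, so this needs checking against the callers. I would extend the comment with `// Must run before any code calls fgValidatePath(); call again if $FG_HOME or other allowed directories change.` All three functions start and end outside their hunks.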
diff -Nru 
flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch
 
flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch
--- 
flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch
 1970-01-01 00:00:00.000000000 +0000
+++ 
flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch
 2017-08-30 07:04:40.000000000 +0000
@@ -0,0 +1,96 @@
+Description: Security: don't allow FGLogger to overwrite arbitrary files
+ Since the paths of files written by FGLogger come from the property
+ tree[1], they must be validated before we decide to write to these
+ files.
+ .
+ [1] Except for the "empty" case, which uses the default name
+ 'fg_log.csv'.
+ .
+ (cherry picked from commit 2a5e3d06b2c0d9f831063afe7e7260bca456d679)
+Origin: upstream, 
https://sourceforge.net/p/flightgear/flightgear/ci/2a5e3d06b2c0d9f831063afe7e7260bca456d679/
+Author: Florent Rougon
+
+diff --git a/src/Main/logger.cxx b/src/Main/logger.cxx
+index 6c18162c3..32ec850a1 100644
+--- a/src/Main/logger.cxx
++++ b/src/Main/logger.cxx
+@@ -9,12 +9,17 @@
+ 
+ #include "logger.hxx"
+ 
+-#include <fstream>
++#include <ios>
+ #include <string>
++#include <cstdlib>
+ 
+ #include <simgear/debug/logstream.hxx>
++#include <simgear/misc/sgstream.hxx>
++#include <simgear/misc/sg_path.hxx>
+ 
+ #include "fg_props.hxx"
++#include "globals.hxx"
++#include "util.hxx"
+ 
+ using std::string;
+ using std::endl;
+@@ -59,6 +64,25 @@ FGLogger::init ()
+         child->setStringValue("filename", filename.c_str());
+     }
+ 
++    // Security: the path comes from the global Property Tree; it *must* be
++    //           validated before we overwrite the file.
++    const SGPath authorizedPath = fgValidatePath(SGPath::fromUtf8(filename),
++                                                 /* write */ true);
++
++    if (authorizedPath.isNull()) {
++      const string propertyPath = child->getChild("filename")
++                                       ->getPath(/* simplify */ true);
++      const string msg =
++        "The FGLogger logging system, via the '" + propertyPath + "' 
property, "
++        "was asked to write to '" + filename + "', however this path is not "
++        "authorized for writing anymore for security reasons. " +
++        "Please choose another location, for instance in the $FG_HOME/Export "
++        "folder (" + (globals->get_fg_home() / "Export").utf8Str() + ").";
++
++      SG_LOG(SG_GENERAL, SG_ALERT, msg);
++      exit(EXIT_FAILURE);
++    }
++
+     string delimiter = child->getStringValue("delimiter");
+     if (delimiter.empty()) {
+         delimiter = ",";
+@@ -68,7 +92,8 @@ FGLogger::init ()
+     log.interval_ms = child->getLongValue("interval-ms");
+     log.last_time_ms = globals->get_sim_time_sec() * 1000;
+     log.delimiter = delimiter.c_str()[0];
+-    log.output = new std::ofstream(filename.c_str());
++    // Security: use the return value of fgValidatePath()
++    log.output = new sg_ofstream(authorizedPath, std::ios_base::out);
+     if (!log.output) {
+       SG_LOG(SG_GENERAL, SG_ALERT, "Cannot write log to " << filename);
+       continue;
+diff --git a/src/Main/logger.hxx b/src/Main/logger.hxx
+index 3d2146a83..0d2b80154 100644
+--- a/src/Main/logger.hxx
++++ b/src/Main/logger.hxx
+@@ -6,10 +6,10 @@
+ #ifndef __LOGGER_HXX
+ #define __LOGGER_HXX 1
+ 
+-#include <iosfwd>
+ #include <vector>
+ 
+ #include <simgear/compiler.h>
++#include <simgear/misc/sgstream.hxx>
+ #include <simgear/structure/subsystem_mgr.hxx>
+ #include <simgear/props/props.hxx>
+ 
+@@ -39,7 +39,7 @@ private:
+     Log ();
+     virtual ~Log ();
+     std::vector<SGPropertyNode_ptr> nodes;
+-    std::ostream * output;
++    sg_ofstream * output;
+     long interval_ms;
+     double last_time_ms;
+     char delimiter;
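Review bot: The `if (!log.output)` check that follows the new `new sg_ofstream(authorizedPath, std::ios_base::out)` line in FGLogger::init() tests the pointer, which a plain `new` never returns as null, so a file that fails to open goes undetected and the "Cannot write log" branch is unreachable. Test the stream state instead, e.g. `if (!*log.output) {`, and release the stream before `continue` if nothing else owns it at that point (ownership is not visible here). Separately, the alert message writes the property-supplied `filename` into the log verbatim, and `exit(EXIT_FAILURE)` lets a single rejected property value stop the whole simulator; skipping that log entry would also fail closed. FGLogger::init() begins and ends outside the hunk.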
diff -Nru flightgear-2016.4.4+dfsg/debian/patches/series 
flightgear-2016.4.4+dfsg/debian/patches/series
--- flightgear-2016.4.4+dfsg/debian/patches/series      2017-05-19 
18:59:56.000000000 +0000
+++ flightgear-2016.4.4+dfsg/debian/patches/series      2017-08-30 
06:26:41.000000000 +0000
@@ -4,3 +4,5 @@
 spelling_20161121.patch
 relax_version_check.patch
 restrict-save-flightplan-secu-fix-19ab09.patch
+init-allowed-paths-earlier-secu-fix-f372d7.patch
+prevent-arbitrary-file-writes-secu-fix-58d8e1.patch

Attachment: signature.asc
Description: OpenPGP digital signature
