Your message dated Sat, 09 Dec 2017 10:46:36 +0000
with message-id <[email protected]>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #873754,
regarding stretch-pu: package flightgear/1:2016.4.4+dfsg-3+deb9u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
873754: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873754
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
User: [email protected]
Usertags: pu
Tags: jessie
Severity: normal
Dear Release Team,
yet another security fix for flightgear, that's not worth a DSA
according to Salvatore Bonaccorso.
A bit about the security issue: Malicious add-ons could write arbitrary
user's files, possibly even executable ones. The fix is in two parts,
back-ported to older releases by Florent Rougon.
Please verify the attached debdiff for fixing the issue in stretch with
the next point release.
Kind Regards
Markus Wanner
diff -Nru flightgear-2016.4.4+dfsg/debian/changelog
flightgear-2016.4.4+dfsg/debian/changelog
--- flightgear-2016.4.4+dfsg/debian/changelog 2017-05-19 19:10:15.000000000
+0000
+++ flightgear-2016.4.4+dfsg/debian/changelog 2017-08-30 16:06:14.000000000
+0000
@@ -1,3 +1,12 @@
+flightgear (1:2016.4.4+dfsg-3+deb9u1) stable; urgency=medium
+
+ * Add patches init-allowed-paths-earlier-secu-fix-f372d7.patch and
+ prevent-arbitrary-file-writes-secu-fix-58d8e1.patch: prevent
+ malicious add-ons from overriding arbitrary files.
+ Closes: #873439 (CVE-2017-13709)
+
+ -- Markus Wanner <[email protected]> Wed, 30 Aug 2017 18:06:14 +0200
+
flightgear (1:2016.4.4+dfsg-3) unstable; urgency=medium
* Team upload.
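Review bot: in the new changelog entry, "prevent malicious add-ons from overriding arbitrary files" should read "overwriting", which is the term the second patch's own description uses ("don't allow FGLogger to overwrite arbitrary files"). The entry also targets "stable" while the request is a stretch-pu for +deb9u1; consider using the codename "stretch" so the target suite is unambiguous.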
diff -Nru
flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch
flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch
---
flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch
1970-01-01 00:00:00.000000000 +0000
+++
flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch
2017-08-30 07:03:19.000000000 +0000
@@ -0,0 +1,62 @@
+Description: Call fgInitAllowedPaths earlier: after Options::processOptions
+ Call fgInitAllowedPaths() right after Options::processOptions() (which,
+ among other things, determines $FG_ROOT and processes
+ --allow-nasal-read). This way, fgInitAllowedPaths() can be used in much
+ more code, such as when initializing subsystems.
+ .
+ (cherry picked from commit c7a2aef59979af3e9ff22daabb37bdaadb91cd75)
+ .
+ In preparation for the real security fix following this commit.
+Origin: upstream,
https://sourceforge.net/p/flightgear/flightgear/ci/f372d7548ad7114aed14135dcc566ea326c24beb/
+Author: Florent Rougon
+
+diff --git a/src/Main/fg_init.cxx b/src/Main/fg_init.cxx
+index ea9d9b5ef..47987a363 100644
+--- a/src/Main/fg_init.cxx
++++ b/src/Main/fg_init.cxx
+@@ -1070,7 +1070,12 @@ void fgStartNewReset()
+ fgInitGeneral(); // all of this?
+
+ flightgear::Options::sharedInstance()->processOptions();
+-
++
++ // Rebuild the lists of allowed paths for cases where a path comes from an
++ // untrusted source, such as the global property tree (this uses $FG_HOME
++ // and other paths set by Options::processOptions()).
++ fgInitAllowedPaths();
++
+ // PRESERVED properties over-write state from options, intentionally
+ if ( copyProperties(preserved, globals->get_props()) ) {
+ SG_LOG( SG_GENERAL, SG_INFO, "Preserved state restored successfully"
);
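Review bot: in fgStartNewReset(), fgInitAllowedPaths() now runs before copyProperties(preserved, globals->get_props()), and the context comment says preserved properties intentionally overwrite state from options. Please confirm that none of the preserved properties feed into the allowed-path lists; if any do, the call belongs after the restore, and either way the new comment should state that ordering assumption.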
+diff --git a/src/Main/main.cxx b/src/Main/main.cxx
+index bed7e2954..fd2fb575c 100644
+--- a/src/Main/main.cxx
++++ b/src/Main/main.cxx
+@@ -515,7 +515,12 @@ int fgMainInit( int argc, char **argv )
+ } else if (configResult == flightgear::FG_OPTIONS_EXIT) {
+ return EXIT_SUCCESS;
+ }
+-
++
++ // Set the lists of allowed paths for cases where a path comes from an
++ // untrusted source, such as the global property tree (this uses $FG_HOME
++ // and other paths set by Options::processOptions()).
++ fgInitAllowedPaths();
++
+ // Initialize the Window/Graphics environment.
+ fgOSInit(&argc, argv);
+ _bootstrap_OSInit++;
+diff --git a/src/Scripting/NasalSys.cxx b/src/Scripting/NasalSys.cxx
+index 1002b08dc..6c6fa1b48 100644
+--- a/src/Scripting/NasalSys.cxx
++++ b/src/Scripting/NasalSys.cxx
+@@ -886,9 +886,6 @@ void FGNasalSys::init()
+ .member("singleShot", &TimerObj::isSingleShot, &TimerObj::setSingleShot)
+ .member("isRunning", &TimerObj::isRunning);
+
+- // Set allowed paths for Nasal I/O
+- fgInitAllowedPaths();
+-
+ // Now load the various source files in the Nasal directory
+ simgear::Dir nasalDir(SGPath(globals->get_fg_root(), "Nasal"));
+ loadScriptDirectory(nasalDir);
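Review bot: removing fgInitAllowedPaths() from FGNasalSys::init() leaves nothing at this spot to say that Nasal I/O now depends on the lists having been set up earlier, in fgMainInit() and fgStartNewReset(). A one-line comment where the call used to be, naming that precondition, would make the dependency visible to anyone who later reorders startup or adds another initialization path before loadScriptDirectory(nasalDir).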
diff -Nru
flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch
flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch
---
flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch
1970-01-01 00:00:00.000000000 +0000
+++
flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch
2017-08-30 07:04:40.000000000 +0000
@@ -0,0 +1,96 @@
+Description: Security: don't allow FGLogger to overwrite arbitrary files
+ Since the paths of files written by FGLogger come from the property
+ tree[1], they must be validated before we decide to write to these
+ files.
+ .
+ [1] Except for the "empty" case, which uses the default name
+ 'fg_log.csv'.
+ .
+ (cherry picked from commit 2a5e3d06b2c0d9f831063afe7e7260bca456d679)
+Origin: upstream,
https://sourceforge.net/p/flightgear/flightgear/ci/2a5e3d06b2c0d9f831063afe7e7260bca456d679/
+Author: Florent Rougon
+
+diff --git a/src/Main/logger.cxx b/src/Main/logger.cxx
+index 6c18162c3..32ec850a1 100644
+--- a/src/Main/logger.cxx
++++ b/src/Main/logger.cxx
+@@ -9,12 +9,17 @@
+
+ #include "logger.hxx"
+
+-#include <fstream>
++#include <ios>
+ #include <string>
++#include <cstdlib>
+
+ #include <simgear/debug/logstream.hxx>
++#include <simgear/misc/sgstream.hxx>
++#include <simgear/misc/sg_path.hxx>
+
+ #include "fg_props.hxx"
++#include "globals.hxx"
++#include "util.hxx"
+
+ using std::string;
+ using std::endl;
+@@ -59,6 +64,25 @@ FGLogger::init ()
+ child->setStringValue("filename", filename.c_str());
+ }
+
++ // Security: the path comes from the global Property Tree; it *must* be
++ // validated before we overwrite the file.
++ const SGPath authorizedPath = fgValidatePath(SGPath::fromUtf8(filename),
++ /* write */ true);
++
++ if (authorizedPath.isNull()) {
++ const string propertyPath = child->getChild("filename")
++ ->getPath(/* simplify */ true);
++ const string msg =
++ "The FGLogger logging system, via the '" + propertyPath + "'
property, "
++ "was asked to write to '" + filename + "', however this path is not "
++ "authorized for writing anymore for security reasons. " +
++ "Please choose another location, for instance in the $FG_HOME/Export "
++ "folder (" + (globals->get_fg_home() / "Export").utf8Str() + ").";
++
++ SG_LOG(SG_GENERAL, SG_ALERT, msg);
++ exit(EXIT_FAILURE);
++ }
++
+ string delimiter = child->getStringValue("delimiter");
+ if (delimiter.empty()) {
+ delimiter = ",";
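Review bot: the rejection branch ends in exit(EXIT_FAILURE), so a single logging entry with an unauthorized filename terminates the whole program from inside FGLogger::init(), whereas the open-failure path in the next hunk logs an alert and continues with the next entry. Since the filename comes from the same untrusted property tree the check guards against, consider logging the SG_ALERT and skipping that entry with continue, or state in the comment why a hard exit is wanted. Minor: the explicit + before "Please choose another location" is inconsistent with the adjacent-literal concatenation used on the neighbouring lines.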
+@@ -68,7 +92,8 @@ FGLogger::init ()
+ log.interval_ms = child->getLongValue("interval-ms");
+ log.last_time_ms = globals->get_sim_time_sec() * 1000;
+ log.delimiter = delimiter.c_str()[0];
+- log.output = new std::ofstream(filename.c_str());
++ // Security: use the return value of fgValidatePath()
++ log.output = new sg_ofstream(authorizedPath, std::ios_base::out);
+ if (!log.output) {
+ SG_LOG(SG_GENERAL, SG_ALERT, "Cannot write log to " << filename);
+ continue;
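Review bot: the retained check if (!log.output) tests the pointer returned by new, which is never null, so a failed open of authorizedPath is not detected here. Test the stream state instead (for example !*log.output, assuming sg_ofstream exposes the usual stream state), and have the alert print authorizedPath rather than filename, since that is the path actually opened.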
+diff --git a/src/Main/logger.hxx b/src/Main/logger.hxx
+index 3d2146a83..0d2b80154 100644
+--- a/src/Main/logger.hxx
++++ b/src/Main/logger.hxx
+@@ -6,10 +6,10 @@
+ #ifndef __LOGGER_HXX
+ #define __LOGGER_HXX 1
+
+-#include <iosfwd>
+ #include <vector>
+
+ #include <simgear/compiler.h>
++#include <simgear/misc/sgstream.hxx>
+ #include <simgear/structure/subsystem_mgr.hxx>
+ #include <simgear/props/props.hxx>
+
+@@ -39,7 +39,7 @@ private:
+ Log ();
+ virtual ~Log ();
+ std::vector<SGPropertyNode_ptr> nodes;
+- std::ostream * output;
++ sg_ofstream * output;
+ long interval_ms;
+ double last_time_ms;
+ char delimiter;
diff -Nru flightgear-2016.4.4+dfsg/debian/patches/series
flightgear-2016.4.4+dfsg/debian/patches/series
--- flightgear-2016.4.4+dfsg/debian/patches/series 2017-05-19
18:59:56.000000000 +0000
+++ flightgear-2016.4.4+dfsg/debian/patches/series 2017-08-30
06:26:41.000000000 +0000
@@ -4,3 +4,5 @@
spelling_20161121.patch
relax_version_check.patch
restrict-save-flightplan-secu-fix-19ab09.patch
+init-allowed-paths-earlier-secu-fix-f372d7.patch
+prevent-arbitrary-file-writes-secu-fix-58d8e1.patch
--- End Message ---
--- Begin Message ---
Version: 9.3
Hi,
Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!
Regards,
Adam
--- End Message ---