Your message dated Wed, 18 Mar 2015 20:20:44 +0000
with message-id <[email protected]>
and subject line Re: Bug#780722: unblock: flightgear-data/3.0.0-3
has caused the Debian Bug report #780722,
regarding unblock: flightgear-data/3.0.0-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
780722: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780722
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Dear release team,
please unblock the package flightgear-data-3.0.0-3 as recently uploaded
to unstable. It fixes a minor security issue by disallowing Nasal
scripts read access to the entire filesystem, see #780716. I kept the
packaging changes as minimal as possible. A debdiff and the patch are
both attached for review.
unblock flightgear-data/3.0.0-3
Regards
Markus Wanner
diff -Nru flightgear-data-3.0.0/debian/changelog flightgear-data-3.0.0/debian/changelog
--- flightgear-data-3.0.0/debian/changelog 2014-11-07 17:28:14.000000000 +0100
+++ flightgear-data-3.0.0/debian/changelog 2015-03-18 11:24:45.000000000 +0100
@@ -1,3 +1,11 @@
+flightgear-data (3.0.0-3) unstable; urgency=high
+
+ * Add patch 60da20.patch removing FG_SCENERY from the list of
+ allowed directories to disallow nasal scripts from reading any
+ file as the user. Closes: #780716.
+
+ -- Markus Wanner <[email protected]> Wed, 18 Mar 2015 10:43:34 +0100
+
flightgear-data (3.0.0-2) unstable; urgency=medium
[ Rebecca N. Palmer ]
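Review bot: the changelog entry only states the security motivation; it should also spell out the user-visible consequence, since removing the $FG_SCENERY rule means any Nasal script that legitimately reads files under the scenery directory is now denied, and the changelog is where a user hit by that would look. Suggest adding a sentence such as "Nasal scripts can no longer read files below $FG_SCENERY." after "file as the user."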
diff -Nru flightgear-data-3.0.0/debian/patches/60da20.patch flightgear-data-3.0.0/debian/patches/60da20.patch
--- flightgear-data-3.0.0/debian/patches/60da20.patch 1970-01-01 01:00:00.000000000 +0100
+++ flightgear-data-3.0.0/debian/patches/60da20.patch 2015-03-18 11:08:01.000000000 +0100
@@ -0,0 +1,21 @@
+Description: Drop FG_SCENERY from the accepted file access list
+ The allowed directories for reading include FG_SCENERY, which can
+ be changed from Nasal via /sim/terrasync/scenery-dir. Effectively
+ allowing a nasal script to access any file with the user's
+ permission.
+Author: Rebecca N. Palmer <[email protected]>
+Last-Update: 13-03-2015
+Origin: http://sourceforge.net/p/flightgear/fgdata/ci/60da2094252cee1a5cdfe737f29becd5c6800549
+
+diff --git a/Nasal/IOrules b/Nasal/IOrules
+index 71d2f67..ddb0189 100644
+--- a/Nasal/IOrules
++++ b/Nasal/IOrules
+@@ -28,7 +28,6 @@
+ READ ALLOW $FG_ROOT/*
+ READ ALLOW $FG_HOME/*
+ READ ALLOW $FG_AIRCRAFT/*
+-READ ALLOW $FG_SCENERY/*
+
+ WRITE ALLOW /tmp/*.xml
+ WRITE ALLOW $FG_HOME/*.sav
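Review bot: the DEP-3 header is incomplete and one field is malformed: "+Last-Update: 13-03-2015" is not the ISO YYYY-MM-DD form DEP-3 specifies (use 2015-03-13), and there is no "Bug-Debian:" field pointing at #780716 even though the changelog closes that bug; add "Bug-Debian: https://bugs.debian.org/780716" beside the Origin line. Also worth recording in the Description: the patch removes the $FG_SCENERY rule but leaves /sim/terrasync/scenery-dir writable from Nasal, so the remaining $FG_ROOT, $FG_HOME and $FG_AIRCRAFT rules are only as safe as the guarantee that none of those paths can be redirected from Nasal in the same way; stating that assumption makes the fix reviewable later.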
diff -Nru flightgear-data-3.0.0/debian/patches/series flightgear-data-3.0.0/debian/patches/series
--- flightgear-data-3.0.0/debian/patches/series 2014-11-06 20:12:35.000000000 +0100
+++ flightgear-data-3.0.0/debian/patches/series 2015-03-18 10:44:02.000000000 +0100
@@ -1,2 +1,3 @@
766251.patch
translation-update-pt.diff
+60da20.patch
--- End Message ---
--- Begin Message ---
On Wed, 2015-03-18 at 12:15 +0100, Markus Wanner wrote:
> please unblock the package flightgear-data-3.0.0-3 as recently uploaded
> to unstable. It fixes a minor security issue by disallowing Nasal
> scripts read access to the entire filesystem, see #780716. I kept the
> packaging changes as minimal as possible. A debdiff and the patch are
> both attached for review.
Unblocked, thanks.
Regards,
Adam
--- End Message ---