Bug#873877: jessie-pu: package flightgear/3.0.0-5+deb8u3

2017-11-19 Thread Markus Wanner
On 11/19/2017 11:47 PM, Adam D. Barratt wrote:
> Technically it had only been accepted into oldstable-new. I've just
> flagged it for acceptance into opu.

Ah, I didn't fully parse the subject, and the body of the "...change
ACCEPTED into" only said:

> Mapping jessie to oldstable.
> Mapping oldstable to oldstable-proposed-updates.

Thank you for the clarification and for taking care.

Kind Regards

Markus Wanner



Bug#873877: jessie-pu: package flightgear/3.0.0-5+deb8u3

2017-11-19 Thread Adam D. Barratt
Control: tags -1 + pending

On Sun, 2017-11-19 at 15:11 +0100, Markus Wanner wrote:
> On 11/18/2017 07:53 PM, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Thu, 2017-08-31 at 21:55 +0200, Markus Wanner wrote:
> > > here's an update for jessie, fixing #873439 (CVE-2017-13709).
> > > It's
> > > based on a patch and debdiff by Florent Rougon. The corresponding
> > > stretch-pu request is #873754.
> > > 
> > 
> > Please go ahead; sorry for not getting back to you sooner.
> 
> No problem.
> 
> I updated the timestamp and also added a "Closes: #873439" to the
> changelog. I hope that change is still acceptable.
> 
> The upload has been accepted into oldstable-proposed-updates.

Technically it had only been accepted into oldstable-new. I've just
flagged it for acceptance into opu.

Regards,

Adam



Bug#873877: jessie-pu: package flightgear/3.0.0-5+deb8u3

2017-11-19 Thread Markus Wanner
On 11/18/2017 07:53 PM, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Thu, 2017-08-31 at 21:55 +0200, Markus Wanner wrote:
>> here's an update for jessie, fixing #873439 (CVE-2017-13709). It's
>> based on a patch and debdiff by Florent Rougon. The corresponding
>> stretch-pu request is #873754.
>>
> 
> Please go ahead; sorry for not getting back to you sooner.

No problem.

I updated the timestamp and also added a "Closes: #873439" to the
changelog. I hope that change is still acceptable.

The upload has been accepted into oldstable-proposed-updates.

Kind Regards

Markus Wanner



Bug#873877: jessie-pu: package flightgear/3.0.0-5+deb8u3

2017-11-18 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2017-08-31 at 21:55 +0200, Markus Wanner wrote:
> here's an update for jessie, fixing #873439 (CVE-2017-13709). It's
> based on a patch and debdiff by Florent Rougon. The corresponding
> stretch-pu request is #873754.
> 

Please go ahead; sorry for not getting back to you sooner.

Regards,

Adam



Bug#873877: jessie-pu: package flightgear/3.0.0-5+deb8u3

2017-08-31 Thread Markus Wanner
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

Dear Release Team,

here's an update for jessie, fixing #873439 (CVE-2017-13709). It's based
on a patch and debdiff by Florent Rougon. The corresponding stretch-pu
request is #873754.

A bit about the security issue: Malicious add-ons could write arbitrary
user's files, possibly even executable ones. The fix is in two parts,
back-ported to older releases by Florent Rougon.

Please verify the attached debdiff for fixing the issue in jessie with
the next point release.

Kind Regards

Markus Wanner
diff -Nru flightgear-3.0.0/debian/changelog flightgear-3.0.0/debian/changelog
--- flightgear-3.0.0/debian/changelog   2017-07-02 14:39:08.0 +0200
+++ flightgear-3.0.0/debian/changelog   2017-08-31 09:09:03.0 +0200
@@ -1,3 +1,16 @@
+flightgear (3.0.0-5+deb8u3) jessie; urgency=high
+
+  [ Florent Rougon ]
+  * Add two patches for CVE-2017-13709:
+  - call-fgInitAllowedPaths-earlier-c7a2ae.patch (required by the next
+patch)
+  - CVE-2017-13709-FGLogger-2a5e3d.patch
+
+  [ Markus Wanner ]
+  * Massage patch meta information to fit DEP-3.
+
+ -- Markus Wanner   Thu, 31 Aug 2017 21:44:41 +0200
+
 flightgear (3.0.0-5+deb8u2) jessie; urgency=high
 
   * Add patch restrict-save-flightplan-secu-fix-faf872.patch: prevent
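Review bot: The new 3.0.0-5+deb8u3 entry names CVE-2017-13709 but never references the Debian bug it fixes. The request text says this upload fixes #873439, so the "Add two patches for CVE-2017-13709" bullet should carry "(Closes: #873439)"; without it the bug is not closed automatically when the upload is accepted, and the changelog gives no link from the CVE to the BTS entry.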
diff -Nru 
flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch 
flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch
--- 
flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch
1970-01-01 01:00:00.0 +0100
+++ 
flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch
2017-08-31 08:56:58.0 +0200
@@ -0,0 +1,54 @@
+Description: Call fgInitAllowedPaths earlier: after Options::processOptions
+ Call fgInitAllowedPaths() right after Options::processOptions() (which,
+ among other things, determines $FG_ROOT and processes
+ --allow-nasal-read). This way, fgInitAllowedPaths() can be used in much
+ more code, such as when initializing subsystems.
+ .
+ (cherry picked from commit c7a2aef59979af3e9ff22daabb37bdaadb91cd75)
+Forwarded: not-needed
+Author: Florent Rougon 
+
+--- a/src/Main/fg_init.cxx
 b/src/Main/fg_init.cxx
+@@ -1023,7 +1023,12 @@
+ fgGetNode("/sim")->removeChild("aircraft-dir");
+ fgInitAircraft(true);
+ flightgear::Options::sharedInstance()->processOptions();
+-
++
++// Rebuild the lists of allowed paths for cases where a path comes from an
++// untrusted source, such as the global property tree (this uses $FG_HOME
++// and other paths set by Options::processOptions()).
++fgInitAllowedPaths();
++
+ render = new FGRenderer;
+ render->setEventHandler(eventHandler);
+ globals->set_renderer(render);
+--- a/src/Main/main.cxx
 b/src/Main/main.cxx
+@@ -461,7 +461,12 @@
+ } else if (configResult == flightgear::FG_OPTIONS_EXIT) {
+ return EXIT_SUCCESS;
+ }
+-
++
++// Set the lists of allowed paths for cases where a path comes from an
++// untrusted source, such as the global property tree (this uses $FG_HOME
++// and other paths set by Options::processOptions()).
++fgInitAllowedPaths();
++
+ // Initialize the Window/Graphics environment.
+ fgOSInit(&argc, argv);
+ _bootstrap_OSInit++;
+--- a/src/Scripting/NasalSys.cxx
 b/src/Scripting/NasalSys.cxx
+@@ -800,9 +800,6 @@
+   .member("singleShot", &TimerObj::isSingleShot, &TimerObj::setSingleShot)
+   .member("isRunning", &TimerObj::isRunning);
+ 
+-// Set allowed paths for Nasal I/O
+-fgInitAllowedPaths();
+-
+ // Now load the various source files in the Nasal directory
+ simgear::Dir nasalDir(SGPath(globals->get_fg_root(), "Nasal"));
+ loadScriptDirectory(nasalDir);
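Review bot: In the NasalSys.cxx hunk the fgInitAllowedPaths() call is removed outright, so Nasal I/O validation now relies entirely on the two new call sites (main.cxx after the configResult check, fg_init.cxx after processOptions()) having run before any Nasal script loads. Because this is a cherry-pick onto 3.0.0 rather than the tree the upstream commit was written for, please confirm that no path in this version reaches loadScriptDirectory() without passing through one of those two sites, and say so in the Description. A smaller point: the two added comments differ only in "Rebuild" versus "Set"; one sentence on why fg_init.cxx has to rebuild the lists would make the distinction clear to the next person backporting on top of this.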
diff -Nru flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch 
flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch
--- flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch
1970-01-01 01:00:00.0 +0100
+++ flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch
2017-08-31 08:57:36.0 +0200
@@ -0,0 +1,68 @@
+Description: Security: don't allow FGLogger to overwrite arbitrary files
+ Since the paths of files written by FGLogger come from the property
+ tree[1], they must be validated before we decide to write to these
+ files.
+ .
+ [1] Except for the "empty" case, which uses the default name
+ 'fg_log.csv'.
+ .
+ This fixes CVE-2017-13709.
+ .
+ (cherry picked from commit 2a5e3d06b2c0d9f831063afe7e7260bca456d679)
+Forwarded: not-needed
+Author: Florent Rougon 
+
+--- a/src/Main/logger.cxx
 b/src/Main/logger.cxx
+@@ -11,10 +11,14 @@
+ 
+ #include 
+ #include 
++#include 
+ 
+ #include 
++#include 
+ 
+ #include "fg_props.hxx"
++#include "globals.hxx"
++#include "util.hxx"
+ 
+ using std::string;
+ using std::end
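Review bot: The patch header records its upstream source only in the free-text Description ("cherry picked from commit 2a5e3d06b2c0d9f831063afe7e7260bca456d679") next to "Forwarded: not-needed". DEP-3 has an Origin field for exactly this, and using it keeps the provenance machine-readable; the same applies to call-fgInitAllowedPaths-earlier-c7a2ae.patch. Separately, footnote [1] says the "empty" case falls back to the default name 'fg_log.csv' rather than a path from the property tree. That is a relative name, so the Description should state which directory it resolves against and whether that fallback goes through the same validation as property-tree paths.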