Bug#873439: [pkg-fgfs-crew] Bug#873439: flightgear: CVE-2017-13709: Incorrect access control

2017-09-01 Thread Markus Wanner
Hi,

while this has been fixed in unstable, I have also requested to upload
to stable and unstable. Here are the issues and versions for reference:

stable: #873754 1:2016.4.4+dfsg-3+deb9u1
oldstable: #873877 3.0.0-5+deb8u3

Assuming the release team approves the uploads, the fix should enter
Debian stable and oldstable with the next point release.

Kind Regards

Markus Wanner





Bug#873439: [pkg-fgfs-crew] Bug#873439: flightgear: CVE-2017-13709: Incorrect access control

2017-08-28 Thread Florent Rougon
Hi,

For stretch, the last two commits of upstream branch release/2016.4:

  https://sourceforge.net/p/flightgear/flightgear/ci/release/2016.4/~/tree/

should do the job (as already said in other mails, and ditto for
unstable with the release/2017.2 branch).

For jessie (it's also affected), I successfully built FG in a
jessie-amd64 pbuilder chroot with the attached source debdiff. You'll
certainly want to make the patch headers DEP-3-compliant and arrange
debian/changelog (at least the version number), but the C++ side should
be fine with these changes. I only tested the build in this old version:
no runtime test, but I don't expect any particular problem. :)

Regards

-- 
Florent
diff -Nru flightgear-3.0.0/debian/changelog flightgear-3.0.0/debian/changelog
--- flightgear-3.0.0/debian/changelog	2017-07-02 14:39:08.0 +0200
+++ flightgear-3.0.0/debian/changelog	2017-08-28 18:07:28.0 +0200
@@ -1,3 +1,13 @@
+flightgear (3.0.0-5+deb8u3+frougon0) jessie; urgency=high
+
+  * Add two patches for CVE-2017-13709:
+  - call-fgInitAllowedPaths-earlier-c7a2ae.patch (required by the next
+patch)
+  - CVE-2017-13709-FGLogger-2a5e3d.patch
+  * The patch headers are not in the Debian DEP-3 format, this needs fixing.
+
+ -- Florent Rougon   Mon, 28 Aug 2017 18:07:28 +0200
+
 flightgear (3.0.0-5+deb8u2) jessie; urgency=high
 
   * Add patch restrict-save-flightplan-secu-fix-faf872.patch: prevent
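Review bot: the bullet "The patch headers are not in the Debian DEP-3 format, this needs fixing." is a note to the maintainer rather than a change description and should not ship in the final changelog; drop it once the two patch files carry proper DEP-3 headers (Description, Origin pointing at the cherry-picked upstream commits c7a2aef59979af3e9ff22daabb37bdaadb91cd75 and 2a5e3d06b2c0d9f831063afe7e7260bca456d679, Bug-Debian pointing at #873439). The version string 3.0.0-5+deb8u3+frougon0 is a local placeholder, as the cover mail says; the jessie upload version is 3.0.0-5+deb8u3.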
diff -Nru flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch
--- flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch	1970-01-01 01:00:00.0 +0100
+++ flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch	2017-08-28 18:07:28.0 +0200
@@ -0,0 +1,55 @@
+Author: Florent Rougon 
+
+Call fgInitAllowedPaths() earlier: after Options::processOptions()
+
+Call fgInitAllowedPaths() right after Options::processOptions() (which,
+among other things, determines $FG_ROOT and processes
+--allow-nasal-read). This way, fgInitAllowedPaths() can be used in much
+more code, such as when initializing subsystems.
+
+(cherry picked from commit c7a2aef59979af3e9ff22daabb37bdaadb91cd75)
+
+--- a/src/Main/fg_init.cxx
 b/src/Main/fg_init.cxx
+@@ -1023,7 +1023,12 @@
+ fgGetNode("/sim")->removeChild("aircraft-dir");
+ fgInitAircraft(true);
+ flightgear::Options::sharedInstance()->processOptions();
+-
++
++// Rebuild the lists of allowed paths for cases where a path comes from an
++// untrusted source, such as the global property tree (this uses $FG_HOME
++// and other paths set by Options::processOptions()).
++fgInitAllowedPaths();
++
+ render = new FGRenderer;
+ render->setEventHandler(eventHandler);
+ globals->set_renderer(render);
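Review bot: the comment says "Rebuild the lists", but with the sibling change in main.cxx this is now the second call to fgInitAllowedPaths() on the reinit path, so it matters whether the function clears the read and write lists before repopulating them or appends to them. If it appends, the allow lists grow across reinits and entries derived from a previous $FG_HOME survive; confirm it resets, and say so in the comment so the next reader does not have to check.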
+--- a/src/Main/main.cxx
 b/src/Main/main.cxx
+@@ -461,7 +461,12 @@
+ } else if (configResult == flightgear::FG_OPTIONS_EXIT) {
+ return EXIT_SUCCESS;
+ }
+-
++
++// Set the lists of allowed paths for cases where a path comes from an
++// untrusted source, such as the global property tree (this uses $FG_HOME
++// and other paths set by Options::processOptions()).
++fgInitAllowedPaths();
++
+ // Initialize the Window/Graphics environment.
+ fgOSInit(, argv);
+ _bootstrap_OSInit++;
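Review bot: the new call sits after the FG_OPTIONS_EXIT check and before fgOSInit(), which means nothing that runs inside Options::processOptions() itself can validate against the allowed-path lists; any option handler that validates a path at parse time would see empty lists. Worth stating in the comment that command-line paths are trusted and only property-tree-derived paths are checked against these lists. The comment is also a near copy of the one in fg_init.cxx (differing only in "Set" versus "Rebuild"); consider documenting the trust model once at the fgInitAllowedPaths() declaration and pointing both call sites at it.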
+--- a/src/Scripting/NasalSys.cxx
 b/src/Scripting/NasalSys.cxx
+@@ -800,9 +800,6 @@
+   .member("singleShot", ::isSingleShot, ::setSingleShot)
+   .member("isRunning", ::isRunning);
+ 
+-// Set allowed paths for Nasal I/O
+-fgInitAllowedPaths();
+-
+ // Now load the various source files in the Nasal directory
+ simgear::Dir nasalDir(SGPath(globals->get_fg_root(), "Nasal"));
+ loadScriptDirectory(nasalDir);
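Review bot: removing the call here makes FGNasalSys::init() depend on fgInitAllowedPaths() having already run in main.cxx or fg_init.cxx. On 3.0.0 check that no code path constructs and initialises FGNasalSys before that point (for example a reinit that recreates the Nasal subsystem without going through the fg_init.cxx block), because the scripts loaded immediately after this point via loadScriptDirectory(nasalDir) are exactly what the allow lists guard. A one-line comment saying where the lists are now set up would help anyone reading init() in isolation.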
diff -Nru flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch
--- flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch	1970-01-01 01:00:00.0 +0100
+++ flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch	2017-08-28 18:07:28.0 +0200
@@ -0,0 +1,69 @@
+Author: Florent Rougon 
+
+Security: don't allow FGLogger to overwrite arbitrary files
+
+Since the paths of files written by FGLogger come from the property
+tree[1], they must be validated before we decide to write to these
+files.
+
+[1] Except for the "empty" case, which uses the default name
+'fg_log.csv'.
+
+This fixes CVE-2017-13709.
+
+(cherry picked from commit 2a5e3d06b2c0d9f831063afe7e7260bca456d679)
+
+--- a/src/Main/logger.cxx
 b/src/Main/logger.cxx
+@@ -11,10 +11,14 @@
+ 
+ #include 
+ #include 
++#include 
+ 
+ #include 
++#include 
+ 
+ #include "fg_props.hxx"
++#include "globals.hxx"
++#include "util.hxx"
+ 
+ using
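Review bot: only the include additions of the logger.cxx change are visible here (globals.hxx and util.hxx being the new local headers); the validation calls the commit message describes are in the part of the patch not shown. When reviewing the full hunk, check that every path taken from the property tree is validated before the file is opened for writing and that a rejected path disables that log entry rather than falling back to an unvalidated location, and confirm where the default 'fg_log.csv' case the message exempts actually resolves to when no directory is given, since a relative name written to the current working directory is itself an untrusted destination.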