Bug#780716: [pkg-fgfs-crew] Bug#780716: flightgear-data: nasal scripts can ready any file
Hi again, As far as I know, this bug is still present in 3.4.0+dfsg-0~exp1 (from experimental). The fix you applied to unstable (commit d8603af7f98a6394442818d823a79b680b1f9e8b) can be cherry-picked to experimental with minor conflicts (d/changelog and d/patches/series). It seems to work fine here. What do you think? Regards -- Florent -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#780716: flightgear-data: nasal scripts can ready any file
Package: flightgear-data Version: 3.0.0-1 Severity: grave Tags: security Upstream has reported two related security issues in how FlightGear restricts what files Nasal (its built-in scripting language for aircraft) can access. This bug is tracking the portion related to the flightgear-data package. -The allowed directories for reading include FG_SCENERY, which can be changed from Nasal via /sim/terrasync/scenery-dir. Effect: Can read any file as the user. Fix: fgdata 60da2094252cee1a5cdfe737f29becd5c6800549 Regards Markus Wanner signature.asc Description: OpenPGP digital signature