Bug#780722: unblock: flightgear-data/3.0.0-3

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#780722: unblock: flightgear-data/3.0.0-3
From: Markus Wanner <markus@bluegap.ch>
Date: Wed, 18 Mar 2015 12:15:22 +0100
Message-id: <[🔎] 55095E4A.3080005@bluegap.ch>
Reply-to: Markus Wanner <markus@bluegap.ch>, 780722@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release team,

please unblock the package flightgear-data-3.0.0-3 as recently uploaded
to unstable. It fixes a minor security issue by disallowing nasal
scripts read access to the entire filesystem, see #780716. I kept the
packaging changes as minimal as possible. A debdiff and the patch are
both attached for review.

unblock flightgear-data/3.0.0-3

Regards

Markus Wanner

diff -Nru flightgear-data-3.0.0/debian/changelog flightgear-data-3.0.0/debian/changelog
--- flightgear-data-3.0.0/debian/changelog	2014-11-07 17:28:14.000000000 +0100
+++ flightgear-data-3.0.0/debian/changelog	2015-03-18 11:24:45.000000000 +0100
@@ -1,3 +1,11 @@
+flightgear-data (3.0.0-3) unstable; urgency=high
+
+  * Add patch 60da20.patch removing FG_SCENERY from the list of
+    allowed directories to disallow nasal scripts from reading any
+    file as the user. Closes: #780716.
+
+ -- Markus Wanner <markus@bluegap.ch>  Wed, 18 Mar 2015 10:43:34 +0100
+
 flightgear-data (3.0.0-2) unstable; urgency=medium
 
   [ Rebecca N. Palmer ]
diff -Nru flightgear-data-3.0.0/debian/patches/60da20.patch flightgear-data-3.0.0/debian/patches/60da20.patch
--- flightgear-data-3.0.0/debian/patches/60da20.patch	1970-01-01 01:00:00.000000000 +0100
+++ flightgear-data-3.0.0/debian/patches/60da20.patch	2015-03-18 11:08:01.000000000 +0100
@@ -0,0 +1,21 @@
+Description: Drop FG_SCENERY from the accepted file access list
+ The allowed directories for reading include FG_SCENERY, which can
+ be changed from Nasal via /sim/terrasync/scenery-dir. Effectively
+ allowing a nasal script to access any file with the user's
+ permission.
+Author: Rebecca N. Palmer <rebecca_palmer@zoho.com>
+Last-Update: 13-03-2015
+Origin: http://sourceforge.net/p/flightgear/fgdata/ci/60da2094252cee1a5cdfe737f29becd5c6800549
+
+diff --git a/Nasal/IOrules b/Nasal/IOrules
+index 71d2f67..ddb0189 100644
+--- a/Nasal/IOrules
++++ b/Nasal/IOrules
+@@ -28,7 +28,6 @@
+ READ ALLOW $FG_ROOT/*
+ READ ALLOW $FG_HOME/*
+ READ ALLOW $FG_AIRCRAFT/*
+-READ ALLOW $FG_SCENERY/*
+ 
+ WRITE ALLOW /tmp/*.xml
+ WRITE ALLOW $FG_HOME/*.sav
diff -Nru flightgear-data-3.0.0/debian/patches/series flightgear-data-3.0.0/debian/patches/series
--- flightgear-data-3.0.0/debian/patches/series	2014-11-06 20:12:35.000000000 +0100
+++ flightgear-data-3.0.0/debian/patches/series	2015-03-18 10:44:02.000000000 +0100
@@ -1,2 +1,3 @@
 766251.patch
 translation-update-pt.diff
+60da20.patch

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Bug#780722: marked as done (unblock: flightgear-data/3.0.0-3)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#780720: unblock: gnome-boxes/3.14.2-2
Next by Date: Bug#780723: unblock: forked-daapd/22.0-2
Previous by thread: Bug#780720: marked as done (unblock: gnome-boxes/3.14.2-2)
Next by thread: Bug#780722: marked as done (unblock: flightgear-data/3.0.0-3)
Index(es):
- Date
- Thread