
Bug#780722: marked as done (unblock: flightgear-data/3.0.0-3)



Your message dated Wed, 18 Mar 2015 20:20:44 +0000
with message-id <1426710044.1658.20.camel@adam-barratt.org.uk>
and subject line Re: Bug#780722: unblock: flightgear-data/3.0.0-3
has caused the Debian Bug report #780722,
regarding unblock: flightgear-data/3.0.0-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
780722: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780722
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release team,

please unblock the package flightgear-data-3.0.0-3 as recently uploaded
to unstable. It fixes a minor security issue by disallowing nasal
scripts read access to the entire filesystem, see #780716. I kept the
packaging changes as minimal as possible. A debdiff and the patch are
both attached for review.

unblock flightgear-data/3.0.0-3

Regards

Markus Wanner
diff -Nru flightgear-data-3.0.0/debian/changelog flightgear-data-3.0.0/debian/changelog
--- flightgear-data-3.0.0/debian/changelog	2014-11-07 17:28:14.000000000 +0100
+++ flightgear-data-3.0.0/debian/changelog	2015-03-18 11:24:45.000000000 +0100
@@ -1,3 +1,11 @@
+flightgear-data (3.0.0-3) unstable; urgency=high
+
+  * Add patch 60da20.patch removing FG_SCENERY from the list of
+    allowed directories to disallow nasal scripts from reading any
+    file as the user. Closes: #780716.
+
+ -- Markus Wanner <markus@bluegap.ch>  Wed, 18 Mar 2015 10:43:34 +0100
+
 flightgear-data (3.0.0-2) unstable; urgency=medium
 
   [ Rebecca N. Palmer ]
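Review bot: the new 3.0.0-3 entry sets urgency=high, while the accompanying request calls this a "minor security issue" and the previous upload used urgency=medium. If high is there only to shorten migration time, say so in the entry; otherwise medium would be consistent with the stated severity. The entry text would also be easier to audit later if it named the file being changed (Nasal/IOrules) and said that the rule removed is a READ ALLOW rule, rather than "the list of allowed directories".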
diff -Nru flightgear-data-3.0.0/debian/patches/60da20.patch flightgear-data-3.0.0/debian/patches/60da20.patch
--- flightgear-data-3.0.0/debian/patches/60da20.patch	1970-01-01 01:00:00.000000000 +0100
+++ flightgear-data-3.0.0/debian/patches/60da20.patch	2015-03-18 11:08:01.000000000 +0100
@@ -0,0 +1,21 @@
+Description: Drop FG_SCENERY from the accepted file access list
+ The allowed directories for reading include FG_SCENERY, which can
+ be changed from Nasal via /sim/terrasync/scenery-dir. Effectively
+ allowing a nasal script to access any file with the user's
+ permission.
+Author: Rebecca N. Palmer <rebecca_palmer@zoho.com>
+Last-Update: 13-03-2015
+Origin: http://sourceforge.net/p/flightgear/fgdata/ci/60da2094252cee1a5cdfe737f29becd5c6800549
+
+diff --git a/Nasal/IOrules b/Nasal/IOrules
+index 71d2f67..ddb0189 100644
+--- a/Nasal/IOrules
++++ b/Nasal/IOrules
+@@ -28,7 +28,6 @@
+ READ ALLOW $FG_ROOT/*
+ READ ALLOW $FG_HOME/*
+ READ ALLOW $FG_AIRCRAFT/*
+-READ ALLOW $FG_SCENERY/*
+ 
+ WRITE ALLOW /tmp/*.xml
+ WRITE ALLOW $FG_HOME/*.sav
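Review bot: in the Nasal/IOrules hunk, the three READ ALLOW rules kept as context ($FG_ROOT/*, $FG_HOME/*, $FG_AIRCRAFT/*) are only safe if none of those variables can be redirected from Nasal the way the Description says FG_SCENERY can via /sim/terrasync/scenery-dir. The Description should state that this was checked, since the same reasoning applies to any rule rooted in a value a script can set. In the DEP-3 header, "Last-Update: 13-03-2015" should use the YYYY-MM-DD form (2015-03-13), and a Bug-Debian field pointing at #780716 would tie the patch to the report it closes. The second sentence of the Description ("Effectively allowing ...") is a fragment and reads better joined to the first.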
diff -Nru flightgear-data-3.0.0/debian/patches/series flightgear-data-3.0.0/debian/patches/series
--- flightgear-data-3.0.0/debian/patches/series	2014-11-06 20:12:35.000000000 +0100
+++ flightgear-data-3.0.0/debian/patches/series	2015-03-18 10:44:02.000000000 +0100
@@ -1,2 +1,3 @@
 766251.patch
 translation-update-pt.diff
+60da20.patch



--- End Message ---
--- Begin Message ---
On Wed, 2015-03-18 at 12:15 +0100, Markus Wanner wrote:
> please unblock the package flightgear-data-3.0.0-3 as recently uploaded
> to unstable. It fixes a minor security issue by disallowing nasal
> scripts read access to the entire filesystem, see #780716. I kept the
> packaging changes as minimal as possible. A debdiff and the patch are
> both attached for review.

Unblocked, thanks.

Regards,

Adam

--- End Message ---
