Your message dated Wed, 18 Mar 2015 20:20:44 +0000
with message-id <1426710044.1658.20.camel@adam-barratt.org.uk>
and subject line Re: Bug#780722: unblock: flightgear-data/3.0.0-3
has caused the Debian Bug report #780722,
regarding unblock: flightgear-data/3.0.0-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
780722: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780722
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: flightgear-data/3.0.0-3
- From: Markus Wanner <markus@bluegap.ch>
- Date: Wed, 18 Mar 2015 12:15:22 +0100
- Message-id: <55095E4A.3080005@bluegap.ch>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release team,

please unblock the package flightgear-data-3.0.0-3 as recently uploaded to unstable. It fixes a minor security issue by disallowing nasal scripts read access to the entire filesystem, see #780716. I kept the packaging changes as minimal as possible. A debdiff and the patch are both attached for review.

unblock flightgear-data/3.0.0-3

Regards

Markus Wanner
diff -Nru flightgear-data-3.0.0/debian/changelog flightgear-data-3.0.0/debian/changelog --- flightgear-data-3.0.0/debian/changelog 2014-11-07 17:28:14.000000000 +0100 +++ flightgear-data-3.0.0/debian/changelog 2015-03-18 11:24:45.000000000 +0100 @@ -1,3 +1,11 @@ +flightgear-data (3.0.0-3) unstable; urgency=high + + * Add patch 60da20.patch removing FG_SCENERY from the list of + allowed directories to disallow nasal scripts from reading any + file as the user. Closes: #780716. + + -- Markus Wanner <markus@bluegap.ch> Wed, 18 Mar 2015 10:43:34 +0100 + flightgear-data (3.0.0-2) unstable; urgency=medium [ Rebecca N. Palmer ] diff -Nru flightgear-data-3.0.0/debian/patches/60da20.patch flightgear-data-3.0.0/debian/patches/60da20.patch --- flightgear-data-3.0.0/debian/patches/60da20.patch 1970-01-01 01:00:00.000000000 +0100 +++ flightgear-data-3.0.0/debian/patches/60da20.patch 2015-03-18 11:08:01.000000000 +0100 
@@ -0,0 +1,21 @@ +Description: Drop FG_SCENERY from the accepted file access list + The allowed directories for reading include FG_SCENERY, which can + be changed from Nasal via /sim/terrasync/scenery-dir. Effectively + allowing a nasal script to access any file with the user's + permission. +Author: Rebecca N. Palmer <rebecca_palmer@zoho.com> +Last-Update: 13-03-2015 +Origin: http://sourceforge.net/p/flightgear/fgdata/ci/60da2094252cee1a5cdfe737f29becd5c6800549 + +diff --git a/Nasal/IOrules b/Nasal/IOrules +index 71d2f67..ddb0189 100644 +--- a/Nasal/IOrules ++++ b/Nasal/IOrules +@@ -28,7 +28,6 @@ + READ ALLOW $FG_ROOT/* + READ ALLOW $FG_HOME/* + READ ALLOW $FG_AIRCRAFT/* +-READ ALLOW $FG_SCENERY/* + + WRITE ALLOW /tmp/*.xml + WRITE ALLOW $FG_HOME/*.sav diff -Nru flightgear-data-3.0.0/debian/patches/series flightgear-data-3.0.0/debian/patches/series --- flightgear-data-3.0.0/debian/patches/series 2014-11-06 20:12:35.000000000 +0100 +++ flightgear-data-3.0.0/debian/patches/series 2015-03-18 10:44:02.000000000 +0100 @@ -1,2 +1,3 @@ 766251.patch translation-update-pt.diff +60da20.patchAttachment: signature.asc
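Review bot: in the Nasal/IOrules hunk of 60da20.patch, dropping `READ ALLOW $FG_SCENERY/*` closes the one hole the Description names (the variable is rewritable from Nasal via /sim/terrasync/scenery-dir), but neither the patch header nor the changelog entry records whether the remaining `$FG_ROOT/*`, `$FG_HOME/*` and `$FG_AIRCRAFT/*` entries were checked for the same property; a line stating that those variables are not settable from Nasal would let the unblock reviewer see that the whole class of issue, not just this instance, has been considered. The same hunk turns any legitimate Nasal read from a scenery directory into a denial, so a sentence on the expected functional impact in fgdata would also help. Minor: the DEP-3 field `Last-Update: 13-03-2015` should use the ISO form, i.e. `Last-Update: 2015-03-13`.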
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
- To: Markus Wanner <markus@bluegap.ch>, 780722-done@bugs.debian.org
- Subject: Re: Bug#780722: unblock: flightgear-data/3.0.0-3
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Wed, 18 Mar 2015 20:20:44 +0000
- Message-id: <1426710044.1658.20.camel@adam-barratt.org.uk>
- In-reply-to: <55095E4A.3080005@bluegap.ch>
- References: <55095E4A.3080005@bluegap.ch>
On Wed, 2015-03-18 at 12:15 +0100, Markus Wanner wrote:
> please unblock the package flightgear-data-3.0.0-3 as recently uploaded
> to unstable. It fixes a minor security issue by disallowing nasal
> scripts read access to the entire filesystem, see #780716. I kept the
> packaging changes as minimal as possible. A debdiff and the patch are
> both attached for review.

Unblocked, thanks.

Regards,

Adam
--- End Message ---