Dear Release Team,

as per Salvatore Bonaccorso, the current security fix doesn't warrant a DSA on its own (see below). Is it okay to upload to 'stable'? Or how shall I proceed? A debdiff is attached.

Kind Regards

Markus Wanner

On 17.05.2017 08:49, Moritz Muehlenhoff wrote:
> On Wed, May 17, 2017 at 07:20:15AM +0200, Salvatore Bonaccorso wrote:
>> Hi Markus,
>>
>> On Fri, May 12, 2017 at 07:57:23PM +0200, Markus Wanner wrote:
>>> Florent,
>>>
>>> On 05/12/2017 07:33 PM, Florent Rougon wrote:
>>>> We'd like to draw your attention to the following fix for FlightGear:
>>>
>>> thanks for your heads-up, I'll take care of preparing an upload for the
>>> affected Debian packages.
>>
>> Thanks. Filed as well #862689 in the BTS in the meanwhile.
>>
>> For stable: We think this does need a DSA on its own, can you schedule
>                            ^ not
>
> :-)
>
> Cheers,
> Moritz
>
diff -Nru flightgear-3.0.0/debian/changelog flightgear-3.0.0/debian/changelog
--- flightgear-3.0.0/debian/changelog 2016-12-14 09:43:00.000000000 +0000
+++ flightgear-3.0.0/debian/changelog 2017-05-17 10:46:18.000000000 +0000
@@ -1,3 +1,11 @@
+flightgear (3.0.0-5+deb8u2) stable; urgency=high
+
+ * Add patch restrict-save-flightplan-secu-fix-faf872.patch: prevent
+ overriding arbitrary files from the "save-flightplan" FGCommand.
+ Closes: #862689 (CVE-2017-8921).
+
+ -- Markus Wanner <markus@bluegap.ch> Tue, 16 May 2017 21:37:27 +0200
+
flightgear (3.0.0-5+deb8u1) jessie-security; urgency=high
* Add patch route-manager-secu-fix-280cd5.patch (security fix preventing
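Review bot: the changelog entry says the patch prevents "overriding arbitrary files", while the patch's own Description (and the CVE) is about overwriting arbitrary files; use "overwriting" so the changelog, the patch header and the bug report describe the same issue. Also worth double-checking that the release team is happy with "stable" rather than the codename as the target distribution before upload, since the previous entry used "jessie-security".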
diff -Nru flightgear-3.0.0/debian/patches/restrict-save-flightplan-secu-fix-faf872.patch flightgear-3.0.0/debian/patches/restrict-save-flightplan-secu-fix-faf872.patch
--- flightgear-3.0.0/debian/patches/restrict-save-flightplan-secu-fix-faf872.patch 1970-01-01 00:00:00.000000000 +0000
+++ flightgear-3.0.0/debian/patches/restrict-save-flightplan-secu-fix-faf872.patch 2017-05-17 09:16:50.000000000 +0000
@@ -0,0 +1,36 @@
+Description: Security fix: don't allow overwriting arbitrary files
+ the previous fix 280cd523 missed commandSaveFlightPlan
+ .
+ backported from faf872e7, fixes CVE-2017-8921.
+Author: Rebecca N. Palmer <rebecca_palmer@zoho.com>
+ Florent Rougon <f.rougon@free.fr>
+Origin: upstream, https://sourceforge.net/p/flightgear/flightgear/ci/c8250b10bb9a116889f831d2299678b0ef70fec2/
+
+--- a/src/Autopilot/route_mgr.cxx
++++ b/src/Autopilot/route_mgr.cxx
+@@ -75,7 +75,24 @@
+ {
+ FGRouteMgr* self = (FGRouteMgr*) globals->get_subsystem("route-manager");
+ SGPath path(arg->getStringValue("path"));
+- return self->saveRoute(path);
++ const std::string authorizedPath = fgValidatePath(path.realpath(),
++ true /* write */);
++
++ if (!authorizedPath.empty()) {
++ return self->saveRoute(SGPath(authorizedPath));
++ } else {
++ const SGPath proposedPath = SGPath(globals->get_fg_home()) / "Export";
++ std::string msg =
++ "The route manager was asked to write the flightplan to '" +
++ path.str() + "', but this path is not authorized for writing. " +
++ "Please choose another location, for instance in the $FG_HOME/Export "
++ "folder (" + proposedPath.str() + ").";
++
++ SG_LOG(SG_AUTOPILOT, SG_ALERT, msg);
++ modalMessageBox("FlightGear", "Unable to write to the specified file",
++ msg);
++ return false;
++ }
+ }
+
+ static bool commandActivateFlightPlan(const SGPropertyNode* arg)
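Review bot: the DEP-3 header refers to two different upstream commits without saying how they relate: the Description says "backported from faf872e7" (and the file name carries faf872), but Origin points at c8250b10bb9a116889f831d2299678b0ef70fec2. State which one is the original fix and which the cherry-pick onto a release branch, e.g. keep "Origin: upstream, <url of faf872e7>" and mention c8250b10 in the Description, or use "Origin: backport, <url>" if c8250b10 is the backport commit. The Author field also lists a second name on a continuation line; either repeat the "Author:" field or join the names on one line so DEP-3 parsers do not read the continuation as part of the first author's value. The code change itself looks right: the write is only performed on the path returned by fgValidatePath(), so the checked string and the used string cannot diverge.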
diff -Nru flightgear-3.0.0/debian/patches/series flightgear-3.0.0/debian/patches/series
--- flightgear-3.0.0/debian/patches/series 2016-12-14 09:13:44.000000000 +0000
+++ flightgear-3.0.0/debian/patches/series 2017-05-16 20:18:39.000000000 +0000
@@ -5,3 +5,4 @@
6a30e7.patch
route-manager-secu-fix-280cd5.patch
fix-missing-lX11-in-link-commands.patch
+restrict-save-flightplan-secu-fix-faf872.patch