Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package flightgear This upload fixes a security RC bug (#862689). The bug is tracked as CVE-2017-8921. unblock flightgear/1:2016.4.4+dfsg-3 Regards, Tobias
diff -Nru flightgear-2016.4.4+dfsg/debian/changelog flightgear-2016.4.4+dfsg/debian/changelog
--- flightgear-2016.4.4+dfsg/debian/changelog 2017-01-24 21:38:55.000000000 +0100
+++ flightgear-2016.4.4+dfsg/debian/changelog 2017-05-19 21:10:15.000000000 +0200
@@ -1,3 +1,12 @@
+flightgear (1:2016.4.4+dfsg-3) unstable; urgency=medium
+
+ * Team upload.
+ * Fix RouteMgr security: don't allow overwriting arbitrary files.
+ This fixes CVE-2017-8921.
+ Thanks to Salvatore Bonaccorso <carnil@debian.org> (Closes: #862689)
+
+ -- Dr. Tobias Quathamer <toddy@debian.org> Fri, 19 May 2017 21:10:15 +0200
+
flightgear (1:2016.4.4+dfsg-2) unstable; urgency=medium
* Team upload.
diff -Nru flightgear-2016.4.4+dfsg/debian/patches/restrict-save-flightplan-secu-fix-19ab09.patch flightgear-2016.4.4+dfsg/debian/patches/restrict-save-flightplan-secu-fix-19ab09.patch
--- flightgear-2016.4.4+dfsg/debian/patches/restrict-save-flightplan-secu-fix-19ab09.patch 1970-01-01 01:00:00.000000000 +0100
+++ flightgear-2016.4.4+dfsg/debian/patches/restrict-save-flightplan-secu-fix-19ab09.patch 2017-05-19 21:06:22.000000000 +0200
@@ -0,0 +1,34 @@
+Description: RouteMgr security: don't allow overwriting arbitrary files.
+ The previous fix 280cd523 (included in 2016.4.4) missed commandSaveFlightPlan
+ This fixes CVE-2017-8921.
+ (cherry picked from commit faf872e7f71ca14c567ac7080561fc785d8d2fd0)
+Origin: upstream, https://sourceforge.net/p/flightgear/flightgear/ci/19ab09406e4249f2c6f8ac51938258d1c51eace0/
+Author: Florent Rougon
+--- a/src/Autopilot/route_mgr.cxx
++++ b/src/Autopilot/route_mgr.cxx
+@@ -73,8 +73,23 @@
+ static bool commandSaveFlightPlan(const SGPropertyNode* arg)
+ {
+ FGRouteMgr* self = (FGRouteMgr*) globals->get_subsystem("route-manager");
+- SGPath path(arg->getStringValue("path"));
+- return self->saveRoute(path);
++ SGPath path = SGPath::fromUtf8(arg->getStringValue("path"));
++ SGPath authorizedPath = fgValidatePath(path, true /* write */);
++
++ if (!authorizedPath.isNull()) {
++ return self->saveRoute(authorizedPath);
++ } else {
++ std::string msg =
++ "The route manager was asked to write the flightplan to '" +
++ path.utf8Str() + "', but this path is not authorized for writing. " +
++ "Please choose another location, for instance in the $FG_HOME/Export "
++ "folder (" + (globals->get_fg_home() / "Export").utf8Str() + ").";
++
++ SG_LOG(SG_AUTOPILOT, SG_ALERT, msg);
++ modalMessageBox("FlightGear", "Unable to write to the specified file",
++ msg);
++ return false;
++ }
+ }
+
+ static bool commandActivateFlightPlan(const SGPropertyNode* arg)
diff -Nru flightgear-2016.4.4+dfsg/debian/patches/series flightgear-2016.4.4+dfsg/debian/patches/series
--- flightgear-2016.4.4+dfsg/debian/patches/series 2017-01-24 16:49:13.000000000 +0100
+++ flightgear-2016.4.4+dfsg/debian/patches/series 2017-05-19 20:59:56.000000000 +0200
@@ -3,3 +3,4 @@
spelling_20160920.patch
spelling_20161121.patch
relax_version_check.patch
+restrict-save-flightplan-secu-fix-19ab09.patch
Attachment:
signature.asc
Description: OpenPGP digital signature