Bug#862996: marked as done (unblock: flightgear/1:2016.4.4+dfsg-3)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Sat, 20 May 2017 06:06:00 +0000
with message-id <f52a3522-bf48-20e5-38c1-72e7da71609b@thykier.net>
and subject line Re: Bug#862996: unblock: flightgear/1:2016.4.4+dfsg-3
has caused the Debian Bug report #862996,
regarding unblock: flightgear/1:2016.4.4+dfsg-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
862996: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862996
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: flightgear/1:2016.4.4+dfsg-3
• From: "Dr. Tobias Quathamer" <toddy@debian.org>
• Date: Fri, 19 May 2017 21:25:39 +0200
• Message-id: <[🔎] 3109350f-7bbb-ef7e-b629-34a0d1cc6f5b@debian.org>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package flightgear

This upload fixes a security RC bug (#862689). The bug is
tracked as CVE-2017-8921.

unblock flightgear/1:2016.4.4+dfsg-3

Regards,
Tobias

diff -Nru flightgear-2016.4.4+dfsg/debian/changelog flightgear-2016.4.4+dfsg/debian/changelog
--- flightgear-2016.4.4+dfsg/debian/changelog	2017-01-24 21:38:55.000000000 +0100
+++ flightgear-2016.4.4+dfsg/debian/changelog	2017-05-19 21:10:15.000000000 +0200
@@ -1,3 +1,12 @@
+flightgear (1:2016.4.4+dfsg-3) unstable; urgency=medium
+
+  * Team upload.
+  * Fix RouteMgr security: don't allow overwriting arbitrary files.
+    This fixes CVE-2017-8921.
+    Thanks to Salvatore Bonaccorso <carnil@debian.org> (Closes: #862689)
+
+ -- Dr. Tobias Quathamer <toddy@debian.org>  Fri, 19 May 2017 21:10:15 +0200
+
 flightgear (1:2016.4.4+dfsg-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru flightgear-2016.4.4+dfsg/debian/patches/restrict-save-flightplan-secu-fix-19ab09.patch flightgear-2016.4.4+dfsg/debian/patches/restrict-save-flightplan-secu-fix-19ab09.patch
--- flightgear-2016.4.4+dfsg/debian/patches/restrict-save-flightplan-secu-fix-19ab09.patch	1970-01-01 01:00:00.000000000 +0100
+++ flightgear-2016.4.4+dfsg/debian/patches/restrict-save-flightplan-secu-fix-19ab09.patch	2017-05-19 21:06:22.000000000 +0200
@@ -0,0 +1,34 @@
+Description: RouteMgr security: don't allow overwriting arbitrary files.
+ The previous fix 280cd523 (included in 2016.4.4) missed commandSaveFlightPlan
+ This fixes CVE-2017-8921.
+ (cherry picked from commit faf872e7f71ca14c567ac7080561fc785d8d2fd0)
+Origin: upstream, https://sourceforge.net/p/flightgear/flightgear/ci/19ab09406e4249f2c6f8ac51938258d1c51eace0/
+Author: Florent Rougon
+--- a/src/Autopilot/route_mgr.cxx
++++ b/src/Autopilot/route_mgr.cxx
+@@ -73,8 +73,23 @@
+ static bool commandSaveFlightPlan(const SGPropertyNode* arg)
+ {
+   FGRouteMgr* self = (FGRouteMgr*) globals->get_subsystem("route-manager");
+-  SGPath path(arg->getStringValue("path"));
+-  return self->saveRoute(path);
++  SGPath path = SGPath::fromUtf8(arg->getStringValue("path"));
++  SGPath authorizedPath = fgValidatePath(path, true /* write */);
++
++  if (!authorizedPath.isNull()) {
++    return self->saveRoute(authorizedPath);
++  } else {
++    std::string msg =
++          "The route manager was asked to write the flightplan to '" +
++          path.utf8Str() + "', but this path is not authorized for writing. " +
++          "Please choose another location, for instance in the $FG_HOME/Export "
++          "folder (" + (globals->get_fg_home() / "Export").utf8Str() + ").";
++
++    SG_LOG(SG_AUTOPILOT, SG_ALERT, msg);
++    modalMessageBox("FlightGear", "Unable to write to the specified file",
++                        msg);
++    return false;
++  }
+ }
+ 
+ static bool commandActivateFlightPlan(const SGPropertyNode* arg)
diff -Nru flightgear-2016.4.4+dfsg/debian/patches/series flightgear-2016.4.4+dfsg/debian/patches/series
--- flightgear-2016.4.4+dfsg/debian/patches/series	2017-01-24 16:49:13.000000000 +0100
+++ flightgear-2016.4.4+dfsg/debian/patches/series	2017-05-19 20:59:56.000000000 +0200
@@ -3,3 +3,4 @@
 spelling_20160920.patch
 spelling_20161121.patch
 relax_version_check.patch
+restrict-save-flightplan-secu-fix-19ab09.patch

Attachment: signature.asc
Description: OpenPGP digital signature

--- End Message ---

--- Begin Message ---

• To: "Dr. Tobias Quathamer" <toddy@debian.org>, 862996-done@bugs.debian.org
• Subject: Re: Bug#862996: unblock: flightgear/1:2016.4.4+dfsg-3
• From: Niels Thykier <niels@thykier.net>
• Date: Sat, 20 May 2017 06:06:00 +0000
• Message-id: <f52a3522-bf48-20e5-38c1-72e7da71609b@thykier.net>
• In-reply-to: <[🔎] 3109350f-7bbb-ef7e-b629-34a0d1cc6f5b@debian.org>
• References: <[🔎] 3109350f-7bbb-ef7e-b629-34a0d1cc6f5b@debian.org>

Dr. Tobias Quathamer:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package flightgear
> 
> This upload fixes a security RC bug (#862689). The bug is
> tracked as CVE-2017-8921.
> 
> unblock flightgear/1:2016.4.4+dfsg-3
> 
> Regards,
> Tobias

Unblocked, thanks.

~Niels

--- End Message ---