Bug#873754: jessie-pu: package flightgear/1:2016.4.4+dfsg-3+deb9u1

To: submit@bugs.debian.org
Subject: Bug#873754: jessie-pu: package flightgear/1:2016.4.4+dfsg-3+deb9u1
From: Markus Wanner <markus@bluegap.ch>
Date: Wed, 30 Aug 2017 19:31:03 +0200
Message-id: <[🔎] 39bc8885-b3c6-a992-21f7-28bbb48e6ff6@bluegap.ch>
Reply-to: Markus Wanner <markus@bluegap.ch>, 873754@bugs.debian.org

Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

Dear Release Team,

yet another security fix for flightgear, that's not worth a DSA
according to Salvatore Bonaccorso.

A bit about the security issue: Malicious add-ons could write arbitrary
user's files, possibly even executable ones. The fix is in two parts,
back-ported to older releases by Florent Rougon.

Please verify the attached debdiff for fixing the issue in stretch with
the next point release.

Kind Regards

Markus Wanner

diff -Nru flightgear-2016.4.4+dfsg/debian/changelog flightgear-2016.4.4+dfsg/debian/changelog
--- flightgear-2016.4.4+dfsg/debian/changelog	2017-05-19 19:10:15.000000000 +0000
+++ flightgear-2016.4.4+dfsg/debian/changelog	2017-08-30 16:06:14.000000000 +0000
@@ -1,3 +1,12 @@
+flightgear (1:2016.4.4+dfsg-3+deb9u1) stable; urgency=medium
+
+  * Add patches init-allowed-paths-earlier-secu-fix-f372d7.patch and
+    prevent-arbitrary-file-writes-secu-fix-58d8e1.patch: prevent
+    malicious add-ons from overriding arbitrary files.
+    Closes: #873439 (CVE-2017-13709)
+
+ -- Markus Wanner <markus@bluegap.ch>  Wed, 30 Aug 2017 18:06:14 +0200
+
 flightgear (1:2016.4.4+dfsg-3) unstable; urgency=medium
 
   * Team upload.
diff -Nru flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch
--- flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch	1970-01-01 00:00:00.000000000 +0000
+++ flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch	2017-08-30 07:03:19.000000000 +0000
@@ -0,0 +1,62 @@
+Description: Call fgInitAllowedPaths earlier: after Options::processOptions
+ Call fgInitAllowedPaths() right after Options::processOptions() (which,
+ among other things, determines $FG_ROOT and processes
+ --allow-nasal-read). This way, fgInitAllowedPaths() can be used in much
+ more code, such as when initializing subsystems.
+ .
+ (cherry picked from commit c7a2aef59979af3e9ff22daabb37bdaadb91cd75)
+ .
+ In preparation for the real security fix following this commit.
+Origin: upstream, https://sourceforge.net/p/flightgear/flightgear/ci/f372d7548ad7114aed14135dcc566ea326c24beb/
+Author: Florent Rougon
+
+diff --git a/src/Main/fg_init.cxx b/src/Main/fg_init.cxx
+index ea9d9b5ef..47987a363 100644
+--- a/src/Main/fg_init.cxx
++++ b/src/Main/fg_init.cxx
+@@ -1070,7 +1070,12 @@ void fgStartNewReset()
+     fgInitGeneral(); // all of this?
+     
+     flightgear::Options::sharedInstance()->processOptions();
+-    
++
++    // Rebuild the lists of allowed paths for cases where a path comes from an
++    // untrusted source, such as the global property tree (this uses $FG_HOME
++    // and other paths set by Options::processOptions()).
++    fgInitAllowedPaths();
++
+     // PRESERVED properties over-write state from options, intentionally
+     if ( copyProperties(preserved, globals->get_props()) ) {
+         SG_LOG( SG_GENERAL, SG_INFO, "Preserved state restored successfully" );
+diff --git a/src/Main/main.cxx b/src/Main/main.cxx
+index bed7e2954..fd2fb575c 100644
+--- a/src/Main/main.cxx
++++ b/src/Main/main.cxx
+@@ -515,7 +515,12 @@ int fgMainInit( int argc, char **argv )
+     } else if (configResult == flightgear::FG_OPTIONS_EXIT) {
+         return EXIT_SUCCESS;
+     }
+-    
++
++    // Set the lists of allowed paths for cases where a path comes from an
++    // untrusted source, such as the global property tree (this uses $FG_HOME
++    // and other paths set by Options::processOptions()).
++    fgInitAllowedPaths();
++
+     // Initialize the Window/Graphics environment.
+     fgOSInit(&argc, argv);
+     _bootstrap_OSInit++;
+diff --git a/src/Scripting/NasalSys.cxx b/src/Scripting/NasalSys.cxx
+index 1002b08dc..6c6fa1b48 100644
+--- a/src/Scripting/NasalSys.cxx
++++ b/src/Scripting/NasalSys.cxx
+@@ -886,9 +886,6 @@ void FGNasalSys::init()
+       .member("singleShot", &TimerObj::isSingleShot, &TimerObj::setSingleShot)
+       .member("isRunning", &TimerObj::isRunning);
+ 
+-    // Set allowed paths for Nasal I/O
+-    fgInitAllowedPaths();
+-    
+     // Now load the various source files in the Nasal directory
+     simgear::Dir nasalDir(SGPath(globals->get_fg_root(), "Nasal"));
+     loadScriptDirectory(nasalDir);
diff -Nru flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch
--- flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch	1970-01-01 00:00:00.000000000 +0000
+++ flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch	2017-08-30 07:04:40.000000000 +0000
@@ -0,0 +1,96 @@
+Description: Security: don't allow FGLogger to overwrite arbitrary files
+ Since the paths of files written by FGLogger come from the property
+ tree[1], they must be validated before we decide to write to these
+ files.
+ .
+ [1] Except for the "empty" case, which uses the default name
+ 'fg_log.csv'.
+ .
+ (cherry picked from commit 2a5e3d06b2c0d9f831063afe7e7260bca456d679)
+Origin: upstream, https://sourceforge.net/p/flightgear/flightgear/ci/2a5e3d06b2c0d9f831063afe7e7260bca456d679/
+Author: Florent Rougon
+
+diff --git a/src/Main/logger.cxx b/src/Main/logger.cxx
+index 6c18162c3..32ec850a1 100644
+--- a/src/Main/logger.cxx
++++ b/src/Main/logger.cxx
+@@ -9,12 +9,17 @@
+ 
+ #include "logger.hxx"
+ 
+-#include <fstream>
++#include <ios>
+ #include <string>
++#include <cstdlib>
+ 
+ #include <simgear/debug/logstream.hxx>
++#include <simgear/misc/sgstream.hxx>
++#include <simgear/misc/sg_path.hxx>
+ 
+ #include "fg_props.hxx"
++#include "globals.hxx"
++#include "util.hxx"
+ 
+ using std::string;
+ using std::endl;
+@@ -59,6 +64,25 @@ FGLogger::init ()
+         child->setStringValue("filename", filename.c_str());
+     }
+ 
++    // Security: the path comes from the global Property Tree; it *must* be
++    //           validated before we overwrite the file.
++    const SGPath authorizedPath = fgValidatePath(SGPath::fromUtf8(filename),
++                                                 /* write */ true);
++
++    if (authorizedPath.isNull()) {
++      const string propertyPath = child->getChild("filename")
++                                       ->getPath(/* simplify */ true);
++      const string msg =
++        "The FGLogger logging system, via the '" + propertyPath + "' property, "
++        "was asked to write to '" + filename + "', however this path is not "
++        "authorized for writing anymore for security reasons. " +
++        "Please choose another location, for instance in the $FG_HOME/Export "
++        "folder (" + (globals->get_fg_home() / "Export").utf8Str() + ").";
++
++      SG_LOG(SG_GENERAL, SG_ALERT, msg);
++      exit(EXIT_FAILURE);
++    }
++
+     string delimiter = child->getStringValue("delimiter");
+     if (delimiter.empty()) {
+         delimiter = ",";
+@@ -68,7 +92,8 @@ FGLogger::init ()
+     log.interval_ms = child->getLongValue("interval-ms");
+     log.last_time_ms = globals->get_sim_time_sec() * 1000;
+     log.delimiter = delimiter.c_str()[0];
+-    log.output = new std::ofstream(filename.c_str());
++    // Security: use the return value of fgValidatePath()
++    log.output = new sg_ofstream(authorizedPath, std::ios_base::out);
+     if (!log.output) {
+       SG_LOG(SG_GENERAL, SG_ALERT, "Cannot write log to " << filename);
+       continue;
+diff --git a/src/Main/logger.hxx b/src/Main/logger.hxx
+index 3d2146a83..0d2b80154 100644
+--- a/src/Main/logger.hxx
++++ b/src/Main/logger.hxx
+@@ -6,10 +6,10 @@
+ #ifndef __LOGGER_HXX
+ #define __LOGGER_HXX 1
+ 
+-#include <iosfwd>
+ #include <vector>
+ 
+ #include <simgear/compiler.h>
++#include <simgear/misc/sgstream.hxx>
+ #include <simgear/structure/subsystem_mgr.hxx>
+ #include <simgear/props/props.hxx>
+ 
+@@ -39,7 +39,7 @@ private:
+     Log ();
+     virtual ~Log ();
+     std::vector<SGPropertyNode_ptr> nodes;
+-    std::ostream * output;
++    sg_ofstream * output;
+     long interval_ms;
+     double last_time_ms;
+     char delimiter;
diff -Nru flightgear-2016.4.4+dfsg/debian/patches/series flightgear-2016.4.4+dfsg/debian/patches/series
--- flightgear-2016.4.4+dfsg/debian/patches/series	2017-05-19 18:59:56.000000000 +0000
+++ flightgear-2016.4.4+dfsg/debian/patches/series	2017-08-30 06:26:41.000000000 +0000
@@ -4,3 +4,5 @@
 spelling_20161121.patch
 relax_version_check.patch
 restrict-save-flightplan-secu-fix-19ab09.patch
+init-allowed-paths-earlier-secu-fix-f372d7.patch
+prevent-arbitrary-file-writes-secu-fix-58d8e1.patch

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Bug#873754: stretch-pu: package flightgear/1:2016.4.4+dfsg-3+deb9u1
  - From: Markus Wanner <markus@bluegap.ch>

Prev by Date: Bug#849505: transition: nodejs
Next by Date: Re: texstudio: building against qt4 instead of qt5 for stretch
Previous by thread: Processed: block 873160 with 873673
Next by thread: Bug#873754: stretch-pu: package flightgear/1:2016.4.4+dfsg-3+deb9u1
Index(es):
- Date
- Thread