Package: release.debian.org User: release.debian.org@packages.debian.org Usertags: pu Tags: jessie Severity: normal Dear Release Team, here's an update for jessie, fixing #873439 (CVE-2017-13709). It's based on a patch and debdiff by Florent Rougon. The corresponding stretch-pu request is #873754. A bit about the security issue: malicious add-ons could write to arbitrary files owned by the user running FlightGear, possibly even executable ones. The fix is in two parts, back-ported to older releases by Florent Rougon. Please review the attached debdiff, which fixes the issue in jessie, for inclusion in the next point release. Kind Regards Markus Wanner
diff -Nru flightgear-3.0.0/debian/changelog flightgear-3.0.0/debian/changelog
--- flightgear-3.0.0/debian/changelog 2017-07-02 14:39:08.000000000 +0200
+++ flightgear-3.0.0/debian/changelog 2017-08-31 09:09:03.000000000 +0200
@@ -1,3 +1,16 @@
+flightgear (3.0.0-5+deb8u3) jessie; urgency=high
+
+ [ Florent Rougon ]
+ * Add two patches for CVE-2017-13709:
+ - call-fgInitAllowedPaths-earlier-c7a2ae.patch (required by the next
+ patch)
+ - CVE-2017-13709-FGLogger-2a5e3d.patch
+
+ [ Markus Wanner ]
+ * Massage patch meta information to fit DEP-3.
+
+ -- Markus Wanner <markus@bluegap.ch> Thu, 31 Aug 2017 21:44:41 +0200
+
flightgear (3.0.0-5+deb8u2) jessie; urgency=high
* Add patch restrict-save-flightplan-secu-fix-faf872.patch: prevent
diff -Nru flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch
--- flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch 1970-01-01 01:00:00.000000000 +0100
+++ flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch 2017-08-31 08:56:58.000000000 +0200
@@ -0,0 +1,54 @@
+Description: Call fgInitAllowedPaths earlier: after Options::processOptions
+ Call fgInitAllowedPaths() right after Options::processOptions() (which,
+ among other things, determines $FG_ROOT and processes
+ --allow-nasal-read). This way, fgInitAllowedPaths() can be used in much
+ more code, such as when initializing subsystems.
+ .
+ (cherry picked from commit c7a2aef59979af3e9ff22daabb37bdaadb91cd75)
+Forwarded: not-needed
+Author: Florent Rougon <f.rougon@free.fr>
+
+--- a/src/Main/fg_init.cxx
++++ b/src/Main/fg_init.cxx
+@@ -1023,7 +1023,12 @@
+ fgGetNode("/sim")->removeChild("aircraft-dir");
+ fgInitAircraft(true);
+ flightgear::Options::sharedInstance()->processOptions();
+-
++
++ // Rebuild the lists of allowed paths for cases where a path comes from an
++ // untrusted source, such as the global property tree (this uses $FG_HOME
++ // and other paths set by Options::processOptions()).
++ fgInitAllowedPaths();
++
+ render = new FGRenderer;
+ render->setEventHandler(eventHandler);
+ globals->set_renderer(render);
+--- a/src/Main/main.cxx
++++ b/src/Main/main.cxx
+@@ -461,7 +461,12 @@
+ } else if (configResult == flightgear::FG_OPTIONS_EXIT) {
+ return EXIT_SUCCESS;
+ }
+-
++
++ // Set the lists of allowed paths for cases where a path comes from an
++ // untrusted source, such as the global property tree (this uses $FG_HOME
++ // and other paths set by Options::processOptions()).
++ fgInitAllowedPaths();
++
+ // Initialize the Window/Graphics environment.
+ fgOSInit(&argc, argv);
+ _bootstrap_OSInit++;
+--- a/src/Scripting/NasalSys.cxx
++++ b/src/Scripting/NasalSys.cxx
+@@ -800,9 +800,6 @@
+ .member("singleShot", &TimerObj::isSingleShot, &TimerObj::setSingleShot)
+ .member("isRunning", &TimerObj::isRunning);
+
+- // Set allowed paths for Nasal I/O
+- fgInitAllowedPaths();
+-
+ // Now load the various source files in the Nasal directory
+ simgear::Dir nasalDir(SGPath(globals->get_fg_root(), "Nasal"));
+ loadScriptDirectory(nasalDir);
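Review bot: The NasalSys.cxx hunk removes the only local guarantee that the allowed-path lists exist before Nasal I/O is validated, and nothing at the removal site records that the initialisation now happens elsewhere; I would leave a comment in place of the deleted call, `// Allowed paths for Nasal I/O are set by fgInitAllowedPaths(), called from main() and the fg_init.cxx re-init path right after Options::processOptions()`. Whether an FGNasalSys constructed outside those two paths would then validate against empty lists depends on fgValidatePath(), which is not visible here, so that is worth confirming. Because the new calls rebuild the lists from $FG_HOME and the other paths set by processOptions(), any later code that changes $FG_ROOT, $FG_HOME or /sim/aircraft-dir must call fgInitAllowedPaths() again or the lists go stale; a one-line note to that effect next to the two new calls would make the contract explicit. The functions enclosing all three hunks start and end outside the hunks.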
diff -Nru flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch
--- flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch 1970-01-01 01:00:00.000000000 +0100
+++ flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch 2017-08-31 08:57:36.000000000 +0200
@@ -0,0 +1,68 @@
+Description: Security: don't allow FGLogger to overwrite arbitrary files
+ Since the paths of files written by FGLogger come from the property
+ tree[1], they must be validated before we decide to write to these
+ files.
+ .
+ [1] Except for the "empty" case, which uses the default name
+ 'fg_log.csv'.
+ .
+ This fixes CVE-2017-13709.
+ .
+ (cherry picked from commit 2a5e3d06b2c0d9f831063afe7e7260bca456d679)
+Forwarded: not-needed
+Author: Florent Rougon <f.rougon@free.fr>
+
+--- a/src/Main/logger.cxx
++++ b/src/Main/logger.cxx
+@@ -11,10 +11,14 @@
+
+ #include <fstream>
+ #include <string>
++#include <cstdlib>
+
+ #include <simgear/debug/logstream.hxx>
++#include <simgear/misc/sg_path.hxx>
+
+ #include "fg_props.hxx"
++#include "globals.hxx"
++#include "util.hxx"
+
+ using std::string;
+ using std::endl;
+@@ -55,6 +59,26 @@
+ child->setStringValue("filename", filename.c_str());
+ }
+
++ // Security: the path comes from the global Property Tree; it *must* be
++ // validated before we overwrite the file.
++ const string authorizedPath = fgValidatePath(filename,
++ true /* write */);
++
++ if (authorizedPath.empty()) {
++ const string propertyPath = child->getChild("filename")
++ ->getPath(true /* simplify */);
++ const SGPath proposedPath = SGPath(globals->get_fg_home()) / "Export";
++ const string msg =
++ "The FGLogger logging system, via the '" + propertyPath + "' property, "
++ "was asked to write to '" + filename + "', however this path is not "
++ "authorized for writing anymore for security reasons. " +
++ "Please choose another location, for instance in the $FG_HOME/Export "
++ "folder (" + proposedPath.str() + ").";
++
++ SG_LOG(SG_GENERAL, SG_ALERT, msg);
++ exit(EXIT_FAILURE);
++ }
++
+ string delimiter = child->getStringValue("delimiter");
+ if (delimiter.empty()) {
+ delimiter = ",";
+@@ -64,7 +88,8 @@
+ log.interval_ms = child->getLongValue("interval-ms");
+ log.last_time_ms = globals->get_sim_time_sec() * 1000;
+ log.delimiter = delimiter.c_str()[0];
+- log.output = new std::ofstream(filename.c_str());
++ // Security: use the return value of fgValidatePath()
++ log.output = new std::ofstream(authorizedPath.c_str());
+ if (!log.output) {
+ SG_LOG(SG_GENERAL, SG_ALERT, "Cannot write log to " << filename);
+ continue;
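Review bot: The new unauthorized-path branch terminates the whole process with `exit(EXIT_FAILURE)`, while the adjacent failure case a few lines below (`if (!log.output)`) merely logs and does `continue;` on to the next log entry; a malicious add-on that can no longer write files can thus still shut the simulator down by pointing one logger entry at a forbidden path. Unless matching upstream behaviour is required for the stable update, replacing `exit(EXIT_FAILURE);` with `continue;` keeps the security property (no file is opened on the rejected path, since `log.output` is only created from `authorizedPath`) without the denial of service. Separately, the pre-existing `if (!log.output)` check tests the pointer returned by `new`, which is never null, so an unopenable authorized path is not caught; `if (!log.output->is_open())` is the check that would actually fire. The enclosing loop starts outside the hunk.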
diff -Nru flightgear-3.0.0/debian/patches/series flightgear-3.0.0/debian/patches/series
--- flightgear-3.0.0/debian/patches/series 2017-07-02 14:39:08.000000000 +0200
+++ flightgear-3.0.0/debian/patches/series 2017-08-31 08:54:12.000000000 +0200
@@ -6,3 +6,6 @@
route-manager-secu-fix-280cd5.patch
fix-missing-lX11-in-link-commands.patch
restrict-save-flightplan-secu-fix-faf872.patch
+# Required for CVE-2017-13709-FGLogger-2a5e3d.patch
+call-fgInitAllowedPaths-earlier-c7a2ae.patch
+CVE-2017-13709-FGLogger-2a5e3d.patch