[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#873877: marked as done (jessie-pu: package flightgear/3.0.0-5+deb8u3)

Your message dated Sat, 09 Dec 2017 10:47:53 +0000
with message-id <1512816473.1994.32.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #873877,
regarding jessie-pu: package flightgear/3.0.0-5+deb8u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
873877: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873877
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

Dear Release Team,

here's an update for jessie, fixing #873439 (CVE-2017-13709). It's based
on a patch and debdiff by Florent Rougon. The corresponding stretch-pu
request is #873754.

A bit about the security issue: Malicious add-ons could write arbitrary
user's files, possibly even executable ones. The fix is in two parts,
back-ported to older releases by Florent Rougon.

Please verify the attached debdiff for fixing the issue in jessie with
the next point release.

Kind Regards

Markus Wanner

diff -Nru flightgear-3.0.0/debian/changelog flightgear-3.0.0/debian/changelog
--- flightgear-3.0.0/debian/changelog	2017-07-02 14:39:08.000000000 +0200
+++ flightgear-3.0.0/debian/changelog	2017-08-31 09:09:03.000000000 +0200
@@ -1,3 +1,16 @@
+flightgear (3.0.0-5+deb8u3) jessie; urgency=high
+
+  [ Florent Rougon ]
+  * Add two patches for CVE-2017-13709:
+      - call-fgInitAllowedPaths-earlier-c7a2ae.patch (required by the next
+        patch)
+      - CVE-2017-13709-FGLogger-2a5e3d.patch
+
+  [ Markus Wanner ]
+  * Massage patch meta information to fit DEP-3.
+
+ -- Markus Wanner <markus@bluegap.ch>  Thu, 31 Aug 2017 21:44:41 +0200
+
 flightgear (3.0.0-5+deb8u2) jessie; urgency=high
 
   * Add patch restrict-save-flightplan-secu-fix-faf872.patch: prevent
diff -Nru flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch
--- flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch	1970-01-01 01:00:00.000000000 +0100
+++ flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch	2017-08-31 08:56:58.000000000 +0200
@@ -0,0 +1,54 @@
+Description: Call fgInitAllowedPaths earlier: after Options::processOptions
+ Call fgInitAllowedPaths() right after Options::processOptions() (which,
+ among other things, determines $FG_ROOT and processes
+ --allow-nasal-read). This way, fgInitAllowedPaths() can be used in much
+ more code, such as when initializing subsystems.
+ .
+ (cherry picked from commit c7a2aef59979af3e9ff22daabb37bdaadb91cd75)
+Forwarded: not-needed
+Author: Florent Rougon <f.rougon@free.fr>
+
+--- a/src/Main/fg_init.cxx
++++ b/src/Main/fg_init.cxx
+@@ -1023,7 +1023,12 @@
+     fgGetNode("/sim")->removeChild("aircraft-dir");
+     fgInitAircraft(true);
+     flightgear::Options::sharedInstance()->processOptions();
+-    
++
++    // Rebuild the lists of allowed paths for cases where a path comes from an
++    // untrusted source, such as the global property tree (this uses $FG_HOME
++    // and other paths set by Options::processOptions()).
++    fgInitAllowedPaths();
++
+     render = new FGRenderer;
+     render->setEventHandler(eventHandler);
+     globals->set_renderer(render);
+--- a/src/Main/main.cxx
++++ b/src/Main/main.cxx
+@@ -461,7 +461,12 @@
+     } else if (configResult == flightgear::FG_OPTIONS_EXIT) {
+         return EXIT_SUCCESS;
+     }
+-    
++
++    // Set the lists of allowed paths for cases where a path comes from an
++    // untrusted source, such as the global property tree (this uses $FG_HOME
++    // and other paths set by Options::processOptions()).
++    fgInitAllowedPaths();
++
+     // Initialize the Window/Graphics environment.
+     fgOSInit(&argc, argv);
+     _bootstrap_OSInit++;
+--- a/src/Scripting/NasalSys.cxx
++++ b/src/Scripting/NasalSys.cxx
+@@ -800,9 +800,6 @@
+       .member("singleShot", &TimerObj::isSingleShot, &TimerObj::setSingleShot)
+       .member("isRunning", &TimerObj::isRunning);
+ 
+-    // Set allowed paths for Nasal I/O
+-    fgInitAllowedPaths();
+-    
+     // Now load the various source files in the Nasal directory
+     simgear::Dir nasalDir(SGPath(globals->get_fg_root(), "Nasal"));
+     loadScriptDirectory(nasalDir);
diff -Nru flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch
--- flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch	1970-01-01 01:00:00.000000000 +0100
+++ flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch	2017-08-31 08:57:36.000000000 +0200
@@ -0,0 +1,68 @@
+Description: Security: don't allow FGLogger to overwrite arbitrary files
+ Since the paths of files written by FGLogger come from the property
+ tree[1], they must be validated before we decide to write to these
+ files.
+ .
+ [1] Except for the "empty" case, which uses the default name
+ 'fg_log.csv'.
+ .
+ This fixes CVE-2017-13709.
+ .
+ (cherry picked from commit 2a5e3d06b2c0d9f831063afe7e7260bca456d679)
+Forwarded: not-needed
+Author: Florent Rougon <f.rougon@free.fr>
+
+--- a/src/Main/logger.cxx
++++ b/src/Main/logger.cxx
+@@ -11,10 +11,14 @@
+ 
+ #include <fstream>
+ #include <string>
++#include <cstdlib>
+ 
+ #include <simgear/debug/logstream.hxx>
++#include <simgear/misc/sg_path.hxx>
+ 
+ #include "fg_props.hxx"
++#include "globals.hxx"
++#include "util.hxx"
+ 
+ using std::string;
+ using std::endl;
+@@ -55,6 +59,26 @@
+         child->setStringValue("filename", filename.c_str());
+     }
+ 
++    // Security: the path comes from the global Property Tree; it *must* be
++    //           validated before we overwrite the file.
++    const string authorizedPath = fgValidatePath(filename,
++                                                 true /* write */);
++
++    if (authorizedPath.empty()) {
++      const string propertyPath = child->getChild("filename")
++                                       ->getPath(true /* simplify */);
++      const SGPath proposedPath = SGPath(globals->get_fg_home()) / "Export";
++      const string msg =
++        "The FGLogger logging system, via the '" + propertyPath + "' property, "
++        "was asked to write to '" + filename + "', however this path is not "
++        "authorized for writing anymore for security reasons. " +
++        "Please choose another location, for instance in the $FG_HOME/Export "
++        "folder (" + proposedPath.str() + ").";
++
++      SG_LOG(SG_GENERAL, SG_ALERT, msg);
++      exit(EXIT_FAILURE);
++    }
++
+     string delimiter = child->getStringValue("delimiter");
+     if (delimiter.empty()) {
+         delimiter = ",";
+@@ -64,7 +88,8 @@
+     log.interval_ms = child->getLongValue("interval-ms");
+     log.last_time_ms = globals->get_sim_time_sec() * 1000;
+     log.delimiter = delimiter.c_str()[0];
+-    log.output = new std::ofstream(filename.c_str());
++    // Security: use the return value of fgValidatePath()
++    log.output = new std::ofstream(authorizedPath.c_str());
+     if (!log.output) {
+       SG_LOG(SG_GENERAL, SG_ALERT, "Cannot write log to " << filename);
+       continue;
diff -Nru flightgear-3.0.0/debian/patches/series flightgear-3.0.0/debian/patches/series
--- flightgear-3.0.0/debian/patches/series	2017-07-02 14:39:08.000000000 +0200
+++ flightgear-3.0.0/debian/patches/series	2017-08-31 08:54:12.000000000 +0200
@@ -6,3 +6,6 @@
 route-manager-secu-fix-280cd5.patch
 fix-missing-lX11-in-link-commands.patch
 restrict-save-flightplan-secu-fix-faf872.patch
+# Required for CVE-2017-13709-FGLogger-2a5e3d.patch
+call-fgInitAllowedPaths-earlier-c7a2ae.patch
+CVE-2017-13709-FGLogger-2a5e3d.patch

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
--- Begin Message --- 
Version: 8.10

Hi,

Each of the updates referenced in these bugs was included in this
morning's jessie point release. Thanks!

Regards,

Adam

--- End Message ---
Reply to: