
Bug#873754: marked as done (stretch-pu: package flightgear/1:2016.4.4+dfsg-3+deb9u1)



Your message dated Sat, 09 Dec 2017 10:46:36 +0000
with message-id <1512816396.1994.30.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #873754,
regarding stretch-pu: package flightgear/1:2016.4.4+dfsg-3+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
873754: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873754
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

Dear Release Team,

yet another security fix for flightgear, that's not worth a DSA
according to Salvatore Bonaccorso.

A bit about the security issue: Malicious add-ons could write arbitrary
user's files, possibly even executable ones. The fix is in two parts,
back-ported to older releases by Florent Rougon.

Please verify the attached debdiff for fixing the issue in stretch with
the next point release.

Kind Regards

Markus Wanner

diff -Nru flightgear-2016.4.4+dfsg/debian/changelog flightgear-2016.4.4+dfsg/debian/changelog
--- flightgear-2016.4.4+dfsg/debian/changelog	2017-05-19 19:10:15.000000000 +0000
+++ flightgear-2016.4.4+dfsg/debian/changelog	2017-08-30 16:06:14.000000000 +0000
@@ -1,3 +1,12 @@
+flightgear (1:2016.4.4+dfsg-3+deb9u1) stable; urgency=medium
+
+  * Add patches init-allowed-paths-earlier-secu-fix-f372d7.patch and
+    prevent-arbitrary-file-writes-secu-fix-58d8e1.patch: prevent
+    malicious add-ons from overriding arbitrary files.
+    Closes: #873439 (CVE-2017-13709)
+
+ -- Markus Wanner <markus@bluegap.ch>  Wed, 30 Aug 2017 18:06:14 +0200
+
 flightgear (1:2016.4.4+dfsg-3) unstable; urgency=medium
 
   * Team upload.
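Review bot: the wording "overriding arbitrary files" in the changelog entry does not match what the patch actually prevents; the patch description below says "overwrite arbitrary files", so "overwriting" would be the accurate word here. Separately, this entry targets `stable` (stretch) and the bug title says stretch-pu, but the pseudo-header of the request reads `Tags: jessie`; that tag should be `stretch` so the request is tracked against the right suite.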
diff -Nru flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch
--- flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch	1970-01-01 00:00:00.000000000 +0000
+++ flightgear-2016.4.4+dfsg/debian/patches/init-allowed-paths-earlier-secu-fix-f372d7.patch	2017-08-30 07:03:19.000000000 +0000
@@ -0,0 +1,62 @@
+Description: Call fgInitAllowedPaths earlier: after Options::processOptions
+ Call fgInitAllowedPaths() right after Options::processOptions() (which,
+ among other things, determines $FG_ROOT and processes
+ --allow-nasal-read). This way, fgInitAllowedPaths() can be used in much
+ more code, such as when initializing subsystems.
+ .
+ (cherry picked from commit c7a2aef59979af3e9ff22daabb37bdaadb91cd75)
+ .
+ In preparation for the real security fix following this commit.
+Origin: upstream, https://sourceforge.net/p/flightgear/flightgear/ci/f372d7548ad7114aed14135dcc566ea326c24beb/
+Author: Florent Rougon
+
+diff --git a/src/Main/fg_init.cxx b/src/Main/fg_init.cxx
+index ea9d9b5ef..47987a363 100644
+--- a/src/Main/fg_init.cxx
++++ b/src/Main/fg_init.cxx
+@@ -1070,7 +1070,12 @@ void fgStartNewReset()
+     fgInitGeneral(); // all of this?
+     
+     flightgear::Options::sharedInstance()->processOptions();
+-    
++
++    // Rebuild the lists of allowed paths for cases where a path comes from an
++    // untrusted source, such as the global property tree (this uses $FG_HOME
++    // and other paths set by Options::processOptions()).
++    fgInitAllowedPaths();
++
+     // PRESERVED properties over-write state from options, intentionally
+     if ( copyProperties(preserved, globals->get_props()) ) {
+         SG_LOG( SG_GENERAL, SG_INFO, "Preserved state restored successfully" );
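Review bot: the position of the new fgInitAllowedPaths() call in fgStartNewReset() is load-bearing and deserves a one-line comment saying so: it must come after processOptions() (which sets $FG_HOME and the paths the lists are built from) and before copyProperties(preserved, ...) restores properties into the tree, so that a path-valued property coming back from `preserved` is checked against the lists rather than influencing them. A later reorder of these three statements would silently weaken the check without any compile-time or test failure.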
+diff --git a/src/Main/main.cxx b/src/Main/main.cxx
+index bed7e2954..fd2fb575c 100644
+--- a/src/Main/main.cxx
++++ b/src/Main/main.cxx
+@@ -515,7 +515,12 @@ int fgMainInit( int argc, char **argv )
+     } else if (configResult == flightgear::FG_OPTIONS_EXIT) {
+         return EXIT_SUCCESS;
+     }
+-    
++
++    // Set the lists of allowed paths for cases where a path comes from an
++    // untrusted source, such as the global property tree (this uses $FG_HOME
++    // and other paths set by Options::processOptions()).
++    fgInitAllowedPaths();
++
+     // Initialize the Window/Graphics environment.
+     fgOSInit(&argc, argv);
+     _bootstrap_OSInit++;
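Review bot: the comment here says "Set the lists" while the copy in fg_init.cxx says "Rebuild the lists", which is the only hint in the diff that fgInitAllowedPaths() is meant to be called more than once per process (initial start in fgMainInit(), then again on every reset). If the function appends to the allowed lists rather than replacing them, repeated resets would accumulate entries; worth confirming it resets the lists and stating that in its doc comment. The placement itself is right: it is after the FG_OPTIONS_EXIT early return and before fgOSInit(), so no subsystem can consult the lists before they exist.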
+diff --git a/src/Scripting/NasalSys.cxx b/src/Scripting/NasalSys.cxx
+index 1002b08dc..6c6fa1b48 100644
+--- a/src/Scripting/NasalSys.cxx
++++ b/src/Scripting/NasalSys.cxx
+@@ -886,9 +886,6 @@ void FGNasalSys::init()
+       .member("singleShot", &TimerObj::isSingleShot, &TimerObj::setSingleShot)
+       .member("isRunning", &TimerObj::isRunning);
+ 
+-    // Set allowed paths for Nasal I/O
+-    fgInitAllowedPaths();
+-    
+     // Now load the various source files in the Nasal directory
+     simgear::Dir nasalDir(SGPath(globals->get_fg_root(), "Nasal"));
+     loadScriptDirectory(nasalDir);
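Review bot: dropping the call from FGNasalSys::init() is only safe because both entry points that precede it (fgMainInit() and fgStartNewReset(), in the two hunks above) now initialise the allowed paths themselves; Nasal I/O therefore depends on an ordering that is no longer visible in this file. A short comment at the removal site pointing at the new call sites, or a check in the Nasal I/O path that the allowed lists have been initialised, would keep a future standalone re-initialisation of the Nasal subsystem from running with empty lists.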
diff -Nru flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch
--- flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch	1970-01-01 00:00:00.000000000 +0000
+++ flightgear-2016.4.4+dfsg/debian/patches/prevent-arbitrary-file-writes-secu-fix-58d8e1.patch	2017-08-30 07:04:40.000000000 +0000
@@ -0,0 +1,96 @@
+Description: Security: don't allow FGLogger to overwrite arbitrary files
+ Since the paths of files written by FGLogger come from the property
+ tree[1], they must be validated before we decide to write to these
+ files.
+ .
+ [1] Except for the "empty" case, which uses the default name
+ 'fg_log.csv'.
+ .
+ (cherry picked from commit 2a5e3d06b2c0d9f831063afe7e7260bca456d679)
+Origin: upstream, https://sourceforge.net/p/flightgear/flightgear/ci/2a5e3d06b2c0d9f831063afe7e7260bca456d679/
+Author: Florent Rougon
+
+diff --git a/src/Main/logger.cxx b/src/Main/logger.cxx
+index 6c18162c3..32ec850a1 100644
+--- a/src/Main/logger.cxx
++++ b/src/Main/logger.cxx
+@@ -9,12 +9,17 @@
+ 
+ #include "logger.hxx"
+ 
+-#include <fstream>
++#include <ios>
+ #include <string>
++#include <cstdlib>
+ 
+ #include <simgear/debug/logstream.hxx>
++#include <simgear/misc/sgstream.hxx>
++#include <simgear/misc/sg_path.hxx>
+ 
+ #include "fg_props.hxx"
++#include "globals.hxx"
++#include "util.hxx"
+ 
+ using std::string;
+ using std::endl;
+@@ -59,6 +64,25 @@ FGLogger::init ()
+         child->setStringValue("filename", filename.c_str());
+     }
+ 
++    // Security: the path comes from the global Property Tree; it *must* be
++    //           validated before we overwrite the file.
++    const SGPath authorizedPath = fgValidatePath(SGPath::fromUtf8(filename),
++                                                 /* write */ true);
++
++    if (authorizedPath.isNull()) {
++      const string propertyPath = child->getChild("filename")
++                                       ->getPath(/* simplify */ true);
++      const string msg =
++        "The FGLogger logging system, via the '" + propertyPath + "' property, "
++        "was asked to write to '" + filename + "', however this path is not "
++        "authorized for writing anymore for security reasons. " +
++        "Please choose another location, for instance in the $FG_HOME/Export "
++        "folder (" + (globals->get_fg_home() / "Export").utf8Str() + ").";
++
++      SG_LOG(SG_GENERAL, SG_ALERT, msg);
++      exit(EXIT_FAILURE);
++    }
++
+     string delimiter = child->getStringValue("delimiter");
+     if (delimiter.empty()) {
+         delimiter = ",";
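Review bot: exit(EXIT_FAILURE) on a rejected path turns a write-restriction into a hard termination of the whole simulator, and the `filename` property is set by exactly the untrusted sources (add-ons writing to the property tree) that the patch is guarding against, so a malicious add-on can no longer overwrite files but can still stop the program at startup. The later hunk handles a failed open with `continue` (skip this log, keep running); the same treatment here, keeping the SG_ALERT message, would be the less disruptive default unless aborting is intended. The validation itself is correct: it uses fgValidatePath() with the write flag and, in the later hunk, opens `authorizedPath` rather than the original `filename`, so the checked path and the opened path are the same value.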
+@@ -68,7 +92,8 @@ FGLogger::init ()
+     log.interval_ms = child->getLongValue("interval-ms");
+     log.last_time_ms = globals->get_sim_time_sec() * 1000;
+     log.delimiter = delimiter.c_str()[0];
+-    log.output = new std::ofstream(filename.c_str());
++    // Security: use the return value of fgValidatePath()
++    log.output = new sg_ofstream(authorizedPath, std::ios_base::out);
+     if (!log.output) {
+       SG_LOG(SG_GENERAL, SG_ALERT, "Cannot write log to " << filename);
+       continue;
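Review bot: the unchanged `if (!log.output)` check tests the pointer returned by a plain `new`, which never yields null (it throws on allocation failure), so a log file that fails to open is never detected and the "Cannot write log to" branch is dead code; this predates the patch but is in the touched lines. Checking the stream state instead, e.g. `if (!log.output->is_open())`, together with a `delete log.output;` before the `continue` so the object is not leaked, would make the failure path real. Since the message prints `filename` rather than `authorizedPath`, consider printing the authorised path too, as that is the one actually opened.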
+diff --git a/src/Main/logger.hxx b/src/Main/logger.hxx
+index 3d2146a83..0d2b80154 100644
+--- a/src/Main/logger.hxx
++++ b/src/Main/logger.hxx
+@@ -6,10 +6,10 @@
+ #ifndef __LOGGER_HXX
+ #define __LOGGER_HXX 1
+ 
+-#include <iosfwd>
+ #include <vector>
+ 
+ #include <simgear/compiler.h>
++#include <simgear/misc/sgstream.hxx>
+ #include <simgear/structure/subsystem_mgr.hxx>
+ #include <simgear/props/props.hxx>
+ 
+@@ -39,7 +39,7 @@ private:
+     Log ();
+     virtual ~Log ();
+     std::vector<SGPropertyNode_ptr> nodes;
+-    std::ostream * output;
++    sg_ofstream * output;
+     long interval_ms;
+     double last_time_ms;
+     char delimiter;
diff -Nru flightgear-2016.4.4+dfsg/debian/patches/series flightgear-2016.4.4+dfsg/debian/patches/series
--- flightgear-2016.4.4+dfsg/debian/patches/series	2017-05-19 18:59:56.000000000 +0000
+++ flightgear-2016.4.4+dfsg/debian/patches/series	2017-08-30 06:26:41.000000000 +0000
@@ -4,3 +4,5 @@
 spelling_20161121.patch
 relax_version_check.patch
 restrict-save-flightplan-secu-fix-19ab09.patch
+init-allowed-paths-earlier-secu-fix-f372d7.patch
+prevent-arbitrary-file-writes-secu-fix-58d8e1.patch

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam

--- End Message ---
