[pkg-fgfs-crew] Bug#780716: flightgear-data: nasal scripts can ready any file
Markus Wanner
markus at bluegap.ch
Wed Mar 18 09:43:17 UTC 2015
Package: flightgear-data
Version: 3.0.0-1
Severity: grave
Tags: security
Upstream has reported two related security issues in how FlightGear
restricts what files Nasal (its built-in scripting language for
aircraft) can access.
This bug is tracking the portion related to the flightgear-data package.
-The allowed directories for reading include FG_SCENERY, which can be
changed from Nasal via /sim/terrasync/scenery-dir.
Effect: Can read any file as the user.
Fix: fgdata 60da2094252cee1a5cdfe737f29becd5c6800549
Regards
Markus Wanner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1513 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-fgfs-crew/attachments/20150318/48bdb29e/attachment.sig>
More information about the pkg-fgfs-crew
mailing list