[pkg-fgfs-crew] [flightgear-data] 01/01: Fix #780716, a security issue.

[Markus Wanner]

This is an automated email from the git hooks/post-receive script.

markus_wanner-guest pushed a commit to branch master
in repository flightgear-data.

commit d8603af7f98a6394442818d823a79b680b1f9e8b
Author: Markus Wanner <markus at bluegap.ch>
Date:   Wed Mar 18 11:43:34 2015 +0100

    Fix #780716, a security issue.
    
    Add patch 60da20.patch removing FG_SCENERY from the list of
    allowed directories to disallow nasal scripts from reading any
    file as the user. Finalize 3.0.0-3 for upload to unstable.
---
 debian/changelog            | 10 +++++++++-
 debian/patches/60da20.patch | 21 +++++++++++++++++++++
 debian/patches/series       |  1 +
 3 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index b5286c9..008a1e7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+flightgear-data (3.0.0-3) unstable; urgency=high
+
+  * Add patch 60da20.patch removing FG_SCENERY from the list of
+    allowed directories to disallow nasal scripts from reading any
+    file as the user. Closes: #780716.
+
+ -- Markus Wanner <markus at bluegap.ch>  Wed, 18 Mar 2015 10:43:34 +0100
+
 flightgear-data (3.0.0-2) unstable; urgency=medium
 
   [ Rebecca N. Palmer ]
@@ -6,7 +14,7 @@ flightgear-data (3.0.0-2) unstable; urgency=medium
   [ Markus Wanner ]
   * Add patch translation-update-pt.diff.
 
- -- Markus Wanner <markus at bluegap.ch>  Mon, 27 Oct 2014 10:37:02 +0100
+ -- Markus Wanner <markus at bluegap.ch>  Fri, 07 Nov 2014 17:28:09 +0100
 
 flightgear-data (3.0.0-1) unstable; urgency=low
 
diff --git a/debian/patches/60da20.patch b/debian/patches/60da20.patch
new file mode 100644
index 0000000..66a691a
--- /dev/null
+++ b/debian/patches/60da20.patch
@@ -0,0 +1,21 @@
+Description: Drop FG_SCENERY from the accepted file access list
+ The allowed directories for reading include FG_SCENERY, which can
+ be changed from Nasal via /sim/terrasync/scenery-dir. Effectively
+ allowing a nasal script to access any file with the user's
+ permission.
+Author: Rebecca N. Palmer <rebecca_palmer at zoho.com>
+Last-Update: 13-03-2015
+Origin: http://sourceforge.net/p/flightgear/fgdata/ci/60da2094252cee1a5cdfe737f29becd5c6800549
+
+diff --git a/Nasal/IOrules b/Nasal/IOrules
+index 71d2f67..ddb0189 100644
+--- a/Nasal/IOrules
++++ b/Nasal/IOrules
+@@ -28,7 +28,6 @@
+ READ ALLOW $FG_ROOT/*
+ READ ALLOW $FG_HOME/*
+ READ ALLOW $FG_AIRCRAFT/*
+-READ ALLOW $FG_SCENERY/*
+ 
+ WRITE ALLOW /tmp/*.xml
+ WRITE ALLOW $FG_HOME/*.sav
diff --git a/debian/patches/series b/debian/patches/series
index 6bbe4c9..07e8348 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 766251.patch
 translation-update-pt.diff
+60da20.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/flightgear-data.git