[pkg-fgfs-crew] [flightgear-data] 01/01: Fix #780716, a security issue.
Markus Wanner
markus_wanner-guest at moszumanska.debian.org
Wed Mar 18 10:44:44 UTC 2015
This is an automated email from the git hooks/post-receive script.
markus_wanner-guest pushed a commit to branch master
in repository flightgear-data.
commit d8603af7f98a6394442818d823a79b680b1f9e8b
Author: Markus Wanner <markus at bluegap.ch>
Date: Wed Mar 18 11:43:34 2015 +0100
Fix #780716, a security issue.
Add patch 60da20.patch removing FG_SCENERY from the list of
allowed directories to disallow nasal scripts from reading any
file as the user. Finalize 3.0.0-3 for upload to unstable.
---
debian/changelog | 10 +++++++++-
debian/patches/60da20.patch | 21 +++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index b5286c9..008a1e7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+flightgear-data (3.0.0-3) unstable; urgency=high
+
+ * Add patch 60da20.patch removing FG_SCENERY from the list of
+ allowed directories to disallow nasal scripts from reading any
+ file as the user. Closes: #780716.
+
+ -- Markus Wanner <markus at bluegap.ch> Wed, 18 Mar 2015 10:43:34 +0100
+
flightgear-data (3.0.0-2) unstable; urgency=medium
[ Rebecca N. Palmer ]
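Review bot: The trailer of the new 3.0.0-3 entry gives 10:43:34 +0100, while the commit's author date is 11:43:34 +0100 on the same day, so the changelog timestamp looks like a UTC time carrying a +0100 offset. Regenerating the trailer (for instance with dch -r) would keep the two consistent.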
@@ -6,7 +14,7 @@ flightgear-data (3.0.0-2) unstable; urgency=medium
[ Markus Wanner ]
* Add patch translation-update-pt.diff.
- -- Markus Wanner <markus at bluegap.ch> Mon, 27 Oct 2014 10:37:02 +0100
+ -- Markus Wanner <markus at bluegap.ch> Fri, 07 Nov 2014 17:28:09 +0100
flightgear-data (3.0.0-1) unstable; urgency=low
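Review bot: The trailer date of the existing 3.0.0-2 entry is rewritten here (Mon, 27 Oct 2014 to Fri, 07 Nov 2014), which the commit message does not mention and which is unrelated to the #780716 fix. If this corrects the date of an earlier upload, it would be better as a separate commit, or at least noted in the message, so the security fix stays reviewable on its own.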
diff --git a/debian/patches/60da20.patch b/debian/patches/60da20.patch
new file mode 100644
index 0000000..66a691a
--- /dev/null
+++ b/debian/patches/60da20.patch
@@ -0,0 +1,21 @@
+Description: Drop FG_SCENERY from the accepted file access list
+ The allowed directories for reading include FG_SCENERY, which can
+ be changed from Nasal via /sim/terrasync/scenery-dir. Effectively
+ allowing a nasal script to access any file with the user's
+ permission.
+Author: Rebecca N. Palmer <rebecca_palmer at zoho.com>
+Last-Update: 13-03-2015
+Origin: http://sourceforge.net/p/flightgear/fgdata/ci/60da2094252cee1a5cdfe737f29becd5c6800549
+
+diff --git a/Nasal/IOrules b/Nasal/IOrules
+index 71d2f67..ddb0189 100644
+--- a/Nasal/IOrules
++++ b/Nasal/IOrules
+@@ -28,7 +28,6 @@
+ READ ALLOW $FG_ROOT/*
+ READ ALLOW $FG_HOME/*
+ READ ALLOW $FG_AIRCRAFT/*
+-READ ALLOW $FG_SCENERY/*
+
+ WRITE ALLOW /tmp/*.xml
+ WRITE ALLOW $FG_HOME/*.sav
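Review bot: In the patch header, "Last-Update: 13-03-2015" is not in the YYYY-MM-DD form that DEP-3 specifies; it should read 2015-03-13. The header could also carry a Bug-Debian field pointing at #780716 so the patch is linked to the bug without consulting the changelog. On the rule change itself, the Description says FG_SCENERY can be changed from Nasal via /sim/terrasync/scenery-dir, so it is worth confirming that the remaining READ ALLOW roots ($FG_ROOT, $FG_HOME, $FG_AIRCRAFT) cannot be redirected from a script in the same way.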
diff --git a/debian/patches/series b/debian/patches/series
index 6bbe4c9..07e8348 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
766251.patch
translation-update-pt.diff
+60da20.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/flightgear-data.git