[pkg-fgfs-crew] Bug#848114: flightgear: Allows the route manager to overwrite arbitrary files

Florent Rougon f.rougon at free.fr
Wed Dec 14 08:55:53 UTC 2016


Source: flightgear
Version: 3.0.0-5
Severity: grave
Tags: security upstream fixed-upstream patch
Justification: user security hole

Hello,

As already stated in several places:

  https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/
  https://sourceforge.net/p/flightgear/mailman/message/35548661/
  http://lists.alioth.debian.org/pipermail/pkg-fgfs-crew/2016-December/001795.html

and reported to people in charge of FlightGear both upstream (of which I am a
recent addition) and in several Linux distributions, the flightgear package
has a security bug allowing malicious Nasal code[1] to overwrite arbitrary
files the user running FlightGear has write access to, by using the property
tree to cause the route manager to save a flightplan.

This problem is, AFAICT, present in all FlightGear versions released after
October 5, 2009, which largely includes those shipped in Debian stable,
testing and unstable. It is however fixed in the upstream Git repository:

  https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/

and I have backported this fix to FlightGear 3.0.0, i.e., the version shipped
in jessie: cf. the two links given above
(<https://sourceforge.net/p/flightgear/mailman/message/35548661/> and
<http://lists.alioth.debian.org/pipermail/pkg-fgfs-crew/2016-December/001795.html>),
the second one being more ready-to-use for Debian since it contains a debdiff
including an additional fix for build failures I encountered while testing the
fix in the jessie package.

Since all parties have already been contacted, this bug report is mainly for
tracking purposes, as advised by
<https://www.debian.org/security/faq#discover>.

I'm attaching here the patch for FlightGear 3.0.0 as well as the mentioned
debdiff for completeness and “self-containedness” of this report. The upstream
fix
(<https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/>)
can certainly be used as is for the version in unstable.

Regards

[1] Which can be embedded in aircraft, which can in their turn be installed by
    users from various third-party sources.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: route-manager-secu-fix-280cd5.patch
Type: text/x-diff
Size: 2153 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-fgfs-crew/attachments/20161214/490493ea/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: flightgear-3.0.0_to_3.0.0-5+deb8u1.debdiff
Type: text/x-diff
Size: 4855 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-fgfs-crew/attachments/20161214/490493ea/attachment.diff>

