[pkg-fgfs-crew] Security fix for FlightGear
Rebecca N. Palmer
rebecca_palmer at zoho.com
Wed May 17 17:40:33 UTC 2017

While we're on the subject, the *Repository fix (see below) never got
applied in jessie (it's already included upstream in stretch/sid), and
is a worse problem in that it allows arbitrary code execution.
I'll look into writing an actual patch for that.

-------- Forwarded Message --------
Subject: Re: Another security fix for FlightGear
Date: Fri, 16 Dec 2016 22:40:24 +0000
From: Rebecca N. Palmer <rebecca_palmer at zoho.com>
To: chris at ilovelinux.de, Mathias.Homann at opensuse.org,
fabrice at bellet.info, martymac at FreeBSD.org, arch at sergej.pp.ru, Markus
Wanner <markus at bluegap.ch>, Saikrishna Arcot <saiarcot895 at gmail.com>

On 15/12/16 23:03, Rebecca N. Palmer wrote:
> Its [pre-2016.x] predecessor SVNRepository
> is sufficiently different that I can't immediately tell whether it has
> an equivalent vulnerability.

Unfortunately it probably does: downloaded XML -> attrs ->
fileName/dirName -> currentPath at
https://sources.debian.net/src/simgear/3.0.0-6/simgear/io/SVNReportParser.cxx/#L259
, unsanitised currentPath used as a file name at
https://sources.debian.net/src/simgear/3.0.0-6/simgear/io/SVNReportParser.cxx/#L397

A similar "reject .. and slashes" fix could be applied to
fileName/dirName, immediately after each of the 5(?) places where it is set.

This code will soon cease to be useful, as upstream plan to stop
offering SVN Terrasync early in 2017
(https://sourceforge.net/p/flightgear/mailman/message/35554823/), but I
suspect disabling it would be more work than the above fix.
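
The "reject .. and slashes" check described in the message above, as an added example that is not part of the original mail and is not SimGear's code. The helper names isSafeEntryName and appendChecked, the sample names and the /tmp/terrasync directory are assumptions; the check goes slightly beyond the mail by also rejecting empty names, ".", backslashes and control characters.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper, not SimGear code: true only if `name` is a single
// path component that cannot move outside the directory it is appended to.
bool isSafeEntryName(const std::string& name)
{
    if (name.empty() || name == "." || name == "..")
        return false;
    for (unsigned char c : name) {
        // Separators would add path levels; control bytes (NUL included)
        // can truncate or disguise the name once it reaches a C file API.
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f)
            return false;
    }
    return true;
}

// Hypothetical helper: builds currentPath + "/" + name only for a validated
// name. On rejection it returns false and leaves `out` unchanged.
bool appendChecked(const std::string& currentPath, const std::string& name,
                   std::string& out)
{
    if (!isSafeEntryName(name))
        return false;
    out = currentPath + "/" + name;
    return true;
}

int main()
{
    // Constructed sample values standing in for attributes parsed from a
    // downloaded report; "/tmp/terrasync" is a placeholder directory.
    const std::vector<std::string> names = {
        "Airports", "w010n50", "..", "../outside", "/abs", "a\\b", ""};
    for (const std::string& n : names) {
        std::string path;
        if (appendChecked("/tmp/terrasync", n, path))
            std::cout << "accept  " << path << "\n";
        else
            std::cout << "reject  \"" << n << "\"\n";
    }
    return 0;
}
```

Validating the name at the point where it is parsed, before it is joined to currentPath, means every later use of the path inherits the check.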