[pkg-fgfs-crew] Security fix for FlightGear

Rebecca N. Palmer rebecca_palmer at zoho.com
Wed May 17 17:40:33 UTC 2017

While we're on the subject, the *Repository fix (see below) never got 
applied in jessie (it's already included upstream in stretch/sid), and 
is a worse problem in that it allows arbitrary code execution.

I'll look into writing an actual patch for that.

-------- Forwarded Message --------
Subject: Re: Another security fix for FlightGear
Date: Fri, 16 Dec 2016 22:40:24 +0000
From: Rebecca N. Palmer <rebecca_palmer at zoho.com>
To: chris at ilovelinux.de, Mathias.Homann at opensuse.org, 
fabrice at bellet.info, martymac at FreeBSD.org, arch at sergej.pp.ru, Markus 
Wanner <markus at bluegap.ch>, Saikrishna Arcot <saiarcot895 at gmail.com>

On 15/12/16 23:03, Rebecca N. Palmer wrote:
 > Its [pre-2016.x] predecessor SVNRepository
 > is sufficiently different that I can't immediately tell whether it has
 > an equivalent vulnerability.

Unfortunately it probably does: downloaded XML -> attrs -> 
fileName/dirName -> currentPath at
, unsanitised currentPath used as a file name at

A similar "reject .. and slashes" fix could be applied to 
fileName/dirName, immediately after each of the 5(?) places where it is set.

This code will soon cease to be useful, as upstream plan to stop 
offering SVN Terrasync early in 2017 
(https://sourceforge.net/p/flightgear/mailman/message/35554823/), but I 
suspect disabling it would be more work than the above fix.

More information about the pkg-fgfs-crew mailing list