flightgear: CVE-2017-13709: Incorrect access control

Debian Bug report logs - #873439
flightgear: CVE-2017-13709: Incorrect access control

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: flightgear: CVE-2017-13709: Incorrect access control

Date: Sun, 27 Aug 2017 20:10:45 +0200

Source: flightgear
Version: 1:2017.2.1+dfsg-3
Severity: grave
Tags: upstream security

Hi,

the following vulnerability was published for flightgear.

CVE-2017-13709[0]:
| In FlightGear before version 2017.3.1, Main/logger.cxx in the FGLogger
| subsystem allows one to overwrite any file via a resource that affects
| the contents of the global Property Tree.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-13709
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13709
[1] http://www.openwall.com/lists/oss-security/2017/08/27/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #12 received at 873439@bugs.debian.org (full text, mbox, reply):

From: Florent Rougon <f.rougon@free.fr>

To: 873439@bugs.debian.org

Cc: Salvatore Bonaccorso <carnil@debian.org>

Subject: Re: [pkg-fgfs-crew] Bug#873439: flightgear: CVE-2017-13709: Incorrect access control

Date: Mon, 28 Aug 2017 20:26:42 +0200

[Message part 1 (text/plain, inline)]

Hi,

For stretch, the last two commits of upstream branch release/2016.4:

  https://sourceforge.net/p/flightgear/flightgear/ci/release/2016.4/~/tree/

should do the job (as already said in other mails, and ditto for
unstable with the release/2017.2 branch).

For jessie (it's also affected), I successfully built FG in a
jessie-amd64 pbuilder chroot with the attached source debdiff. You'll
certainly want to make the patch headers DEP-3-compliant and arrange
debian/changelog (at least the version number), but the C++ side should
be fine with these changes. I only tested the build in this old version:
no runtime test, but I don't expect any particular problem. :)

Regards

-- 
Florent

[CVE-2017-13709_jessie.debdiff (text/x-diff, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #19 received at 873439-close@bugs.debian.org (full text, mbox, reply):

From: Markus Wanner <markus@bluegap.ch>

To: 873439-close@bugs.debian.org

Subject: Bug#873439: fixed in flightgear 1:2017.2.1+dfsg-4

Date: Thu, 31 Aug 2017 06:19:47 +0000

Source: flightgear
Source-Version: 1:2017.2.1+dfsg-4

We believe that the bug you reported is fixed in the latest version of
flightgear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873439@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Wanner <markus@bluegap.ch> (supplier of updated flightgear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 31 Aug 2017 06:46:33 +0200
Source: flightgear
Binary: flightgear
Architecture: source
Version: 1:2017.2.1+dfsg-4
Distribution: unstable
Urgency: high
Maintainer: Debian FlightGear Crew <pkg-fgfs-crew@lists.alioth.debian.org>
Changed-By: Markus Wanner <markus@bluegap.ch>
Description:
 flightgear - Flight Gear Flight Simulator
Closes: 873439
Changes:
 flightgear (1:2017.2.1+dfsg-4) unstable; urgency=high
 .
   * Add patches init-allowed-paths-earlier-secu-fix-c004ea.patch
     and prevent-arbitrary-file-writes-secu-fix-79e3bc.patch:
     prevent malicious add-ons fro moverriding arbitrary files.
     Closes: #873439 (CVE-2017-13709)
Checksums-Sha1:
 47c10f52ce924a6d71a0a7b5760b7204b0d49f87 3427 flightgear_2017.2.1+dfsg-4.dsc
 eab1fd9bfe360702f9e83cd493a730cdea091a7b 29364 flightgear_2017.2.1+dfsg-4.debian.tar.xz
Checksums-Sha256:
 80226b12849f9d9a2004e9df73ddb43012f1614bd480c3d38fa67ca01231965f 3427 flightgear_2017.2.1+dfsg-4.dsc
 a7d7b372eeed41d2a465b4c795e95fc4c9e7f6ed127d381426ad1250c8b85259 29364 flightgear_2017.2.1+dfsg-4.debian.tar.xz
Files:
 656cef1bb1ac2711d6c378271cdd4a2c 3427 games extra flightgear_2017.2.1+dfsg-4.dsc
 16483f06df893c1f196a982df83dddd0 29364 games extra flightgear_2017.2.1+dfsg-4.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQQzBAEBCAAdFiEE7WdiNgeE4zHiUwPWAlr+layd8xsFAlmnolwACgkQAlr+layd
8xtU9SAAiJSUt+L26IZoQ35hIILVUanrry0+QHZ9rABHFxGLS1p1MRTj2BgMms+r
Ug5OZq1o33xoO1PNDqTe52kg/tVM0H7qhTkRGKfPXKn0jxvWcZGvAi5w0cemJqnr
Qwu+O6XUj7NmHi3yBYFv/IZQTNFtXE82Bo6Rsr8vXl9Ub3/qZwyWlbftD+EWdn+j
YJavg5/9W5vCX2Wp6h4xqVzxH1N7mxoJ6OW+7kfc4mtS+0T0dJ2u/l42rTSBjaTb
cz+9r7tvCfSPwZ2W/TpA+06EcZKF9KrQulNxsu373no5CvmKiv0V62GegryvNAqB
BkKdS8V8B4CEsseymp1HfVZ3I2AMKOuBZWWQMXcbjMqacAxTkuyWCRRaLOf8OcUz
PT58e4hfS01MUooaLUq3pf+bKREvmS3BFQZC6Ju2jKqQNaKHa/j1Rq/1sZVYr22a
Z4tlATWGMfdumEEdDu0DWKIlufehwHxc/rdlrhdp5aU06LmWdnAHQ8Mo+Rwk7EgD
TiyocBJpp1aB+EycU8C6reL1XJjZ4eMiUDSniOkANCcM4Y+saxdIgbCW0prvFymc
giUPkPMmV8EN0J5YkL3JlsiivsZ3S9to7BcyviitKZjyAvkGB7yPAO6gwzWNFqnc
4cq8j9/IxZN879C5La0TcPoDwy5cXGy72emKyJEPL/X1CGkZ0GOHWT9lSUuAYE4g
H3zLAn87S02IuC4MSud//xVSaB9fshhW+9bRA+EnJaleg80K7pmdIB859yxHplgq
RQeSHnGTm/2V5YOKEblNjwa/gX+grSu6WINWbFKwQrZOIBZd/r1sGDuuZx6lAB2l
gaTXJR8+ZSjXPc3WOPmY6q0SGrpUplij0zOjy6SpfZhQwwmfbrQovEJT8Nvx7eiQ
A5NX1J0SFvCu5EEiujI7tiQGPxPGdX36OFPLH9egfYJGYtMirfCWkyY0k32biZzb
gIYnuq0SrW3G7xA9gunzWvbUypmmoF7N83WJE3fLWjTjLpbVw9VhnpPoMaX31wm5
TEjzLc7n2Jc9gxeO7n4CEJHxYmhm3/avPMt2rZ11xJSvM4RzVscJtx8t4PkjrW8D
Fc55CjaialpvNyowA7qGHE3sfUezRAQtbrDrtUy6BTpmLh90MlrgbIOkPcxm8wWV
c0WF0ZPGGsuGS+VIGv/ksm9xTwfbfULgZzZ27puBLDEiG87Iw+yPl4RzhKlRKkzp
cRu7eO7UPnXyBS1HjqcLlQxZ0DsFOQcgI80rMPZxoRW3E7R7hPmloOY6UJR9S9jq
LVKVksYDaI7tWz1yfusF2KzWIQrHEbK3610xYjDfVInjrJBYfvjRqBQHT0VPYT7v
YoM0gvd0LgW7R24ZMK97bchO3QrMGg==
=XIps
-----END PGP SIGNATURE-----

Message #24 received at 873439@bugs.debian.org (full text, mbox, reply):

From: Markus Wanner <markus@bluegap.ch>

To: 873439@bugs.debian.org

Subject: Re: [pkg-fgfs-crew] Bug#873439: flightgear: CVE-2017-13709: Incorrect access control

Date: Fri, 1 Sep 2017 08:01:40 +0200

[Message part 1 (text/plain, inline)]

Hi,

while this has been fixed in unstable, I have also requested to upload
to stable and unstable. Here are the issues and versions for reference:

stable:    #873754 1:2016.4.4+dfsg-3+deb9u1
oldstable: #873877 3.0.0-5+deb8u3

Assuming the release team approves the uploads, the fix should enter
Debian stable and oldstable with the next point release.

Kind Regards

Markus Wanner

[signature.asc (application/pgp-signature, attachment)]

Message #29 received at 873439-close@bugs.debian.org (full text, mbox, reply):

From: Markus Wanner <markus@bluegap.ch>

To: 873439-close@bugs.debian.org

Subject: Bug#873439: fixed in flightgear 1:2016.4.4+dfsg-3+deb9u1

Date: Sun, 08 Oct 2017 12:17:08 +0000

Source: flightgear
Source-Version: 1:2016.4.4+dfsg-3+deb9u1

We believe that the bug you reported is fixed in the latest version of
flightgear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873439@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Wanner <markus@bluegap.ch> (supplier of updated flightgear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 01 Oct 2017 20:14:35 +0100
Source: flightgear
Binary: flightgear
Architecture: source amd64
Version: 1:2016.4.4+dfsg-3+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian FlightGear Crew <pkg-fgfs-crew@lists.alioth.debian.org>
Changed-By: Markus Wanner <markus@bluegap.ch>
Description:
 flightgear - Flight Gear Flight Simulator
Closes: 873439
Changes:
 flightgear (1:2016.4.4+dfsg-3+deb9u1) stretch; urgency=medium
 .
   * Add patches init-allowed-paths-earlier-secu-fix-f372d7.patch and
     prevent-arbitrary-file-writes-secu-fix-58d8e1.patch: prevent
     malicious add-ons from overriding arbitrary files.
     Closes: #873439 (CVE-2017-13709)
Checksums-Sha1:
 c16e6f475af4aa786b8ccdf8a4ec78f63fa7e4d1 2702 flightgear_2016.4.4+dfsg-3+deb9u1.dsc
 2b61f62f00362c3be0dce5c1117ad4c68b4e4857 6387270 flightgear_2016.4.4+dfsg.orig.tar.bz2
 42e91b0c3db2dd3cc429737f527e06429d4fb97d 26084 flightgear_2016.4.4+dfsg-3+deb9u1.debian.tar.xz
 7ed989db942a881ba9b65de32e0e7ec43f12ab0b 59996334 flightgear-dbgsym_2016.4.4+dfsg-3+deb9u1_amd64.deb
 14a76640b2a6b36eb597ac7a68df34423dc6ec8c 17511 flightgear_2016.4.4+dfsg-3+deb9u1_amd64.buildinfo
 48ad869d99d9d1ecbd88ba0f8c50f44613d90137 7664814 flightgear_2016.4.4+dfsg-3+deb9u1_amd64.deb
Checksums-Sha256:
 ee7046668ac2dee02f7b8b45e0d2af541034f2e324df74fb536c362ae36799b8 2702 flightgear_2016.4.4+dfsg-3+deb9u1.dsc
 269fbf0e5815880fd04f9f41c777315e275b2fc606a6ea7579d848ff11109bd7 6387270 flightgear_2016.4.4+dfsg.orig.tar.bz2
 f4363634c02e6e0d43a2bbfe63268148bd338f232d38bf2ef4ffe80d1b3cd0ae 26084 flightgear_2016.4.4+dfsg-3+deb9u1.debian.tar.xz
 621542faa12e202c4f2f1a4dfa90ab7e597e39d1872cbdc86b83704baf642e02 59996334 flightgear-dbgsym_2016.4.4+dfsg-3+deb9u1_amd64.deb
 3de07fc809d838b164555ab223a04d7ad590345f770163f9f20f03f4f1883a74 17511 flightgear_2016.4.4+dfsg-3+deb9u1_amd64.buildinfo
 8bb06c6d248ede499a04c521b9c8d23b765c23dba7e3422117a9483971eafdb3 7664814 flightgear_2016.4.4+dfsg-3+deb9u1_amd64.deb
Files:
 5899e96585afc5ef755598fb0f5f7eb8 2702 games extra flightgear_2016.4.4+dfsg-3+deb9u1.dsc
 7ec5e67fa483bc7e97d0c9b79fc51059 6387270 games extra flightgear_2016.4.4+dfsg.orig.tar.bz2
 152af9704470fd49d17a8c896fecd647 26084 games extra flightgear_2016.4.4+dfsg-3+deb9u1.debian.tar.xz
 00a1dd32559ad2f6b5eea78d51477a66 59996334 debug extra flightgear-dbgsym_2016.4.4+dfsg-3+deb9u1_amd64.deb
 aeb53b4d6d127f8497e382a1b12ce698 17511 games extra flightgear_2016.4.4+dfsg-3+deb9u1_amd64.buildinfo
 240cfe6ea0faeacc2883c09d389d1c3a 7664814 games extra flightgear_2016.4.4+dfsg-3+deb9u1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEEe6UnvggjX2qTFULG6UGJtTJZmDwFAlnR7vMSHG1hcmt1c0Bi
bHVlZ2FwLmNoAAoJEOlBibUyWZg8ICkP/jGq0CVpKr9lClCIj+Ts+AAcBuohrs4V
TRQ4Nm9Y8MeiJjWFf8y+ljUj8z8dt7ZNicsYjpr6aBbx3M+A6tyG/VbSg1+CTIuu
Ve0/+W2yxwQd7TWlG6FHPBNFbpE09G9cf3waCHiRFw9x49KOYOsU2Rd/iF4O/+z4
k5RRQmuoydbUg4FZpvvQtaLwNRFWIP6QqCei1oQOpG4GzVv7Fgb3E+bngNfm0M2x
o8vcuvdDIhijt/Jq81ni9bpeNHo3Q5PLHY4ZaA6Mr1QxzJHZzxl3p3EQUvehrNWV
WLp3h4V3jHzrr4kixD5rG1lLmGJ37xt/nV/IFw+viLjOpuZrYmVnhy9qUa2n+tK0
+crJbLWwLtLDZfP+l02PgkmI57jBUwT3XySkV0TTQ1ODbvFU7E4cVzdy3yNppcG9
HgvHIHcM28qvYX2iIUeqpig1IQJm9dkFBZYaVYgoFJQZ069RV2VxzruOYXOPaneW
fftsOXk4NsFvQ5o31Vatfz9rvYD46Y7LirTFlvXoXAvb+CFGX1342zjctL+zUbvP
WDE/4YzqKC8V+HWdKIJBImq9WNxde/hcbaow7hquFwW++UrhJREWalxHqfkKYAFy
UPb/E+Dg5/avnRiMtgIr1o53EhvM5hteBqcE8FmxGZTgPoaief+2Trz862D32YT0
5/WGhipvY+bm
=FxFK
-----END PGP SIGNATURE-----

Message #34 received at 873439-close@bugs.debian.org (full text, mbox, reply):

From: Markus Wanner <markus@bluegap.ch>

To: 873439-close@bugs.debian.org

Subject: Bug#873439: fixed in flightgear 3.0.0-5+deb8u3

Date: Sun, 19 Nov 2017 22:47:39 +0000

Source: flightgear
Source-Version: 3.0.0-5+deb8u3

We believe that the bug you reported is fixed in the latest version of
flightgear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873439@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Wanner <markus@bluegap.ch> (supplier of updated flightgear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 19 Nov 2017 09:33:09 +0000
Source: flightgear
Binary: flightgear
Architecture: source amd64
Version: 3.0.0-5+deb8u3
Distribution: jessie
Urgency: high
Maintainer: Debian FlightGear Crew <pkg-fgfs-crew@lists.alioth.debian.org>
Changed-By: Markus Wanner <markus@bluegap.ch>
Description:
 flightgear - Flight Gear Flight Simulator
Closes: 873439
Changes:
 flightgear (3.0.0-5+deb8u3) jessie; urgency=high
 .
   [ Florent Rougon ]
   * Add two patches for CVE-2017-13709:
       - call-fgInitAllowedPaths-earlier-c7a2ae.patch (required by the next
         patch)
       - CVE-2017-13709-FGLogger-2a5e3d.patch
     Closes: #873439.
 .
   [ Markus Wanner ]
   * Massage patch meta information to fit DEP-3.
Checksums-Sha1:
 6a795fc966a07f7f0c1798220b8ed16f48b7dc9c 2585 flightgear_3.0.0-5+deb8u3.dsc
 ae0e3019b3e04404f2512d80179b01d6d7d35ffb 30864 flightgear_3.0.0-5+deb8u3.debian.tar.xz
 fd99d72998dde386b266d150b0c92d53418388b4 3943596 flightgear_3.0.0-5+deb8u3_amd64.deb
Checksums-Sha256:
 dd9b848d459a57d94b63f762a4461145d13148239e7aaac9a3ff8fed959b4c02 2585 flightgear_3.0.0-5+deb8u3.dsc
 b8a03b93e8d783bc7422a38cdfe48c5799a3a223bdf1f4b99462f7627093fde9 30864 flightgear_3.0.0-5+deb8u3.debian.tar.xz
 58e63dcca6883f4f8a1070db485c6bcc025cc727374080f0aea709a0c5520b69 3943596 flightgear_3.0.0-5+deb8u3_amd64.deb
Files:
 99c33ba1f318e86309a53b66afac2a54 2585 games extra flightgear_3.0.0-5+deb8u3.dsc
 7327638baf9f24726c2911b5503cacd6 30864 games extra flightgear_3.0.0-5+deb8u3.debian.tar.xz
 fe8580590246464b0c113483634b1b15 3943596 games extra flightgear_3.0.0-5+deb8u3_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEEe6UnvggjX2qTFULG6UGJtTJZmDwFAloRdyQSHG1hcmt1c0Bi
bHVlZ2FwLmNoAAoJEOlBibUyWZg8Uw4P/0UyDDkdAHzqJU1tOmE0V9c80s2w6zGA
2NrLrPcDQYPubUyfcQGsZlDMOVMLRSWQSyhIzWEmOOGBvKxVd08nKN3xH6xPLGRp
VcQb8sxd8Pw4IsbikoIPdsHcWm8J2nZvu1EDXUhIWvMA0v6bFeVhMaQEL+Sc3CNW
9rKOYpllzKPQhXVB78r3nhKssq2fSGVal5eiCGHa7yNSUFbRLKyn6Q3eKt4D8a1l
tgBH1fj/om3TvtWs6uoYUcPM1DGXMMKsLqdgjRDalhbVNjSRGk89MxHou/5YZPAw
eFevlpRsfceqRZ8am1lzgk5Fb7Rp0q15qxerhPjg1RjbAnrGOBEN3iBDoQJNi4dZ
yHh4+JwZEt6LwwDw13kvxb2HsHiAS+ve4yrBtVWpAYyfK2rrJDhv9onVfUoIioHK
rxPCCdbUJP4TZadDoqlwaH7gYevUNsClv9EjI2t61jbkxbkLJDGoNEerOqhrBdHQ
miYFxsC4woLHoElR0QngEjGadECMKqdjTXmvj9NabzV/WSEInoLJZT7mJpwxp/Dx
f39uf1vBGslonpmJSw5vsBdkbtdnsDs//ki1aQyzRcaQatb2Z+hGmLx0B7gAOVDA
yFDK3MZo/3x0oEwBD8mKlwAZnwgqL6+QUq/a25g5Bf4OuAyfUaeyDBwkInHVdtD4
QmqixmjFW6v6
=6I5N
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.