flightgear: CVE-2016-9956: Allows the route manager to overwrite arbitrary files

Related Vulnerabilities: CVE-2016-9956  

Debian Bug report logs - #848114

Reported by: Florent Rougon <f.rougon@free.fr>

Date: Wed, 14 Dec 2016 08:57:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version flightgear/3.0.0-5

Fixed in versions flightgear/1:2016.4.3+dfsg-1, flightgear/3.0.0-5+deb8u1

Done: Markus Wanner <markus@bluegap.ch>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian FlightGear Crew <pkg-fgfs-crew@lists.alioth.debian.org>:
Bug#848114; Package src:flightgear. (Wed, 14 Dec 2016 08:57:04 GMT)


Acknowledgement sent to Florent Rougon <f.rougon@free.fr>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian FlightGear Crew <pkg-fgfs-crew@lists.alioth.debian.org>. (Wed, 14 Dec 2016 08:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Florent Rougon <f.rougon@free.fr>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: flightgear: Allows the route manager to overwrite arbitrary files
Date: Wed, 14 Dec 2016 09:55:53 +0100
Source: flightgear
Version: 3.0.0-5
Severity: grave
Tags: security upstream fixed-upstream patch
Justification: user security hole

Hello,

As already stated in several places:

  https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/
  https://sourceforge.net/p/flightgear/mailman/message/35548661/
  http://lists.alioth.debian.org/pipermail/pkg-fgfs-crew/2016-December/001795.html

and reported to people in charge of FlightGear both upstream (of which I am a
recent addition) and in several Linux distributions, the flightgear package
has a security bug allowing malicious Nasal code[1] to overwrite arbitrary
files the user running FlightGear has write access to, by using the property
tree to cause the route manager to save a flightplan.

This problem is, AFAICT, present in all FlightGear versions released after
October 5, 2009, which largely includes those shipped in Debian stable,
testing and unstable. It is however fixed in the upstream Git repository:

  https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/

and I have backported this fix to FlightGear 3.0.0, i.e., the version shipped
in jessie: cf. two links given above
(<https://sourceforge.net/p/flightgear/mailman/message/35548661/> and
<http://lists.alioth.debian.org/pipermail/pkg-fgfs-crew/2016-December/001795.html>),
the second one being more ready-to-use for Debian since it contains a debdiff
including an additional fix for build failures I encountered while testing the
fix in the jessie package.

Since all parties have already been contacted, this bug report is mainly for
tracking purposes, as advised by
<https://www.debian.org/security/faq#discover>.

I'm attaching here the patch for FlightGear 3.0.0 as well as the mentioned
debdiff for completeness and “self-containedness” of this report. The upstream
fix
(<https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/>)
can certainly be used as is for the version in unstable.

Regards

[1] Which can be embedded in aircraft, which can in their turn be installed by
    users from various third-party sources.
[route-manager-secu-fix-280cd5.patch (text/x-diff, attachment)]
[flightgear-3.0.0_to_3.0.0-5+deb8u1.debdiff (text/x-diff, attachment)]
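
The report above describes a save routine whose destination path can be set by untrusted script code. As an added illustration (not the upstream fix, not the attached patch and not FlightGear code), the following C++17 code shows one general way to confine such a save to a single directory; the function names `resolveWritePath` and `saveFlightPlan` and the use of the temporary directory as the allowed directory are assumptions made for the example.

```cpp
// Added example, not FlightGear code: confine script-requested saves to one directory.
#include <filesystem>
#include <fstream>
#include <iostream>
#include <optional>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// Resolve `requested` and return it only if it names a file strictly inside
// `allowedDir` once ".." components and existing symlinks have been resolved.
std::optional<fs::path> resolveWritePath(const fs::path& allowedDir,
                                         const fs::path& requested)
{
    std::error_code ec;
    const fs::path root = fs::canonical(allowedDir, ec);  // must already exist
    if (ec) return std::nullopt;

    // Relative requests are interpreted under the allowed directory.
    const fs::path joined = requested.is_absolute() ? requested : root / requested;
    const fs::path target = fs::weakly_canonical(joined, ec);
    if (ec || !target.has_filename()) return std::nullopt;
    // Compare whole components so "/data/Export-evil" never matches "/data/Export".
    auto t = target.begin();
    for (auto r = root.begin(); r != root.end(); ++r, ++t)
        if (t == target.end() || *t != *r) return std::nullopt;
    if (t == target.end()) return std::nullopt;           // the directory itself
    return target;
}

// Hypothetical save routine whose path argument can be set by untrusted script code.
bool saveFlightPlan(const fs::path& allowedDir, const std::string& requestedPath,
                    const std::string& contents)
{
    const auto target = resolveWritePath(allowedDir, requestedPath);
    if (!target) return false;                            // refuse before opening
    std::ofstream out(*target, std::ios::trunc);
    out << contents;
    return static_cast<bool>(out);
}

int main()
{
    const fs::path dir = fs::temp_directory_path();       // stand-in for an export dir
    // Constructed requests: one inside the directory, one traversing out of it.
    std::cout << saveFlightPlan(dir, "fg-example-plan.xml", "<PropertyList/>\n") << '\n';
    std::cout << saveFlightPlan(dir, "../fg-example-outside.xml", "x") << '\n';
}
```

The check and the open are separate steps, so the allowed directory should be writable only by the user running the program; otherwise a symlink could be swapped in between the two.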

Information forwarded to debian-bugs-dist@lists.debian.org, Debian FlightGear Crew <pkg-fgfs-crew@lists.alioth.debian.org>:
Bug#848114; Package src:flightgear. (Wed, 14 Dec 2016 12:36:02 GMT)


Acknowledgement sent to Markus Wanner <markus@bluegap.ch>:
Extra info received and forwarded to list. Copy sent to Debian FlightGear Crew <pkg-fgfs-crew@lists.alioth.debian.org>. (Wed, 14 Dec 2016 12:36:02 GMT)


Message #10 received at 848114@bugs.debian.org:

From: Markus Wanner <markus@bluegap.ch>
To: 848114@bugs.debian.org
Cc: Florent Rougon <f.rougon@free.fr>
Subject: Re: Bug#848114: flightgear: Allows the route manager to overwrite arbitrary files
Date: Wed, 14 Dec 2016 13:32:31 +0100
Control: tags -1 +pending

Hello Florent,

thanks a lot for your notification and the patch(es). Uploads to stable
(security) and unstable should follow, shortly.

Kind Regards

Markus Wanner


Added tag(s) pending. Request was from Markus Wanner <markus@bluegap.ch> to 848114-submit@bugs.debian.org. (Wed, 14 Dec 2016 12:36:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian FlightGear Crew <pkg-fgfs-crew@lists.alioth.debian.org>:
Bug#848114; Package src:flightgear. (Wed, 14 Dec 2016 13:24:02 GMT)


Acknowledgement sent to Florent Rougon <f.rougon@free.fr>:
Extra info received and forwarded to list. Copy sent to Debian FlightGear Crew <pkg-fgfs-crew@lists.alioth.debian.org>. (Wed, 14 Dec 2016 13:24:02 GMT)


Message #17 received at 848114@bugs.debian.org:

From: Florent Rougon <f.rougon@free.fr>
To: 848114@bugs.debian.org
Subject: Re: Bug#848114: flightgear: Allows the route manager to overwrite arbitrary files
Date: Wed, 14 Dec 2016 14:21:20 +0100
Markus Wanner <markus@bluegap.ch> wrote:

> Hello Florent,
>
> thanks a lot for your notification and the patch(es). Uploads to stable
> (security) and unstable should follow, shortly.

Fine, thank you, Markus!

Regards

-- 
Florent



Reply sent to Markus Wanner <markus@bluegap.ch>:
You have taken responsibility. (Wed, 14 Dec 2016 19:51:05 GMT)


Notification sent to Florent Rougon <f.rougon@free.fr>:
Bug acknowledged by developer. (Wed, 14 Dec 2016 19:51:05 GMT)


Message #22 received at 848114-close@bugs.debian.org:

From: Markus Wanner <markus@bluegap.ch>
To: 848114-close@bugs.debian.org
Subject: Bug#848114: fixed in flightgear 1:2016.4.3+dfsg-1
Date: Wed, 14 Dec 2016 19:48:36 +0000
Source: flightgear
Source-Version: 1:2016.4.3+dfsg-1

We believe that the bug you reported is fixed in the latest version of
flightgear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 848114@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Wanner <markus@bluegap.ch> (supplier of updated flightgear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 14 Dec 2016 20:17:07 +0100
Source: flightgear
Binary: flightgear
Architecture: source
Version: 1:2016.4.3+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian FlightGear Crew <pkg-fgfs-crew@lists.alioth.debian.org>
Changed-By: Markus Wanner <markus@bluegap.ch>
Description:
 flightgear - Flight Gear Flight Simulator
Closes: 848114
Changes:
 flightgear (1:2016.4.3+dfsg-1) unstable; urgency=high
 .
   * New upstream release.
   * Refresh patch spelling_20160920.patch.
   * Add patch route-manager-secu-fix-280cd5.patch to prevent the
     route manager from writing arbitrary files. Closes: #848114.
   * Update dependency on simgear to ensure this builds against the
     corresponding version.




Changed Bug title to 'flightgear: CVE-2016-9956: Allows the route manager to overwrite arbitrary files' from 'flightgear: Allows the route manager to overwrite arbitrary files'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 15 Dec 2016 17:54:09 GMT)


Marked as fixed in versions flightgear/3.0.0-5+deb8u1. Request was from "Dr. Tobias Quathamer" <toddy@debian.org> to control@bugs.debian.org. (Thu, 26 Jan 2017 16:30:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:30:28 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:23:07 2019; Machine Name: buxtehude
