Your message dated Wed, 14 Dec 2016 19:48:36 +0000
with message-id <e1chfxy-00010t...@fasolo.debian.org>
and subject line Bug#848114: fixed in flightgear 1:2016.4.3+dfsg-1
has caused the Debian Bug report #848114,
regarding flightgear: Allows the route manager to overwrite arbitrary files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
848114: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848114
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: flightgear
Version: 3.0.0-5
Severity: grave
Tags: security upstream fixed-upstream patch
Justification: user security hole
Hello,
As already stated in several places:
https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/
https://sourceforge.net/p/flightgear/mailman/message/35548661/
http://lists.alioth.debian.org/pipermail/pkg-fgfs-crew/2016-December/001795.html
and reported to people in charge of FlightGear both upstream (of which I am a
recent addition) and in several Linux distributions, the flightgear package
has a security bug allowing malicious Nasal code[1] to overwrite arbitrary
files the user running FlightGear has write access to, by using the property
tree to cause the route manager to save a flightplan.
This problem is, AFAICT, present in all FlightGear versions released after
October 5, 2009, which largely includes those shipped in Debian stable,
testing and unstable. It is however fixed in the upstream Git repository:
https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/
and I have backported this fix to FlightGear 3.0.0, i.e., the version shipped
in jessie: cf. two links given above
(<https://sourceforge.net/p/flightgear/mailman/message/35548661/> and
<http://lists.alioth.debian.org/pipermail/pkg-fgfs-crew/2016-December/001795.html>),
the second one being more ready-to-use for Debian since it contains a debdiff
including an additional fix for build failures I encountered while testing the
fix in the jessie package.
Since all parties have already been contacted, this bug report is mainly for
tracking purposes, as advised by
<https://www.debian.org/security/faq#discover>.
I'm attaching here the patch for FlightGear 3.0.0 as well as the mentioned
debdiff for completeness and “self-containedness” of this report. The upstream
fix
(<https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/>)
can certainly be used as is for the version in unstable.
Regards
[1] Which can be embedded in aircraft, which can in their turn be installed by
users from various third-party sources.
Description: Security fix: don't allow the route manager to overwrite arbitrary files
Since the Save function of the route manager can be triggered from Nasal with
an arbitrary path, we must check the path before overwriting the file.
.
(also add a missing include that is directly needed for this commit)
Author: Florent Rougon <f.rou...@free.fr>
Origin: upstream, https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/
--- a/src/Autopilot/route_mgr.cxx
+++ b/src/Autopilot/route_mgr.cxx
@@ -47,6 +47,7 @@
#include <simgear/misc/sg_path.hxx>
#include <simgear/sg_inlines.h>
+#include <Main/globals.hxx>
#include "Main/fg_props.hxx"
#include "Navaids/positioned.hxx"
#include <Navaids/waypoint.hxx>
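Review bot: the added `#include <Main/globals.hxx>` gives no hint of what needs it, unlike `#include <Main/util.hxx> // fgValidatePath()` in the next hunk. It is only required for `globals->get_fg_home()` in the @SAVE error branch, so a matching trailing comment would stop it being dropped as unused in a later cleanup.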
@@ -55,6 +56,8 @@
#include "Airports/runways.hxx"
#include <GUI/new_gui.hxx>
#include <GUI/dialog.hxx>
+#include <Main/util.hxx> // fgValidatePath()
+#include <GUI/MessageBox.hxx>
#define RM "/autopilot/route-manager/"
@@ -707,7 +710,23 @@ void FGRouteMgr::InputListener::valueChanged(SGPropertyNode *prop)
mgr->loadRoute(path);
} else if (!strcmp(s, "@SAVE")) {
SGPath path(mgr->_pathNode->getStringValue());
- mgr->saveRoute(path);
+ const std::string authorizedPath = fgValidatePath(path.str(),
+ true /* write */);
+
+ if (!authorizedPath.empty()) {
+ mgr->saveRoute(authorizedPath);
+ } else {
+ const SGPath proposedPath = SGPath(globals->get_fg_home()) / "Export";
+ std::string msg =
+ "The route manager was asked to write the flightplan to '" +
+ path.str() + "', but this path is not authorized for writing. " +
+ "Please choose another location, for instance in the $FG_HOME/Export "
+ "folder (" + proposedPath.str() + ").";
+
+ SG_LOG(SG_AUTOPILOT, SG_ALERT, msg);
+ modalMessageBox("FlightGear", "Unable to write to the specified file",
+ msg);
+ }
} else if (!strcmp(s, "@NEXT")) {
mgr->jumpToIndex(mgr->currentIndex() + 1);
} else if (!strcmp(s, "@PREVIOUS")) {
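Review bot: the `@LOAD` branch at the top of this hunk still calls `mgr->loadRoute(path)` with no check, while only `@SAVE` gains `fgValidatePath()`. If that path is taken from the same `_pathNode` property, a script can still point the route manager at any file the user can read. Consider validating it the same way with the write argument set to false, or state in the commit message why reads are deliberately left open.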
diff -Nru flightgear-3.0.0/debian/changelog flightgear-3.0.0/debian/changelog
--- flightgear-3.0.0/debian/changelog 2015-03-18 11:19:39.000000000 +0100
+++ flightgear-3.0.0/debian/changelog 2016-12-13 12:40:51.000000000 +0100
@@ -1,3 +1,13 @@
+flightgear (3.0.0-5+deb8u1) jessie; urgency=medium
+
+ * Add patch route-manager-secu-fix-280cd5.patch (security fix preventing
+ the route manager from being able to overwrite arbitrary files
+ writable by the user running FlightGear).
+ * Add patch fix-missing-lX11-in-link-commands.patch to fix an FTBFS
+ failure due to -lX11 missing in two link commands.
+
+ -- Florent Rougon <f.rou...@free.fr> Tue, 13 Dec 2016 12:40:51 +0100
+
flightgear (3.0.0-5) unstable; urgency=high
* Add patch 6a30e70.patch to better restrict file access from
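Review bot: the new 3.0.0-5+deb8u1 entry names no bug, so the upload will neither close nor link to the report; add `Closes: #848114` to the first bullet. It also sets `urgency=medium` for a fix the report files at severity grave, where the 3.0.0-5 entry below it used `urgency=high`.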
diff -Nru flightgear-3.0.0/debian/patches/fix-missing-lX11-in-link-commands.patch flightgear-3.0.0/debian/patches/fix-missing-lX11-in-link-commands.patch
--- flightgear-3.0.0/debian/patches/fix-missing-lX11-in-link-commands.patch 1970-01-01 01:00:00.000000000 +0100
+++ flightgear-3.0.0/debian/patches/fix-missing-lX11-in-link-commands.patch 2016-12-13 12:39:49.000000000 +0100
@@ -0,0 +1,26 @@
+Description: Fix build failures ('-lX11' missing for fgfs and fgviewer)
+ .
+ Tested in a jessie amd64 pbuilder chroot.
+Author: Florent Rougon <f.rou...@free.fr>
+Forwarded: not-needed
+
+--- a/utils/fgviewer/CMakeLists.txt
++++ b/utils/fgviewer/CMakeLists.txt
+@@ -48,5 +48,6 @@
+ ${OPENGL_LIBRARIES}
+ ${FGVIEWER_RTI_LIBRARIES}
+ ${SIMGEAR_CORE_LIBRARY_DEPENDENCIES}
++ ${PLATFORM_LIBS}
+ )
+ install(TARGETS fgviewer RUNTIME DESTINATION bin)
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -127,6 +127,8 @@
+ if(GSM_FOUND)
+ set(SYSTEM_GSM_DEFAULT 1)
+ endif(GSM_FOUND)
++
++ list(APPEND PLATFORM_LIBS X11)
+ endif()
+
+ find_package(Git)
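Review bot: `list(APPEND PLATFORM_LIBS X11)` in the top-level CMakeLists.txt hard-codes the library name without checking that X11 is available. `find_package(X11 REQUIRED)` followed by appending `${X11_LIBRARIES}` would fail at configure time rather than at link time and would honour non-default library locations. The description mentions both fgfs and fgviewer, but only the fgviewer link list gains `${PLATFORM_LIBS}`; if fgfs already links that variable, say so in the patch header.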
diff -Nru flightgear-3.0.0/debian/patches/route-manager-secu-fix-280cd5.patch flightgear-3.0.0/debian/patches/route-manager-secu-fix-280cd5.patch
--- flightgear-3.0.0/debian/patches/route-manager-secu-fix-280cd5.patch 1970-01-01 01:00:00.000000000 +0100
+++ flightgear-3.0.0/debian/patches/route-manager-secu-fix-280cd5.patch 2016-12-13 12:39:33.000000000 +0100
@@ -0,0 +1,52 @@
+Description: Security fix: don't allow the route manager to overwrite arbitrary files
+ Since the Save function of the route manager can be triggered from Nasal with
+ an arbitrary path, we must check the path before overwriting the file.
+ .
+ (also add a missing include that is directly needed for this commit)
+Author: Florent Rougon <f.rou...@free.fr>
+Origin: upstream, https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/
+
+--- a/src/Autopilot/route_mgr.cxx
++++ b/src/Autopilot/route_mgr.cxx
+@@ -47,6 +47,7 @@
+ #include <simgear/misc/sg_path.hxx>
+ #include <simgear/sg_inlines.h>
+
++#include <Main/globals.hxx>
+ #include "Main/fg_props.hxx"
+ #include "Navaids/positioned.hxx"
+ #include <Navaids/waypoint.hxx>
+@@ -55,6 +56,8 @@
+ #include "Airports/runways.hxx"
+ #include <GUI/new_gui.hxx>
+ #include <GUI/dialog.hxx>
++#include <Main/util.hxx> // fgValidatePath()
++#include <GUI/MessageBox.hxx>
+
+ #define RM "/autopilot/route-manager/"
+
+@@ -707,7 +710,23 @@ void FGRouteMgr::InputListener::valueChanged(SGPropertyNode *prop)
+ mgr->loadRoute(path);
+ } else if (!strcmp(s, "@SAVE")) {
+ SGPath path(mgr->_pathNode->getStringValue());
+- mgr->saveRoute(path);
++ const std::string authorizedPath = fgValidatePath(path.str(),
++ true /* write */);
++
++ if (!authorizedPath.empty()) {
++ mgr->saveRoute(authorizedPath);
++ } else {
++ const SGPath proposedPath = SGPath(globals->get_fg_home()) / "Export";
++ std::string msg =
++ "The route manager was asked to write the flightplan to '" +
++ path.str() + "', but this path is not authorized for writing. " +
++ "Please choose another location, for instance in the $FG_HOME/Export "
++ "folder (" + proposedPath.str() + ").";
++
++ SG_LOG(SG_AUTOPILOT, SG_ALERT, msg);
++ modalMessageBox("FlightGear", "Unable to write to the specified file",
++ msg);
++ }
+ } else if (!strcmp(s, "@NEXT")) {
+ mgr->jumpToIndex(mgr->currentIndex() + 1);
+ } else if (!strcmp(s, "@PREVIOUS")) {
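Review bot: in the else branch, `modalMessageBox(...)` runs inside the property listener on every rejected `@SAVE`, and the description states that Save can be triggered from Nasal, so a script can raise a blocking dialog as often as it likes. Keep the `SG_LOG(SG_AUTOPILOT, SG_ALERT, msg)` line and consider showing the dialog only for saves started from the GUI, or at most once per rejected path. The DEP-3 header of this patch could also carry a `Bug-Debian:` field pointing at the report.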
diff -Nru flightgear-3.0.0/debian/patches/series flightgear-3.0.0/debian/patches/series
--- flightgear-3.0.0/debian/patches/series 2015-03-18 08:48:58.000000000 +0100
+++ flightgear-3.0.0/debian/patches/series 2016-12-13 11:19:25.000000000 +0100
@@ -3,3 +3,5 @@
fix-mobile-tacan.patch
750939.patch
6a30e7.patch
+route-manager-secu-fix-280cd5.patch
+fix-missing-lX11-in-link-commands.patch
--- End Message ---
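The report's core point is that a save path supplied by untrusted Nasal code has to be checked before the file is written. As an added illustration (not FlightGear's `fgValidatePath()` and not code from the patch), this C++ example confines writes to one directory tree and goes beyond the report by also covering `..` components and symlinks; `validateWritePath`, `resolveDir` and the directory layout are hypothetical, and POSIX `realpath()`/`lstat()` are assumed.

```cpp
// Added example, not FlightGear code: confine writes to one directory tree.
#include <cstdlib>      // realpath(), free()
#include <string>
#include <sys/stat.h>   // lstat()
#include <unistd.h>

// Canonicalize an existing directory (resolves symlinks and ".."); "" on error.
static std::string resolveDir(const std::string& dir) {
    char* resolved = realpath(dir.c_str(), nullptr);
    if (!resolved) return "";
    std::string out(resolved);
    std::free(resolved);
    return out;
}

// Hypothetical helper: returns the canonical path that may be written, or ""
// when `requested` does not resolve to a file inside `allowedDir`.
std::string validateWritePath(const std::string& requested,
                              const std::string& allowedDir) {
    const std::string root = resolveDir(allowedDir);
    if (root.empty() || requested.empty()) return "";

    // The target may not exist yet: canonicalize its parent directory and
    // re-attach the final component afterwards.
    const std::string::size_type slash = requested.find_last_of('/');
    std::string parent = ".", leaf = requested;
    if (slash != std::string::npos) {
        parent = (slash == 0) ? "/" : requested.substr(0, slash);
        leaf = requested.substr(slash + 1);
    }
    if (leaf.empty() || leaf == "." || leaf == "..") return "";

    const std::string realParent = resolveDir(parent);
    if (realParent.empty()) return "";

    // Match on a directory boundary so "/x/Export2" does not pass for "/x/Export".
    const bool inside = realParent == root ||
        realParent.compare(0, root.size() + 1, root + "/") == 0;
    if (!inside) return "";

    // An existing symlink as the final component would redirect the write.
    const std::string target = realParent + "/" + leaf;
    struct stat st;
    if (lstat(target.c_str(), &st) == 0 && S_ISLNK(st.st_mode)) return "";
    return target;
}
```

The check and the later open are separate steps, so a caller that has to resist a concurrent attacker should also open the returned path with `O_NOFOLLOW`.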
--- Begin Message ---
Source: flightgear
Source-Version: 1:2016.4.3+dfsg-1
We believe that the bug you reported is fixed in the latest version of
flightgear, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 848...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Wanner <mar...@bluegap.ch> (supplier of updated flightgear package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 14 Dec 2016 20:17:07 +0100
Source: flightgear
Binary: flightgear
Architecture: source
Version: 1:2016.4.3+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian FlightGear Crew <pkg-fgfs-c...@lists.alioth.debian.org>
Changed-By: Markus Wanner <mar...@bluegap.ch>
Description:
flightgear - Flight Gear Flight Simulator
Closes: 848114
Changes:
flightgear (1:2016.4.3+dfsg-1) unstable; urgency=high
.
* New upstream release.
* Refresh patch spelling_20160920.patch.
* Add patch route-manager-secu-fix-280cd5.patch to prevent the
route manager from writing arbitrary files. Closes: #848114.
* Update dependency on simgear to ensure this builds against the
corresponding version.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---