Date: Mon, 28 Aug 2017 15:36:03 +0000 (UTC) From: Ganael LAPLANCHE <martymac@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r448872 - in head/games/flightgear: . files Message-ID: <201708281536.v7SFa3qq006443@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: martymac Date: Mon Aug 28 15:36:03 2017 New Revision: 448872 URL: https://svnweb.freebsd.org/changeset/ports/448872 Log: - Backport commits 0ba2ac31 and 1ad2bf44 (fixes for CVE-2017-13709) - Rename patch patch-src-Autopilot-route_mgr.cxx to a more explicit name Reported by: Florent Rougon <f.rougon@free.fr> Added: head/games/flightgear/files/patch-CVE-2017-13709.txt (contents, props changed) head/games/flightgear/files/patch-CVE-2017-8921.txt - copied unchanged from r448871, head/games/flightgear/files/patch-src-Autopilot-route_mgr.cxx Deleted: head/games/flightgear/files/patch-src-Autopilot-route_mgr.cxx Modified: head/games/flightgear/Makefile Modified: head/games/flightgear/Makefile ============================================================================== --- head/games/flightgear/Makefile Mon Aug 28 15:16:50 2017 (r448871) +++ head/games/flightgear/Makefile Mon Aug 28 15:36:03 2017 (r448872) @@ -3,7 +3,7 @@ PORTNAME= flightgear PORTVERSION= 2017.1.3 -PORTREVISION= 5 +PORTREVISION= 6 CATEGORIES= games MASTER_SITES= SF/flightgear/release-${PORTVERSION:R} Added: head/games/flightgear/files/patch-CVE-2017-13709.txt ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/games/flightgear/files/patch-CVE-2017-13709.txt Mon Aug 28 15:36:03 2017 (r448872) @@ -0,0 +1,129 @@ +Backport of commits 0ba2ac31 and 1ad2bf44 + +Fixes CVE-2017-13709. + +--- src/Main/fg_init.cxx.orig ++++ src/Main/fg_init.cxx +@@ -1090,7 +1090,12 @@ void fgStartNewReset() + fgInitGeneral(); // all of this? + + flightgear::Options::sharedInstance()->processOptions(); +- ++ ++ // Rebuild the lists of allowed paths for cases where a path comes from an ++ // untrusted source, such as the global property tree (this uses $FG_HOME ++ // and other paths set by Options::processOptions()). ++ fgInitAllowedPaths(); ++ + // PRESERVED properties over-write state from options, intentionally + if ( copyProperties(preserved, globals->get_props()) ) { + SG_LOG( SG_GENERAL, SG_INFO, "Preserved state restored successfully" ); +--- src/Main/main.cxx.orig ++++ src/Main/main.cxx +@@ -536,7 +536,12 @@ int fgMainInit( int argc, char **argv ) + } else if (configResult == flightgear::FG_OPTIONS_EXIT) { + return EXIT_SUCCESS; + } +- ++ ++ // Set the lists of allowed paths for cases where a path comes from an ++ // untrusted source, such as the global property tree (this uses $FG_HOME ++ // and other paths set by Options::processOptions()). ++ fgInitAllowedPaths(); ++ + // Initialize the Window/Graphics environment. + fgOSInit(&argc, argv); + _bootstrap_OSInit++; +--- src/Scripting/NasalSys.cxx.orig ++++ src/Scripting/NasalSys.cxx +@@ -909,10 +909,6 @@ void FGNasalSys::init() + .member("simulatedTime", &TimerObj::isSimTime, &f_timerObj_setSimTime) + .member("isRunning", &TimerObj::isRunning); + +- +- // Set allowed paths for Nasal I/O +- fgInitAllowedPaths(); +- + // Now load the various source files in the Nasal directory + simgear::Dir nasalDir(SGPath(globals->get_fg_root(), "Nasal")); + loadScriptDirectory(nasalDir); +--- src/Main/logger.cxx.orig ++++ src/Main/logger.cxx +@@ -9,12 +9,17 @@ + + #include "logger.hxx" + +-#include <fstream> ++#include <ios> + #include <string> ++#include <cstdlib> + + #include <simgear/debug/logstream.hxx> ++#include <simgear/io/iostreams/sgstream.hxx> ++#include <simgear/misc/sg_path.hxx> + + #include "fg_props.hxx" ++#include "globals.hxx" ++#include "util.hxx" + + using std::string; + using std::endl; +@@ -59,6 +64,25 @@ FGLogger::init () + child->setStringValue("filename", filename.c_str()); + } + ++ // Security: the path comes from the global Property Tree; it *must* be ++ // validated before we overwrite the file. ++ const SGPath authorizedPath = fgValidatePath(SGPath::fromUtf8(filename), ++ /* write */ true); ++ ++ if (authorizedPath.isNull()) { ++ const string propertyPath = child->getChild("filename") ++ ->getPath(/* simplify */ true); ++ const string msg = ++ "The FGLogger logging system, via the '" + propertyPath + "' property, " ++ "was asked to write to '" + filename + "', however this path is not " ++ "authorized for writing anymore for security reasons. " + ++ "Please choose another location, for instance in the $FG_HOME/Export " ++ "folder (" + (globals->get_fg_home() / "Export").utf8Str() + ")."; ++ ++ SG_LOG(SG_GENERAL, SG_ALERT, msg); ++ exit(EXIT_FAILURE); ++ } ++ + string delimiter = child->getStringValue("delimiter"); + if (delimiter.empty()) { + delimiter = ","; +@@ -68,7 +92,8 @@ FGLogger::init () + log.interval_ms = child->getLongValue("interval-ms"); + log.last_time_ms = globals->get_sim_time_sec() * 1000; + log.delimiter = delimiter.c_str()[0]; +- log.output = new std::ofstream(filename.c_str()); ++ // Security: use the return value of fgValidatePath() ++ log.output = new sg_ofstream(authorizedPath, std::ios_base::out); + if (!log.output) { + SG_LOG(SG_GENERAL, SG_ALERT, "Cannot write log to " << filename); + continue; +--- src/Main/logger.hxx.orig ++++ src/Main/logger.hxx +@@ -6,10 +6,10 @@ + #ifndef __LOGGER_HXX + #define __LOGGER_HXX 1 + +-#include <iosfwd> + #include <vector> + + #include <simgear/compiler.h> ++#include <simgear/io/iostreams/sgstream.hxx> + #include <simgear/structure/subsystem_mgr.hxx> + #include <simgear/props/props.hxx> + +@@ -39,7 +39,7 @@ private: + Log (); + virtual ~Log (); + std::vector<SGPropertyNode_ptr> nodes; +- std::ostream * output; ++ sg_ofstream * output; + long interval_ms; + double last_time_ms; + char delimiter; Copied: head/games/flightgear/files/patch-CVE-2017-8921.txt (from r448871, head/games/flightgear/files/patch-src-Autopilot-route_mgr.cxx) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/games/flightgear/files/patch-CVE-2017-8921.txt Mon Aug 28 15:36:03 2017 (r448872, copy of r448871, head/games/flightgear/files/patch-src-Autopilot-route_mgr.cxx) @@ -0,0 +1,28 @@ +Fix for CVE-2017-8921 (backport of commit faf872e7) + +--- src/Autopilot/route_mgr.cxx.orig ++++ src/Autopilot/route_mgr.cxx +@@ -74,7 +74,22 @@ static bool commandSaveFlightPlan(const SGPropertyNode* arg) + { + FGRouteMgr* self = (FGRouteMgr*) globals->get_subsystem("route-manager"); + SGPath path = SGPath::fromUtf8(arg->getStringValue("path")); +- return self->saveRoute(path); ++ SGPath authorizedPath = fgValidatePath(path, true /* write */); ++ ++ if (!authorizedPath.isNull()) { ++ return self->saveRoute(authorizedPath); ++ } else { ++ std::string msg = ++ "The route manager was asked to write the flightplan to '" + ++ path.utf8Str() + "', but this path is not authorized for writing. " + ++ "Please choose another location, for instance in the $FG_HOME/Export " ++ "folder (" + (globals->get_fg_home() / "Export").utf8Str() + ")."; ++ ++ SG_LOG(SG_AUTOPILOT, SG_ALERT, msg); ++ modalMessageBox("FlightGear", "Unable to write to the specified file", ++ msg); ++ return false; ++ } + } + + static bool commandActivateFlightPlan(const SGPropertyNode* arg)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201708281536.v7SFa3qq006443>