Date:      Wed, 14 Dec 2016 11:12:53 +0000 (UTC)
From:      Ganael LAPLANCHE <martymac@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r428556 - in head/games/flightgear: . files
Message-ID:  <201612141112.uBEBCr4A072253@repo.freebsd.org>

Author: martymac
Date: Wed Dec 14 11:12:53 2016
New Revision: 428556
URL: https://svnweb.freebsd.org/changeset/ports/428556

Log:
  Backport security fix 280cd52
  
  Without this fix, a malicious aircraft maintainer can easily overwrite
  arbitrary files the user running FlightGear has write access to.
  
  Reported by:	Florent Rougon <f.rougon@free.fr>
  Security:	https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/

Added:
  head/games/flightgear/files/patch-280cd52-src-Autopilot-route_mgr.cxx   (contents, props changed)
Modified:
  head/games/flightgear/Makefile

Modified: head/games/flightgear/Makefile
==============================================================================
--- head/games/flightgear/Makefile	Wed Dec 14 10:19:07 2016	(r428555)
+++ head/games/flightgear/Makefile	Wed Dec 14 11:12:53 2016	(r428556)
@@ -3,6 +3,7 @@
 
 PORTNAME=	flightgear
 PORTVERSION=	2016.4.3
+PORTREVISION=	1
 CATEGORIES=	games
 MASTER_SITES=	SF/flightgear/release-${PORTVERSION:R}
 

Added: head/games/flightgear/files/patch-280cd52-src-Autopilot-route_mgr.cxx
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/games/flightgear/files/patch-280cd52-src-Autopilot-route_mgr.cxx	Wed Dec 14 11:12:53 2016	(r428556)
@@ -0,0 +1,55 @@
+commit 280cd523686fbdb175d50417266d2487a8ce67d2
+Author: Florent Rougon <f.rougon@free.fr>
+Date:   Fri Dec 9 11:29:13 2016 +0100
+
+    Security fix: don't allow the route manager to overwrite any file
+    
+    Since the Save function can be triggered from Nasal with an arbitrary
+    path, we must check this path before overwriting the file.
+    
+    (also add a missing include that is directly needed for this commit)
+
+diff --git src/Autopilot/route_mgr.cxx src/Autopilot/route_mgr.cxx
+index bae5b1d23..901c64e14 100644
+--- src/Autopilot/route_mgr.cxx
++++ src/Autopilot/route_mgr.cxx
+@@ -44,6 +44,7 @@
+ #include <simgear/timing/sg_time.hxx>
+ #include <simgear/sg_inlines.h>
+ 
++#include <Main/globals.hxx>
+ #include "Main/fg_props.hxx"
+ #include "Navaids/positioned.hxx"
+ #include <Navaids/waypoint.hxx>
+@@ -54,6 +55,8 @@
+ #include "Airports/runways.hxx"
+ #include <GUI/new_gui.hxx>
+ #include <GUI/dialog.hxx>
++#include <Main/util.hxx>        // fgValidatePath()
++#include <GUI/MessageBox.hxx>
+ 
+ #define RM "/autopilot/route-manager/"
+ 
+@@ -709,7 +712,21 @@ void FGRouteMgr::InputListener::valueChanged(SGPropertyNode *prop)
+       mgr->loadRoute(path);
+     } else if (!strcmp(s, "@SAVE")) {
+       SGPath path(mgr->_pathNode->getStringValue());
+-      mgr->saveRoute(path);
++      SGPath authorizedPath = fgValidatePath(path, true /* write */);
++
++      if (!authorizedPath.isNull()) {
++        mgr->saveRoute(authorizedPath);
++      } else {
++        std::string msg =
++          "The route manager was asked to write the flightplan to '" +
++          path.utf8Str() + "', but this path is not authorized for writing. " +
++          "Please choose another location, for instance in the $FG_HOME/Export "
++          "folder (" + (globals->get_fg_home() / "Export").utf8Str() + ").";
++
++        SG_LOG(SG_AUTOPILOT, SG_ALERT, msg);
++        modalMessageBox("FlightGear", "Unable to write to the specified file",
++                        msg);
++      }
+     } else if (!strcmp(s, "@NEXT")) {
+       mgr->jumpToIndex(mgr->currentIndex() + 1);
+     } else if (!strcmp(s, "@PREVIOUS")) {
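Review bot: Only the `@SAVE` branch is gated by this patch; the `@LOAD` branch shown as context at the top of the last inner hunk still calls `mgr->loadRoute(path)` with no visible `fgValidatePath()` check. If that path comes from the same Nasal-settable property node (its construction is outside the hunk, and loadRoute may validate internally), the read side deserves the same treatment: `SGPath authorizedPath = fgValidatePath(path, false /* read */);` followed by `if (!authorizedPath.isNull()) mgr->loadRoute(authorizedPath);`. Validation and the later write inside saveRoute are also separate steps, so the check is only as strong as fgValidatePath's handling of symlinks and relative components, which is not visible here. `valueChanged` starts and ends outside the hunk.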


