svn commit: r448872 - in head/games/flightgear: . files
Ganael LAPLANCHE
martymac at FreeBSD.org
Mon Aug 28 15:36:04 UTC 2017
Author: martymac
Date: Mon Aug 28 15:36:03 2017
New Revision: 448872
URL: https://svnweb.freebsd.org/changeset/ports/448872
Log:
- Backport commits 0ba2ac31 and 1ad2bf44 (fixes for CVE-2017-13709)
- Rename patch patch-src-Autopilot-route_mgr.cxx to a more explicit name
Reported by: Florent Rougon <f.rougon at free.fr>
Added:
head/games/flightgear/files/patch-CVE-2017-13709.txt (contents, props changed)
head/games/flightgear/files/patch-CVE-2017-8921.txt
- copied unchanged from r448871, head/games/flightgear/files/patch-src-Autopilot-route_mgr.cxx
Deleted:
head/games/flightgear/files/patch-src-Autopilot-route_mgr.cxx
Modified:
head/games/flightgear/Makefile
Modified: head/games/flightgear/Makefile
==============================================================================
--- head/games/flightgear/Makefile Mon Aug 28 15:16:50 2017 (r448871)
+++ head/games/flightgear/Makefile Mon Aug 28 15:36:03 2017 (r448872)
@@ -3,7 +3,7 @@
PORTNAME= flightgear
PORTVERSION= 2017.1.3
-PORTREVISION= 5
+PORTREVISION= 6
CATEGORIES= games
MASTER_SITES= SF/flightgear/release-${PORTVERSION:R}
Added: head/games/flightgear/files/patch-CVE-2017-13709.txt
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/games/flightgear/files/patch-CVE-2017-13709.txt Mon Aug 28 15:36:03 2017 (r448872)
@@ -0,0 +1,129 @@
+Backport of commits 0ba2ac31 and 1ad2bf44
+
+Fixes CVE-2017-13709.
+
+--- src/Main/fg_init.cxx.orig
++++ src/Main/fg_init.cxx
+@@ -1090,7 +1090,12 @@ void fgStartNewReset()
+ fgInitGeneral(); // all of this?
+
+ flightgear::Options::sharedInstance()->processOptions();
+-
++
++ // Rebuild the lists of allowed paths for cases where a path comes from an
++ // untrusted source, such as the global property tree (this uses $FG_HOME
++ // and other paths set by Options::processOptions()).
++ fgInitAllowedPaths();
++
+ // PRESERVED properties over-write state from options, intentionally
+ if ( copyProperties(preserved, globals->get_props()) ) {
+ SG_LOG( SG_GENERAL, SG_INFO, "Preserved state restored successfully" );
+--- src/Main/main.cxx.orig
++++ src/Main/main.cxx
+@@ -536,7 +536,12 @@ int fgMainInit( int argc, char **argv )
+ } else if (configResult == flightgear::FG_OPTIONS_EXIT) {
+ return EXIT_SUCCESS;
+ }
+-
++
++ // Set the lists of allowed paths for cases where a path comes from an
++ // untrusted source, such as the global property tree (this uses $FG_HOME
++ // and other paths set by Options::processOptions()).
++ fgInitAllowedPaths();
++
+ // Initialize the Window/Graphics environment.
+ fgOSInit(&argc, argv);
+ _bootstrap_OSInit++;
+--- src/Scripting/NasalSys.cxx.orig
++++ src/Scripting/NasalSys.cxx
+@@ -909,10 +909,6 @@ void FGNasalSys::init()
+ .member("simulatedTime", &TimerObj::isSimTime, &f_timerObj_setSimTime)
+ .member("isRunning", &TimerObj::isRunning);
+
+-
+- // Set allowed paths for Nasal I/O
+- fgInitAllowedPaths();
+-
+ // Now load the various source files in the Nasal directory
+ simgear::Dir nasalDir(SGPath(globals->get_fg_root(), "Nasal"));
+ loadScriptDirectory(nasalDir);
+--- src/Main/logger.cxx.orig
++++ src/Main/logger.cxx
+@@ -9,12 +9,17 @@
+
+ #include "logger.hxx"
+
+-#include <fstream>
++#include <ios>
+ #include <string>
++#include <cstdlib>
+
+ #include <simgear/debug/logstream.hxx>
++#include <simgear/io/iostreams/sgstream.hxx>
++#include <simgear/misc/sg_path.hxx>
+
+ #include "fg_props.hxx"
++#include "globals.hxx"
++#include "util.hxx"
+
+ using std::string;
+ using std::endl;
+@@ -59,6 +64,25 @@ FGLogger::init ()
+ child->setStringValue("filename", filename.c_str());
+ }
+
++ // Security: the path comes from the global Property Tree; it *must* be
++ // validated before we overwrite the file.
++ const SGPath authorizedPath = fgValidatePath(SGPath::fromUtf8(filename),
++ /* write */ true);
++
++ if (authorizedPath.isNull()) {
++ const string propertyPath = child->getChild("filename")
++ ->getPath(/* simplify */ true);
++ const string msg =
++ "The FGLogger logging system, via the '" + propertyPath + "' property, "
++ "was asked to write to '" + filename + "', however this path is not "
++ "authorized for writing anymore for security reasons. " +
++ "Please choose another location, for instance in the $FG_HOME/Export "
++ "folder (" + (globals->get_fg_home() / "Export").utf8Str() + ").";
++
++ SG_LOG(SG_GENERAL, SG_ALERT, msg);
++ exit(EXIT_FAILURE);
++ }
++
+ string delimiter = child->getStringValue("delimiter");
+ if (delimiter.empty()) {
+ delimiter = ",";
+@@ -68,7 +92,8 @@ FGLogger::init ()
+ log.interval_ms = child->getLongValue("interval-ms");
+ log.last_time_ms = globals->get_sim_time_sec() * 1000;
+ log.delimiter = delimiter.c_str()[0];
+- log.output = new std::ofstream(filename.c_str());
++ // Security: use the return value of fgValidatePath()
++ log.output = new sg_ofstream(authorizedPath, std::ios_base::out);
+ if (!log.output) {
+ SG_LOG(SG_GENERAL, SG_ALERT, "Cannot write log to " << filename);
+ continue;
+--- src/Main/logger.hxx.orig
++++ src/Main/logger.hxx
+@@ -6,10 +6,10 @@
+ #ifndef __LOGGER_HXX
+ #define __LOGGER_HXX 1
+
+-#include <iosfwd>
+ #include <vector>
+
+ #include <simgear/compiler.h>
++#include <simgear/io/iostreams/sgstream.hxx>
+ #include <simgear/structure/subsystem_mgr.hxx>
+ #include <simgear/props/props.hxx>
+
+@@ -39,7 +39,7 @@ private:
+ Log ();
+ virtual ~Log ();
+ std::vector<SGPropertyNode_ptr> nodes;
+- std::ostream * output;
++ sg_ofstream * output;
+ long interval_ms;
+ double last_time_ms;
+ char delimiter;
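Review bot: The `if (!log.output)` test that follows `log.output = new sg_ofstream(authorizedPath, std::ios_base::out);` in the last logger.cxx hunk checks the pointer returned by `new`, which is never null. A validated path that still cannot be opened (missing directory, permissions) is therefore never reported, and the "Cannot write log to" branch is dead code. Assuming sg_ofstream reports open failure through its stream state as std::ofstream does, test the stream instead: `if (!log.output->is_open()) {`. FGLogger::init begins and ends outside the hunk, so whether the `continue` path releases the stream cannot be seen from here. Separately, the rejection branch ends the whole process with `exit(EXIT_FAILURE)`; a one-line comment such as `// Fail closed: refuse to run rather than write to an unvalidated path` would record that this is intended.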
Copied: head/games/flightgear/files/patch-CVE-2017-8921.txt (from r448871, head/games/flightgear/files/patch-src-Autopilot-route_mgr.cxx)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/games/flightgear/files/patch-CVE-2017-8921.txt Mon Aug 28 15:36:03 2017 (r448872, copy of r448871, head/games/flightgear/files/patch-src-Autopilot-route_mgr.cxx)
@@ -0,0 +1,28 @@
+Fix for CVE-2017-8921 (backport of commit faf872e7)
+
+--- src/Autopilot/route_mgr.cxx.orig
++++ src/Autopilot/route_mgr.cxx
+@@ -74,7 +74,22 @@ static bool commandSaveFlightPlan(const SGPropertyNode* arg)
+ {
+ FGRouteMgr* self = (FGRouteMgr*) globals->get_subsystem("route-manager");
+ SGPath path = SGPath::fromUtf8(arg->getStringValue("path"));
+- return self->saveRoute(path);
++ SGPath authorizedPath = fgValidatePath(path, true /* write */);
++
++ if (!authorizedPath.isNull()) {
++ return self->saveRoute(authorizedPath);
++ } else {
++ std::string msg =
++ "The route manager was asked to write the flightplan to '" +
++ path.utf8Str() + "', but this path is not authorized for writing. " +
++ "Please choose another location, for instance in the $FG_HOME/Export "
++ "folder (" + (globals->get_fg_home() / "Export").utf8Str() + ").";
++
++ SG_LOG(SG_AUTOPILOT, SG_ALERT, msg);
++ modalMessageBox("FlightGear", "Unable to write to the specified file",
++ msg);
++ return false;
++ }
+ }
+
+ static bool commandActivateFlightPlan(const SGPropertyNode* arg)