From markus at bluegap.ch Mon Mar 2 10:54:38 2015
From: markus at bluegap.ch (Markus Wanner)
Date: Mon, 02 Mar 2015 11:54:38 +0100
Subject: [pkg-fgfs-crew] Bug#779563: flightgear: no manpages for multiple binaries
Message-ID: <54F4416E.1020600@bluegap.ch>

Package: flightgear
Version: 3.4.0-0~exp1
Severity: minor
Tags: confirmed, upstream

There are no manpages associated with the following binaries of the
flightgear package (all in /usr/games/): MIDGsmooth, UGsmooth, fgcom,
fgelev, fgviewer, metar, yasim, yasim-proptest.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1513 bytes
Desc: OpenPGP digital signature
URL:

From owner at bugs.debian.org Mon Mar 2 15:51:06 2015
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Mon, 02 Mar 2015 15:51:06 +0000
Subject: [pkg-fgfs-crew] Processed (with 1 errors): Re: Bug#779563: flightgear: no manpages for multiple binaries
References: <54F486D9.3030801@bluegap.ch>
Message-ID:

Processing commands for control at bugs.debian.org:

> forwarded 779563 http://permalink.gmane.org/gmane.games.flightgear.devel/76775
Bug #779563 [flightgear] flightgear: no manpages for multiple binaries
Set Bug forwarded-to-address to 'http://permalink.gmane.org/gmane.games.flightgear.devel/76775'.
> thx
Unknown command or malformed arguments to command.
> End of message, stopping processing here.

Please contact me if you need assistance.
--
779563: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779563
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

From markus at bluegap.ch Wed Mar 18 09:20:05 2015
From: markus at bluegap.ch (Markus Wanner)
Date: Wed, 18 Mar 2015 10:20:05 +0100
Subject: [pkg-fgfs-crew] Bug#780712: flightgear: permissive file access allowed from nasal
Message-ID: <55094345.90501@bluegap.ch>

Package: flightgear
Version: 3.0.0-1
Severity: grave
Tags: security

Upstream has reported two related security issues in how FlightGear
restricts what files Nasal (its built-in scripting language for
aircraft) can access. This bug is tracking the portion related to the
flightgear source package:

-fgValidatePath uses a property listener to do the checking, and while
io.nas blocks direct removal of that listener, this can be bypassed by
deleting the entire property node.
Effect: Can read or write any file as the user (= arbitrary code
execution).
Fix: flightgear 6a30e7086ea2f1a060dd77dab6e7e8a15b43e82d

Regards

Markus Wanner

From markus at bluegap.ch Wed Mar 18 09:43:17 2015
From: markus at bluegap.ch (Markus Wanner)
Date: Wed, 18 Mar 2015 10:43:17 +0100
Subject: [pkg-fgfs-crew] Bug#780716: flightgear-data: nasal scripts can ready any file
Message-ID: <550948B5.7050500@bluegap.ch>

Package: flightgear-data
Version: 3.0.0-1
Severity: grave
Tags: security

Upstream has reported two related security issues in how FlightGear
restricts what files Nasal (its built-in scripting language for
aircraft) can access. This bug is tracking the portion related to the
flightgear-data package.

-The allowed directories for reading include FG_SCENERY, which can be
changed from Nasal via /sim/terrasync/scenery-dir.
Effect: Can read any file as the user.
Fix: fgdata 60da2094252cee1a5cdfe737f29becd5c6800549

Regards

Markus Wanner

From ftpmaster at ftp-master.debian.org Wed Mar 18 10:38:38 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Wed, 18 Mar 2015 10:38:38 +0000
Subject: [pkg-fgfs-crew] Processing of flightgear_3.0.0-5_amd64.changes
Message-ID:

flightgear_3.0.0-5_amd64.changes uploaded successfully to localhost
along with the files:
  flightgear_3.0.0-5.dsc
  flightgear_3.0.0-5.debian.tar.xz
  flightgear_3.0.0-5_amd64.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)

From markus_wanner-guest at moszumanska.debian.org Wed Mar 18 10:44:44 2015
From: markus_wanner-guest at moszumanska.debian.org (Markus Wanner) Date: Wed, 18 Mar 2015 10:44:44 +0000 Subject: [pkg-fgfs-crew] [flightgear-data] 01/01: Fix #780716, a security issue. In-Reply-To: <20150318104443.28131.25602@moszumanska.debian.org> References: <20150318104443.28131.25602@moszumanska.debian.org> Message-ID: This is an automated email from the git hooks/post-receive script. markus_wanner-guest pushed a commit to branch master in repository flightgear-data. commit d8603af7f98a6394442818d823a79b680b1f9e8b Author: Markus Wanner Date: Wed Mar 18 11:43:34 2015 +0100 Fix #780716, a security issue. Add patch 60da20.patch removing FG_SCENERY from the list of allowed directories to disallow nasal scripts from reading any file as the user. Finalize 3.0.0-3 for upload to unstable. --- debian/changelog | 10 +++++++++- debian/patches/60da20.patch | 21 +++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 31 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index b5286c9..008a1e7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +flightgear-data (3.0.0-3) unstable; urgency=high + + * Add patch 60da20.patch removing FG_SCENERY from the list of + allowed directories to disallow nasal scripts from reading any + file as the user. Closes: #780716. + + -- Markus Wanner Wed, 18 Mar 2015 10:43:34 +0100 + flightgear-data (3.0.0-2) unstable; urgency=medium [ Rebecca N. Palmer ] @@ -6,7 +14,7 @@ flightgear-data (3.0.0-2) unstable; urgency=medium [ Markus Wanner ] * Add patch translation-update-pt.diff. - -- Markus Wanner Mon, 27 Oct 2014 10:37:02 +0100 + -- Markus Wanner Fri, 07 Nov 2014 17:28:09 +0100 flightgear-data (3.0.0-1) unstable; urgency=low diff --git a/debian/patches/60da20.patch b/debian/patches/60da20.patch new file mode 100644 index 0000000..66a691a --- /dev/null +++ b/debian/patches/60da20.patch 
@@ -0,0 +1,21 @@ +Description: Drop FG_SCENERY from the accepted file access list + The allowed directories for reading include FG_SCENERY, which can + be changed from Nasal via /sim/terrasync/scenery-dir. Effectively + allowing a nasal script to access any file with the user's + permission. +Author: Rebecca N. Palmer +Last-Update: 13-03-2015 +Origin: http://sourceforge.net/p/flightgear/fgdata/ci/60da2094252cee1a5cdfe737f29becd5c6800549 + +diff --git a/Nasal/IOrules b/Nasal/IOrules +index 71d2f67..ddb0189 100644 +--- a/Nasal/IOrules ++++ b/Nasal/IOrules +@@ -28,7 +28,6 @@ + READ ALLOW $FG_ROOT/* + READ ALLOW $FG_HOME/* + READ ALLOW $FG_AIRCRAFT/* +-READ ALLOW $FG_SCENERY/* + + WRITE ALLOW /tmp/*.xml + WRITE ALLOW $FG_HOME/*.sav diff --git a/debian/patches/series b/debian/patches/series index 6bbe4c9..07e8348 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ 766251.patch translation-update-pt.diff +60da20.patch -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/flightgear-data.git From ftpmaster at ftp-master.debian.org Wed Mar 18 10:48:52 2015 
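Review bot: The second debian/changelog hunk rewrites the trailer of the already released 3.0.0-2 entry (`Mon, 27 Oct 2014 10:37:02 +0100` becomes `Fri, 07 Nov 2014 17:28:09 +0100`), which has nothing to do with the FG_SCENERY fix and is not mentioned in the commit message. Put that correction in its own commit, or name it in the message, so the history of this security upload shows only the security change. In the first hunk, the new 3.0.0-3 trailer reads 10:43:34 +0100 while the commit's own Date header reads 11:43:34 +0100; one of the two is an hour off.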
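Review bot: The embedded Nasal/IOrules hunk drops `READ ALLOW $FG_SCENERY/*` because that variable can be changed from Nasal, but the patch description does not say whether the remaining `$FG_ROOT`, `$FG_HOME` and `$FG_AIRCRAFT` rules were checked for the same property-driven override; state that in the Description so the allow-list can be audited from the patch alone. The context lines also still show `WRITE ALLOW /tmp/*.xml`, which deserves a sentence on why it stays. In the DEP-3 header of debian/patches/60da20.patch, `Last-Update: 13-03-2015` should be written `2015-03-13` (YYYY-MM-DD), and a `Bug-Debian:` field for #780716 is missing.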
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Wed, 18 Mar 2015 10:48:52 +0000
Subject: [pkg-fgfs-crew] flightgear_3.0.0-5_amd64.changes ACCEPTED into unstable
Message-ID:

Accepted:

Format: 1.8
Date: Wed, 18 Mar 2015 08:45:21 +0100
Source: flightgear
Binary: flightgear
Architecture: source amd64
Version: 3.0.0-5
Distribution: unstable
Urgency: high
Maintainer: Debian FlightGear Crew
Changed-By: Markus Wanner
Description:
 flightgear - Flight Gear Flight Simulator
Closes: 780712
Changes:
 flightgear (3.0.0-5) unstable; urgency=high
 .
   * Add patch 6a30e70.patch to better restrict file access from nasal
     scripts. Closes: #780712.

Thank you for your contribution to Debian.

From ftpmaster at ftp-master.debian.org Wed Mar 18 10:48:54 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Wed, 18 Mar 2015 10:48:54 +0000
Subject: [pkg-fgfs-crew] Processing of flightgear-data_3.0.0-3_amd64.changes
Message-ID:

flightgear-data_3.0.0-3_amd64.changes uploaded successfully to localhost
along with the files:
  flightgear-data_3.0.0-3.dsc
  flightgear-data_3.0.0-3.debian.tar.xz
  flightgear-data-base_3.0.0-3_all.deb
  flightgear-data-ai_3.0.0-3_all.deb
  flightgear-data-aircrafts_3.0.0-3_all.deb
  flightgear-data-models_3.0.0-3_all.deb
  flightgear-data-all_3.0.0-3_all.deb
  fgfs-base_3.0.0-3_all.deb
  fgfs-aircraft-base_3.0.0-3_all.deb
  fgfs-models-base_3.0.0-3_all.deb
  fgfs-scenery-base_3.0.0-3_all.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)

From owner at bugs.debian.org Wed Mar 18 10:51:10 2015
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 18 Mar 2015 10:51:10 +0000
Subject: [pkg-fgfs-crew] Bug#780712: marked as done (flightgear: permissive file access allowed from nasal)
References: <55094345.90501@bluegap.ch>
Message-ID:

Your message dated Wed, 18 Mar 2015 10:48:52 +0000
with message-id
and subject line Bug#780712: fixed in flightgear 3.0.0-5
has caused the Debian Bug report #780712,
regarding flightgear: permissive file access allowed from nasal
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
780712: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780712
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems
-------------- next part --------------
An embedded message was scrubbed...
From: Markus Wanner
Subject: flightgear: permissive file access allowed from nasal
Date: Wed, 18 Mar 2015 10:20:05 +0100
Size: 4518
URL:
-------------- next part --------------
An embedded message was scrubbed...
From: Markus Wanner
Subject: Bug#780712: fixed in flightgear 3.0.0-5
Date: Wed, 18 Mar 2015 10:48:52 +0000
Size: 5818
URL:

From ftpmaster at ftp-master.debian.org Wed Mar 18 11:14:10 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Wed, 18 Mar 2015 11:14:10 +0000
Subject: [pkg-fgfs-crew] flightgear-data_3.0.0-3_amd64.changes ACCEPTED into unstable
Message-ID:

Accepted:

Format: 1.8
Date: Wed, 18 Mar 2015 10:43:34 +0100
Source: flightgear-data
Binary: flightgear-data-base flightgear-data-ai flightgear-data-aircrafts flightgear-data-models flightgear-data-all fgfs-base fgfs-aircraft-base fgfs-models-base fgfs-scenery-base
Architecture: source all
Version: 3.0.0-3
Distribution: unstable
Urgency: high
Maintainer: Debian FlightGear Crew
Changed-By: Markus Wanner
Description:
 fgfs-aircraft-base - FlightGear aircraft data - transitional dummy package
 fgfs-base - FlightGear base data - transitional dummy package
 fgfs-models-base - FlightGear models data - transitional dummy package
 fgfs-scenery-base - FlightGear scenery data - transitional dummy package
 flightgear-data-ai - FlightGear Flight Simulator -- standard AI data
 flightgear-data-aircrafts - FlightGear Flight Simulator -- standard aircraft
 flightgear-data-all - FlightGear Flight Simulator - virtual package
 flightgear-data-base - FlightGear Flight Simulator -- base files
 flightgear-data-models - FlightGear Flight Simulator -- standard models
Closes: 780716
Changes:
 flightgear-data (3.0.0-3) unstable; urgency=high
 .
   * Add patch 60da20.patch removing FG_SCENERY from the list of
     allowed directories to disallow nasal scripts from reading any
     file as the user. Closes: #780716.

Thank you for your contribution to Debian.

From owner at bugs.debian.org Wed Mar 18 11:15:10 2015
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 18 Mar 2015 11:15:10 +0000
Subject: [pkg-fgfs-crew] Bug#780716: marked as done (flightgear-data: nasal scripts can ready any file)
References: <550948B5.7050500@bluegap.ch>
Message-ID:

Your message dated Wed, 18 Mar 2015 11:14:10 +0000
with message-id
and subject line Bug#780716: fixed in flightgear-data 3.0.0-3
has caused the Debian Bug report #780716,
regarding flightgear-data: nasal scripts can ready any file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
780716: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780716
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems
-------------- next part --------------
An embedded message was scrubbed...
From: Markus Wanner
Subject: flightgear-data: nasal scripts can ready any file
Date: Wed, 18 Mar 2015 10:43:17 +0100
Size: 4416
URL:
-------------- next part --------------
An embedded message was scrubbed...
From: Markus Wanner
Subject: Bug#780716: fixed in flightgear-data 3.0.0-3
Date: Wed, 18 Mar 2015 11:14:10 +0000
Size: 8982
URL:

From markus at bluegap.ch Fri Mar 20 14:02:18 2015
From: markus at bluegap.ch (Markus Wanner)
Date: Fri, 20 Mar 2015 15:02:18 +0100
Subject: [pkg-fgfs-crew] JPEG_FACTORY and CMAKE_SIMGEAR_SHARED in simgear debian/rules
In-Reply-To: <19009070.ShZof0ZM7f@saikrishna-hp>
References: <2857161.8YQVVQ39YX@saikrishna-hp> <54E756BE.3070207@bluegap.ch> <19009070.ShZof0ZM7f@saikrishna-hp>
Message-ID: <550C286A.80906@bluegap.ch>

Saikrishna,

On 02/22/2015 04:57 PM, Saikrishna Arcot wrote:
> Also, the in-progress launcher in Flightgear can be built by adding
> qtbase5-dev as a build-dependency. I've built the launcher on Utopic and
> it looks nice and is functional. The launcher can be used by running
> fgfs --launcher.
>
> With the launcher, the .desktop file could be changed to open the
> launcher instead of Flightgear directly.

Thanks for your hints. I incorporated both changes in the git repo's
experimental branch on alioth. The next upload will use the launcher.

Regards

Markus Wanner

From markus at bluegap.ch Fri Mar 20 14:06:57 2015
From: markus at bluegap.ch (Markus Wanner)
Date: Fri, 20 Mar 2015 15:06:57 +0100
Subject: [pkg-fgfs-crew] Backporting 3.4.0 to wheezy / Tightening flightgear's Build-Depends
In-Reply-To: <87mw45zkwx.fsf_-_@frougon.crabdance.com>
References: <20150218114952.22361.87121@moszumanska.debian.org> <87d257f7f7.fsf@frougon.crabdance.com> <54E4E859.4050609@bluegap.ch> <8761awykx9.fsf@frougon.crabdance.com> <54E7527D.5030501@bluegap.ch> <87mw45zkwx.fsf_-_@frougon.crabdance.com>
Message-ID: <550C2981.90805@bluegap.ch>

Florent,

On 02/22/2015 10:38 PM, Florent Rougon wrote:
> You're welcome. Also, backporting flightgear 3.4.0 to wheezy showed that
> its Build-Depends could be tightened a bit more:

Thanks for figuring this.

> - sqlite 3.7.14 or later is required because of sqlite3_close_v2()
>   (cf. );
>
> - the version of hts_engine in wheezy is too old (does not seem to
>   have HTS_Engine_set_speed()); I don't know the exact minimum version
>   required, but of course version 1.08 present in sid is OK
>   (/usr/share/doc/libhtsengine-dev/changelog.gz is very terse).

I checked and determined that 1.07 was the first version to sport that
specific function, so I set the B-D to >= 1.07~, as we're sure it
doesn't work with htsengine older than that.

Pushed to alioth, the next upload will feature the changes.

> No problem to build simgear and use the flightgear-data/experimental
> binary packages as is. flightgear-data-base depends on libjs-jquery-flot
> and libjs-leaflet which are not in wheezy. I backported them by means of
> a rebuild (which was not fun because of many B-Deps). However, being
> arch: all, the packages from sid could probably be used as is.

So, you're working on backporting flightgear-3.4 to ... wheezy?!?

Regards

Markus Wanner

From markus at bluegap.ch Fri Mar 20 18:03:32 2015
From: markus at bluegap.ch (Markus Wanner)
Date: Fri, 20 Mar 2015 19:03:32 +0100
Subject: [pkg-fgfs-crew] Bug#780867: flightgear: further restrict nasal permissions
Message-ID: <550C60F4.6010107@bluegap.ch>

Package: flightgear
Version: 3.0.0-5
Severity: important
Tags: confirmed

Hi,

as discovered by Adam D. Barratt, FlightGear's script language Nasal
could better sandbox the scripts executed:

 * write access to /tmp/*.xml is likely unneeded, see the upstream
   discussion, here:
   http://sourceforge.net/p/flightgear/mailman/message/33619992/

 * symlinks are followed, which allows breaking out of the permitted
   directories with a proper symlink.

This mostly serves as a reminder and tracking bug for myself.

Regards

Markus Wanner

From rebecca_palmer at zoho.com Fri Mar 20 19:19:36 2015
From: rebecca_palmer at zoho.com (Rebecca N. Palmer)
Date: Fri, 20 Mar 2015 19:19:36 +0000
Subject: [pkg-fgfs-crew] Bug#780867: Bug#780867: flightgear: further restrict nasal permissions
In-Reply-To: <550C60F4.6010107@bluegap.ch>
References: <550C60F4.6010107@bluegap.ch>
Message-ID: <550C72C8.1020200@zoho.com>

> * write access to /tmp/*.xml is likely unneeded,

Fixed upstream: 51bfdc21e0b4528797697d32664eacb15d297449.

> * symlinks are followed

As the remaining write-allowed directories are all under ~/.fgfs, not a
bug provided Nasal can't create symlinks (which I think it can't).

From noreply at release.debian.org Sat Mar 21 16:39:20 2015
From: noreply at release.debian.org (Debian testing watch)
Date: Sat, 21 Mar 2015 16:39:20 +0000
Subject: [pkg-fgfs-crew] flightgear-data 3.0.0-3 MIGRATED to testing
Message-ID:

FYI: The status of the flightgear-data source package
in Debian's testing distribution has changed.

  Previous version: 3.0.0-2
  Current version: 3.0.0-3

--
This email is automatically generated once a day. As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.

From noreply at release.debian.org Sat Mar 21 16:39:20 2015
From: noreply at release.debian.org (Debian testing watch)
Date: Sat, 21 Mar 2015 16:39:20 +0000
Subject: [pkg-fgfs-crew] flightgear 3.0.0-5 MIGRATED to testing
Message-ID:

FYI: The status of the flightgear source package
in Debian's testing distribution has changed.

  Previous version: 3.0.0-4
  Current version: 3.0.0-5

--
This email is automatically generated once a day. As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.

From f.rougon at free.fr Mon Mar 23 11:32:13 2015
From: f.rougon at free.fr (Florent Rougon)
Date: Mon, 23 Mar 2015 12:32:13 +0100
Subject: [pkg-fgfs-crew] Backporting 3.4.0 to wheezy / Tightening flightgear's Build-Depends
References: <20150218114952.22361.87121@moszumanska.debian.org> <87d257f7f7.fsf@frougon.crabdance.com> <54E4E859.4050609@bluegap.ch> <8761awykx9.fsf@frougon.crabdance.com> <54E7527D.5030501@bluegap.ch> <87mw45zkwx.fsf_-_@frougon.crabdance.com> <550C2981.90805@bluegap.ch>
Message-ID: <87iodshruq.fsf@frougon.crabdance.com>

Hi Markus,

Markus Wanner wrote:

[ Concerning tightening of flightgear's Build-Depends ]
> Pushed to alioth, the next upload will feature the changes.

Saw that, thank you.

> So, you're working on backporting flightgear-3.4 to ... wheezy?!?

Well, my nephews often play FlightGear on a computer that is still
running wheezy, so I backported it for them. The previous versions were
trivial (IIRC, the only requirement was to backport a recent enough
openscenegraph by simple rebuild), but 3.4 is a bit more tricky because
of the aforementioned libraries---hts_engine and sqlite---and the
webgui. So I thought I would leave a trace here in case someone wanted
to do the same...

(this is not targeted at backports.debian.org, as I can't guarantee to
apply all security fixes in time to these packages)

--
Florent

From hertzog at debian.org Mon Mar 23 14:18:12 2015
From: hertzog at debian.org (Raphael Hertzog)
Date: Mon, 23 Mar 2015 15:18:12 +0100
Subject: [pkg-fgfs-crew] Bug#780712: squeeze update of flightgear?
Message-ID: <20150323141812.GA26584@home.ouaza.com>

Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of flightgear:
https://security-tracker.debian.org/tracker/source-package/flightgear

Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts at lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

From rebecca_palmer at zoho.com Mon Mar 23 19:39:10 2015
From: rebecca_palmer at zoho.com (Rebecca N. Palmer)
Date: Mon, 23 Mar 2015 19:39:10 +0000
Subject: [pkg-fgfs-crew] Bug#780712: Bug#780712: squeeze update of flightgear?
In-Reply-To: <20150323141812.GA26584@home.ouaza.com>
References: <20150323141812.GA26584@home.ouaza.com>
Message-ID: <55106BDE.8030707@zoho.com>

(Not the maintainer.)

That's not the only security issue in squeeze's flightgear: there's also
#669024 and #669025 (the reasons there's no flightgear in wheezy).

From markus at bluegap.ch Wed Mar 25 08:28:01 2015
From: markus at bluegap.ch (Markus Wanner)
Date: Wed, 25 Mar 2015 09:28:01 +0100
Subject: [pkg-fgfs-crew] Bug#780712: squeeze update of flightgear?
In-Reply-To: <20150323141812.GA26584@home.ouaza.com>
References: <20150323141812.GA26584@home.ouaza.com>
Message-ID: <55127191.3070209@bluegap.ch>

Raphael,

On 03/23/2015 03:18 PM, Raphael Hertzog wrote:
> the Debian LTS team would like to fix the security issues which
> are currently open in the Squeeze version of flightgear:
> https://security-tracker.debian.org/tracker/source-package/flightgear
>
> Would you like to take care of this yourself? We are still
> understaffed so any help is always highly appreciated.

I'm sorry, I don't think I'll have time to work on this, myself. (Nor do
I think games are an important part of an LTS distribution. YMMV, of
course.)

Kind Regards

Markus Wanner

From f.rougon at free.fr Sat Mar 28 11:31:45 2015 From: f.rougon at free.fr (Florent Rougon) Date: Sat, 28 Mar 2015 12:31:45 +0100 Subject: [pkg-fgfs-crew] [PATCH] New patch: remove-slash-tmp-xml-files-from-allowed-paths-list_51bfdc21e0b4528797697d32664eacb15d297449.patch In-Reply-To: References: <550C72C8.1020200@zoho.com> Message-ID: <14a991326ac9430d4d261242858d154d8f74bc9f.1427878221.git.f.rougon@free.fr> Description: Nasal: remove /tmp/*.xml from allowed paths list Appears unused, and shouldn't be used on Windows Author: Rebecca N. Palmer Origin: upstream, https://sourceforge.net/p/flightgear/flightgear/ci/51bfdc21e0b4528797697d32664eacb15d297449/ Forwarded: not-needed Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780867 --- ...list_51bfdc21e0b4528797697d32664eacb15d297449.patch | 18 ++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 19 insertions(+) create mode 100644 debian/patches/remove-slash-tmp-xml-files-from-allowed-paths-list_51bfdc21e0b4528797697d32664eacb15d297449.patch diff --git a/debian/patches/remove-slash-tmp-xml-files-from-allowed-paths-list_51bfdc21e0b4528797697d32664eacb15d297449.patch b/debian/patches/remove-slash-tmp-xml-files-from-allowed-paths-list_51bfdc21e0b4528797697d32664eacb15d297449.patch new file mode 100644 index 0000000..f591b86 --- /dev/null +++ b/debian/patches/remove-slash-tmp-xml-files-from-allowed-paths-list_51bfdc21e0b4528797697d32664eacb15d297449.patch
@@ -0,0 +1,18 @@ +Description: Nasal: remove /tmp/*.xml from allowed paths list + Appears unused, and shouldn't be used on Windows +Author: Rebecca N. Palmer +Origin: upstream, https://sourceforge.net/p/flightgear/flightgear/ci/51bfdc21e0b4528797697d32664eacb15d297449/ +Forwarded: not-needed +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780867 +Last-Update: 2015-03-28 + +--- a/src/Main/util.cxx ++++ b/src/Main/util.cxx +@@ -105,7 +105,6 @@ + exit(-1); + } + } +- write_allowed_paths.push_back("/tmp/*.xml"); + write_allowed_paths.push_back(globals->get_fg_home() + "/*.sav"); + write_allowed_paths.push_back(globals->get_fg_home() + "/*.log"); + write_allowed_paths.push_back(globals->get_fg_home() + "/cache/*"); diff --git a/debian/patches/series b/debian/patches/series index 9208392..f6a254d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ 6a30e7.patch +remove-slash-tmp-xml-files-from-allowed-paths-list_51bfdc21e0b4528797697d32664eacb15d297449.patch -- 2.1.4
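Review bot: The header points `Bug-Debian:` at #780867, but the embedded src/Main/util.cxx hunk only removes `write_allowed_paths.push_back("/tmp/*.xml");`, the first of the two items in that report; the symlink item is not addressed, and the remaining entries such as `globals->get_fg_home() + "/cache/*"` stay wildcard patterns. Say in the Description that the patch covers only the /tmp item, so that the upload carrying it does not close the bug. The mail also touches only the patch file and debian/patches/series (2 files changed); a debian/changelog entry is needed before upload.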
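Review bot: In the debian/patches/series hunk, the new entry `remove-slash-tmp-xml-files-from-allowed-paths-list_51bfdc21e0b4528797697d32664eacb15d297449.patch` breaks with the short commit-prefix naming of the existing `6a30e7.patch`. Naming it after the upstream commit prefix in the same way keeps the series readable, and the full hash is already recorded in the `Origin:` field.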
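The symlink item from Bug#780867 earlier in this thread, as an added example that is not FlightGear code and not code from any of the posts: it contrasts matching an allow-list pattern against the path string as supplied with matching it after `realpath()` resolution. The function names, the rule semantics (`fnmatch()` with `*` spanning `/`) and the scratch directory layout are assumptions made for the illustration.

```cpp
// Added illustration, not FlightGear code. All names are hypothetical.
#include <cstdio>
#include <cstdlib>
#include <fnmatch.h>
#include <string>
#include <sys/stat.h>
#include <unistd.h>
#include <vector>

typedef std::vector<std::string> Rules;

// Match the path string exactly as the script supplied it. With flags 0,
// fnmatch() lets '*' span '/' (an assumption about how rules are matched).
bool allowed_lexical(const std::string& path, const Rules& rules) {
    for (const std::string& rule : rules)
        if (fnmatch(rule.c_str(), path.c_str(), 0) == 0) return true;
    return false;
}

// Canonicalise with realpath(): resolves symlinks, "." and "..".
static bool canonical(const std::string& path, std::string& out) {
    char* resolved = realpath(path.c_str(), nullptr);
    if (resolved == nullptr) return false;
    out = resolved;
    free(resolved);
    return true;
}

// Match the location open() would actually reach. An existing leaf is fully
// resolved (a dangling symlink fails to resolve and is refused); a leaf that
// does not exist yet is checked through its resolved parent directory.
bool allowed_resolved(const std::string& path, const Rules& rules) {
    std::string real;
    struct stat st;
    if (lstat(path.c_str(), &st) == 0)  // leaf exists: file, directory or link
        return canonical(path, real) && allowed_lexical(real, rules);
    std::string::size_type slash = path.rfind('/');
    if (slash == std::string::npos || slash + 1 == path.size()) return false;
    if (!canonical(path.substr(0, slash), real)) return false;
    return allowed_lexical(real + "/" + path.substr(slash + 1), rules);
}

struct DemoResult {
    bool setup_ok, lexical_via_link, resolved_via_link, resolved_new_file,
         resolved_dangling;
};

// Builds a constructed scratch tree: an allowed "cache" directory, a "secret"
// directory outside it, and two symlinks planted inside the allowed directory.
DemoResult run_demo() {
    DemoResult r = {false, false, false, false, false};
    const char* tmp = getenv("TMPDIR");
    std::string tmpl = std::string(tmp ? tmp : "/tmp") + "/iorules-demo-XXXXXX";
    std::string base;
    if (mkdtemp(&tmpl[0]) == nullptr || !canonical(tmpl, base)) return r;

    const std::string home = base + "/home", cache = home + "/cache";
    const std::string secret = base + "/secret", key = secret + "/key.txt";
    const std::string link = cache + "/link", dangling = cache + "/dangling";
    bool dirs = mkdir(home.c_str(), 0700) == 0 &&
                mkdir(cache.c_str(), 0700) == 0 &&
                mkdir(secret.c_str(), 0700) == 0;
    FILE* f = dirs ? fopen(key.c_str(), "w") : nullptr;
    if (f != nullptr) fclose(f);
    r.setup_ok = f != nullptr &&
                 symlink(secret.c_str(), link.c_str()) == 0 &&
                 symlink((secret + "/new.txt").c_str(), dangling.c_str()) == 0;

    Rules rules;
    rules.push_back(cache + "/*");  // the only allowed pattern
    r.lexical_via_link  = allowed_lexical(link + "/key.txt", rules);
    r.resolved_via_link = allowed_resolved(link + "/key.txt", rules);
    r.resolved_new_file = allowed_resolved(cache + "/ok.txt", rules);
    r.resolved_dangling = allowed_resolved(dangling, rules);

    // Remove the scratch tree again.
    unlink(link.c_str()); unlink(dangling.c_str()); unlink(key.c_str());
    rmdir(cache.c_str()); rmdir(home.c_str());
    rmdir(secret.c_str()); rmdir(base.c_str());
    return r;
}

int main() {
    DemoResult r = run_demo();
    std::printf("string match, path through link   : %s\n",
                r.lexical_via_link ? "ALLOW" : "DENY");
    std::printf("resolved match, path through link : %s\n",
                r.resolved_via_link ? "ALLOW" : "DENY");
    std::printf("resolved match, new file in cache : %s\n",
                r.resolved_new_file ? "ALLOW" : "DENY");
    std::printf("resolved match, dangling symlink  : %s\n",
                r.resolved_dangling ? "ALLOW" : "DENY");
    return r.setup_ok ? 0 : 1;
}
```

A resolve-then-open check of this kind can still race if the sandboxed code is able to create links itself, which is the proviso stated in the reply to Bug#780867.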