svn commit: r428556 - in head/games/flightgear: . files

Ganael LAPLANCHE martymac at FreeBSD.org
Wed Dec 14 11:12:54 UTC 2016 

Author: martymac
Date: Wed Dec 14 11:12:53 2016
New Revision: 428556
URL: https://svnweb.freebsd.org/changeset/ports/428556

Log:
  Backport security fix 280cd52
  
  Without this fix, a malicious aircraft maintainer can easily overwrite
  arbitrary files the user running FlightGear has write access to.
  
  Reported by:	Florent Rougon <f.rougon at free.fr>
  Security:	https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/

Added:
  head/games/flightgear/files/patch-280cd52-src-Autopilot-route_mgr.cxx   (contents, props changed)
Modified:
  head/games/flightgear/Makefile

Modified: head/games/flightgear/Makefile
==============================================================================
--- head/games/flightgear/Makefile	Wed Dec 14 10:19:07 2016	(r428555)
+++ head/games/flightgear/Makefile	Wed Dec 14 11:12:53 2016	(r428556)
@@ -3,6 +3,7 @@
 
 PORTNAME=	flightgear
 PORTVERSION=	2016.4.3
+PORTREVISION=	1
 CATEGORIES=	games
 MASTER_SITES=	SF/flightgear/release-${PORTVERSION:R}
 

Added: head/games/flightgear/files/patch-280cd52-src-Autopilot-route_mgr.cxx
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/games/flightgear/files/patch-280cd52-src-Autopilot-route_mgr.cxx	Wed Dec 14 11:12:53 2016	(r428556)
@@ -0,0 +1,55 @@
+commit 280cd523686fbdb175d50417266d2487a8ce67d2
+Author: Florent Rougon <f.rougon at free.fr>
+Date:   Fri Dec 9 11:29:13 2016 +0100
+
+    Security fix: don't allow the route manager to overwrite any file
+    
+    Since the Save function can be triggered from Nasal with an arbitrary
+    path, we must check this path before overwriting the file.
+    
+    (also add a missing include that is directly needed for this commit)
+
+diff --git src/Autopilot/route_mgr.cxx src/Autopilot/route_mgr.cxx
+index bae5b1d23..901c64e14 100644
+--- src/Autopilot/route_mgr.cxx
++++ src/Autopilot/route_mgr.cxx
+@@ -44,6 +44,7 @@
+ #include <simgear/timing/sg_time.hxx>
+ #include <simgear/sg_inlines.h>
+ 
++#include <Main/globals.hxx>
+ #include "Main/fg_props.hxx"
+ #include "Navaids/positioned.hxx"
+ #include <Navaids/waypoint.hxx>
+@@ -54,6 +55,8 @@
+ #include "Airports/runways.hxx"
+ #include <GUI/new_gui.hxx>
+ #include <GUI/dialog.hxx>
++#include <Main/util.hxx>        // fgValidatePath()
++#include <GUI/MessageBox.hxx>
+ 
+ #define RM "/autopilot/route-manager/"
+ 
+@@ -709,7 +712,21 @@ void FGRouteMgr::InputListener::valueChanged(SGPropertyNode *prop)
+       mgr->loadRoute(path);
+     } else if (!strcmp(s, "@SAVE")) {
+       SGPath path(mgr->_pathNode->getStringValue());
+-      mgr->saveRoute(path);
++      SGPath authorizedPath = fgValidatePath(path, true /* write */);
++
++      if (!authorizedPath.isNull()) {
++        mgr->saveRoute(authorizedPath);
++      } else {
++        std::string msg =
++          "The route manager was asked to write the flightplan to '" +
++          path.utf8Str() + "', but this path is not authorized for writing. " +
++          "Please choose another location, for instance in the $FG_HOME/Export "
++          "folder (" + (globals->get_fg_home() / "Export").utf8Str() + ").";
++
++        SG_LOG(SG_AUTOPILOT, SG_ALERT, msg);
++        modalMessageBox("FlightGear", "Unable to write to the specified file",
++                        msg);
++      }
+     } else if (!strcmp(s, "@NEXT")) {
+       mgr->jumpToIndex(mgr->currentIndex() + 1);
+     } else if (!strcmp(s, "@PREVIOUS")) {

More information about the svn-ports-head mailing list