Bug 1055850 - (CVE-2017-13709) VUL-0: CVE-2017-13709: FlightGear: Incorrect access control in FlightGear
Status: RESOLVED WONTFIX
Classification: openSUSE
Product: openSUSE Distribution
Component: Other
Version: Leap 42.3
Hardware: Other  OS: Other
Priority: P3 - Medium  Severity: Normal
Assigned To: Wojciech Kazubski
Reported: 2017-08-28 07:02 UTC by Marcus Meissner
Modified: 2019-07-11 14:23 UTC (History)
CC: 2 users

Found By: Security Response Team
Description Marcus Meissner 2017-08-28 07:02:39 UTC
CVE-2017-13709

Hi,

Please find below the info for CVE-2017-13709. I'm also attaching a
patch combining the security fix applied to FlightGear's 'next'
branch[1] with its parent commit[2], because [1] requires [2] to work
properly.

However, I don't expect the combined patch nor [2] to apply cleanly to
FlightGear 2017.2 or earlier, because commit [3] introduced changes in
the close vicinity of the changes in [2] (two conflicts). If you need to
adapt [2] for such releases, just put the fgInitAllowedPaths() call
after the one to Options::processOptions() in src/Main/fg_init.cxx[4] and
src/Main/main.cxx[5], and you should be good.

I will probably backport the needed changes to a few of the last
releases in the next days: see the FlightGear release branches at [6].

[1] https://sourceforge.net/p/flightgear/flightgear/ci/2a5e3d06b2c0d9f831063afe7e7260bca456d679/
[2] https://sourceforge.net/p/flightgear/flightgear/ci/c7a2aef59979af3e9ff22daabb37bdaadb91cd75/
[3] https://sourceforge.net/p/flightgear/flightgear/ci/b2cc191bc665d13f50360e5508234e653669a372/
[4] https://sourceforge.net/p/flightgear/flightgear/ci/next/tree/src/Main/fg_init.cxx#l1147
[5] https://sourceforge.net/p/flightgear/flightgear/ci/next/tree/src/Main/main.cxx#l543
[6] https://sourceforge.net/p/flightgear/flightgear/ref/next/branches/

Now here is the info for CVE-2017-13709:

[Suggested description]
In FlightGear before version 2017.3.1, Main/logger.cxx in the FGLogger
subsystem allows one to overwrite any file via a resource that affects
the contents of the global Property Tree.

------------------------------------------

[Additional Information]
In FlightGear before version 2017.3.1, the FGLogger subsystem allows
one to overwrite any file the user has write access to (with enough
control over the contents to run arbitrary commands if the target file
is then executed). A resource such as a malicious third-party aircraft
or add-on could exploit this to damage files belonging to the user.

The security fix
(https://sourceforge.net/p/flightgear/flightgear/ci/2a5e3d06b2c0d9f831063afe7e7260bca456d679/)
requires its parent commit
(https://sourceforge.net/p/flightgear/flightgear/ci/c7a2aef59979af3e9ff22daabb37bdaadb91cd75/)
to work correctly.

We are not aware of any malicious resource exploiting the problem.

The fix will be in FlightGear 2017.3.1 (expected in a few days).

------------------------------------------

[Vulnerability Type]
Incorrect Access Control

------------------------------------------

[Vendor of Product]
FlightGear (http://flightgear.org/)

------------------------------------------

[Affected Product Code Base]
FlightGear - Affected: releases earlier than 2017.3.1 (at least since
version 2.0.0).

------------------------------------------

[Affected Component]
source file: src/Main/logger.cxx in the FlightGear repository
(https://sourceforge.net/p/flightgear/flightgear/ci/next/tree/src/Main/logger.cxx)
executable: fgfs

------------------------------------------

[Attack Type]
Local

------------------------------------------

[Impact Code execution]
true

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[CVE Impact Other]
Allows one to overwrite any file the user has write access to, and to
control a significant part of the written contents. This leads to code
execution using .bashrc and such.

------------------------------------------

[Attack Vectors]
Trick users into installing a resource that enables logging to a
chosen file, via properties /logging/log/... For instance, a malicious
third-party aircraft or add-on could do that (add-ons loaded via 'fgfs
--addon=...').

------------------------------------------

[Reference]
https://sourceforge.net/p/flightgear/flightgear/ci/2a5e3d06b2c0d9f831063afe7e7260bca456d679/
https://sourceforge.net/p/flightgear/flightgear/ci/c7a2aef59979af3e9ff22daabb37bdaadb91cd75/

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
wkitty42

-- 
Florent


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13709
http://seclists.org/oss-sec/2017/q3/350
Comment 1 Marcus Meissner 2017-08-28 07:03:13 UTC
FWIW, can you also set a Maintainer and Bugowner in games/FlightGear?
Comment 2 Karl Cheng 2018-02-16 23:19:55 UTC
Leap 42.3 still has vulnerable version.
Comment 3 Tomáš Chvátal 2019-07-11 11:18:30 UTC
This is automated batch bugzilla cleanup.

The openSUSE 42.3 changed to end-of-life (EOL [1]) status. As such
it is no longer maintained, which means that it will not receive any
further security or bug fix updates.
As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
openSUSE (at this moment openSUSE Leap 15.1, 15.0 and Tumbleweed) please
feel free to reopen this bug against that version (!you must update the
"Version" component in the bug fields, do not just reopen please), or
alternatively create a new ticket.

Thank you for reporting this bug and we are sorry it could not be fixed
during the lifetime of the release.

[1] https://en.opensuse.org/Lifetime
Comment 4 Marcus Meissner 2019-07-11 14:23:51 UTC
Leap 15.0 is fixed.