| Summary: | flightgear issue with nasal scripting language (CVE-2016-9956) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | cae, lewyssmith, lists.jjorge, qa-bugs, rverschelde, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lwn.net/Vulnerabilities/709841/ | ||
| Whiteboard: | MGA5-64-OK advisory MGA5-32-OK | ||
| Source RPM: | flightgear-3.4.0-2.mga5 | CVE: | |
| Status comment: | |||
|
Description
David Walser
2016-12-14 17:45:23 CET
David Walser
2016-12-14 17:45:36 CET
CC: (none) => rverschelde

In MGA5, we have the same 2016.4.2 version in backports. A 2016.4.3 version was released on 2016/12/06 with other fixes. I suggest we wait for upstream to release 2017.1 version, as they release often.

I changed my mind, and committed 2016.4.3 release adding the security patch. I will also push it to MGA5 backports as the security fix.

Status: NEW => ASSIGNED

The fix for this bug is in cauldron, and was also submitted to backports testing for 5.

How to test: install the 3 RPMS flightgear flightgear-data and simgear.

RPMS:
flightgear-2016.4.3-1.mga5.x86_64.rpm
flightgear-data-2016.4.3-1.mga5.noarch.rpm
simgear-devel-2016.4.3-1.mga5.x86_64.rpm
simgear-2016.4.3-1.mga5.x86_64.rpm

SRPMS:
flightgear-2016.4.3-1.mga5.srpm
flightgear-data-2016.4.3-1.srpm
simgear-2016.4.3-1.mga5.srpm

Keywords: (none) => Backport

Sysadmins, please remove all 2016.4.2 RPMS from backports testing, as this version supersedes them.

This is a security bug for the flightgear packages that we actually support, and we do have flightgear packaged in Mageia 5, so we need an update for that. If you want to update the backport package too, you can file a separate bug for that.

CC: (none) => qa-bugs
Rémi Verschelde
2016-12-15 13:43:52 CET
Source RPM: flightgear-2016-4.1-1.1.mga.src.rpm => flightgear-3.4.0-2.mga5

The patch shouldn't be too hard to cherry-pick:
https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/

Actually Debian went the easy way:
> Found in version flightgear/3.0.0-5
> Fixed in version flightgear/1:2016.4.3+dfsg-1

If you look at message 5 in the Debian bug, they actually did backport the patch:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848114

(In reply to David Walser from comment #8)
> If you look at message 5 in the Debian bug, they actually did backport the
> patch:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848114

Thank you for driving me the right way, David ;-)

So I have pushed to updates_testing a patched flightgear 3.4.0-2.1.

Advisory:
A security bug was found in all FlightGear versions since 2009, that allows an attacker to overwrite any file the flightgear user owns. An upstream patch was applied to the Mageia FlightGear package.

Ref:
https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/

RPMS:
flightgear-3.4.0-2.1.mga5.x86_64.rpm
flightgear-3.4.0-2.1.mga5.i586.rpm

SRPM:
flightgear-3.4.0-2.1.mga5.src.rpm

Keywords: Backport => (none)
José Jorge
2016-12-15 17:51:10 CET
Assignee: lists.jjorge => qa-bugs

It didn't build:
http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20161215164404.zezinho.duvel.22116/log/flightgear-3.4.0-2.1.mga5/build.0.20161215164525.log

It looks like you used the upstream patch rather than the one Debian backported, which I believe will fix this build error.

PS - Please include the Debian bug in your advisory references.

Assignee: qa-bugs => lists.jjorge

CVE-2016-9956 has been assigned:
http://openwall.com/lists/oss-security/2016/12/15/10

Summary: flightgear issue with nasal scripting language => flightgear issue with nasal scripting language (CVE-2016-9956)

You are right, I shouldn't commit between beer and whisky ;-)

Advisory:
A security bug CVE-2016-9956 was found in all FlightGear versions since 2009, that allows an attacker to overwrite any file the flightgear user owns. The Debian adaptation of upstream patch was applied to the Mageia FlightGear package.

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848114
http://openwall.com/lists/oss-security/2016/12/15/10

RPMS:
flightgear-3.4.0-2.1.mga5.x86_64.rpm
flightgear-3.4.0-2.1.mga5.i586.rpm

SRPM:
flightgear-3.4.0-2.1.mga5.src.rpm
José Jorge
2016-12-15 22:36:19 CET
Assignee: lists.jjorge => qa-bugs

Debian has issued an advisory for this on December 20:
https://www.debian.org/security/2016/dsa-3742

URL: (none) => https://lwn.net/Vulnerabilities/709841/

Testing M5 x64 real hardware, AMD/ATI/Radeon video

You need a lot of time to even poke this.

BEFORE update

Installing just 'flightgear' pulled in, among other things, the apparently related pkgs:
fgrun 3.4.0 1.mga5 x86_64
flightgear 3.4.0 2.mga5 x86_64
flightgear-data 3.4.0 2.mga5 noarch
simgear 3.4.0 1.mga5 x86_64

I find the different pkg release versions odd. This is a huge download, 1Gb -> 1.8Gb on disc.

The Games sub-menu shows 'Flightgear'; & 'Flightgear Launch Control' = fgrun = FlightGear Wizard. Simgear = ?

$ simgear
bash: simgear: command not found

Fired up FlightGear, which takes forever while it loads all its data. Tried the 1st step of the suggested Tutorial. It seems to ignore all the keyboard actions it proposes, notably PgUp. But maybe this does work if hit often enough, because things did advance minutely.

Tried Flightgear Wizard to change aircraft. This launches a Log window showing nothing but flickering as if it is trying to show something. Trying 'view' says it is starting Flightgear, but that never appeared. Gave up. It moves at least.

AFTER update to: flightgear-3.4.0-2.1.mga5

No problems, and happily only Flightgear itself is involved (no ginormous download); but the resulting version mix is even worse:
fgrun-3.4.0-1.mga5
flightgear-3.4.0-2.1.mga5
flightgear-data-3.4.0-2.mga5
simgear-3.4.0-1.mga5

Flightgear Wizard behaved as previously, 'view' saying it starts Flightgear which never appears, empty flickering Log window.

Flightgear itself started a bit quicker. Tried the 2nd tutorial step, and again felt that it ignores keyboard commands. But clearly not completely, because the plane ended up taxiing out of control!

This seems to work or not as before the update, so deeming it OK.

CC: (none) => lewyssmith

(In reply to Lewis Smith from comment #14)
> because the plane ended up taxiing out of control!

This is the standard behaviour :)

No 32 bit system to test this update?

Installed i586 on 32-bit Athlon XP. Installs and loads without problem but performance is slow, it may need a newer faster cpu. Ok for update.

CC: (none) => cae

Thank you Charles. OKing 32-bit, Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0011.html

Status: ASSIGNED => RESOLVED