Bug 15809 - flightgear, flightgear-data new security issues with nasal scripting language
Summary: flightgear, flightgear-data new security issues with nasal scripting language
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: José Jorge
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/642647/
Depends on:
Reported: 2015-04-30 19:47 CEST by David Walser
Modified: 2015-06-20 15:33 CEST (History)
1 user (show)

See Also:
Source RPM: flightgear, flightgear-data
Status comment:


Description David Walser 2015-04-30 19:47:20 CEST
Fedora has issued advisories on April 21:

It's unknown which versions are affected.


Steps to Reproduce:
Comment 1 David Walser 2015-05-02 21:19:57 CEST
flightgear-3.4.0-2.mga5 and flightgear-data-3.4.0-2.mga5 uploaded for Cauldron.

Debian believes older version to be vulnerable:

Version: Cauldron => 4

Rémi Verschelde 2015-06-06 16:18:18 CEST

CC: (none) => lists.jjorge

Comment 2 Rémi Verschelde 2015-06-06 16:22:42 CEST
Fedora did not bother patching FlightGear 2.12.0 in Fedora 20: http://pkgs.fedoraproject.org/cgit/FlightGear.git/log/FlightGear.spec?h=f20

I've had a look at how to patch our flightgear 2.12.1 in Mageia 4, but the involved code changed a lot in the 3.x branch, and I won't be able to make a patch that fixes the security issue without breaking the feature.

The security issue does not seem very critical to me, so I'd be tempted to close this as WONTFIX. WDYT David?
Comment 3 José Jorge 2015-06-06 16:42:38 CEST
I think as we have fgfs 3.x in backports which is working, the better idea would be to provide flightgear-3.4.0-1.mga4 as an update, with simgear and co.

But sorry, no time for that this days (I'm on strike at work ;-).


Comment 4 Rémi Verschelde 2015-06-06 16:47:21 CEST
Yeah that's a possibility too.

Assignee: rverschelde => lists.jjorge

Comment 5 David Walser 2015-06-06 18:12:34 CEST
I'd be OK with not fixing this.
Comment 6 Rémi Verschelde 2015-06-20 15:33:31 CEST
Closing as WONTFIX for now, the FlightGear version in Mageia 4 is now quite old and I'm not sure doing a late update to 3.4.0 would be good for users who play using the old version.

It's still not fixed either in Fedora 20 nor Debian squeeze.

Resolution: (none) => WONTFIX

Note You need to log in before you can comment on or make changes to this bug.