Mageia Bugzilla – Bug 19948
flightgear issue with nasal scripting language (CVE-2016-9956)
Last modified: 2017-01-09 11:12:21 CET
A CVE has been requested for a security issue fixed upstream in flightgear:
I'm not sure if there's any relation to the Bug 15809 issue(s).
The upstream commit fixing the issue is linked in the message above.
Debian has backported the patch to 3.0.0, which may be helpful for Mageia 5.
In MGA5, we have the same 2016.4.2 version in backports.
A 2016.4.3 version was released on 2016/12/06 with other fixes. I suggest we wait for upstream to release 2017.1 version, as the release often.
I changed my mind, and commited 2016.4.3 release adding the security patch.
I will also push it to MGA5 backports as the security fix.
The fix for this bug is in cauldron, and was also submitted to backports testing for 5.
How to test : install the 3 RPMS flightgear flightgear-data and simgear.
Sysadmins, please remove all 2016.4.2 RPMS from backports testing, as this version supercedes them.
This is a security bug for the flightgear packages that we actually support, and we do have flightgear packaged in Mageia 5, so we need an update for that. If you want to update the backport package too, you can file a separate bug for that.
The patch shouldn't too hard to cherry-pick: https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/
Actually Debian went the easy way:
> Found in version flightgear/3.0.0-5
> Fixed in version flightgear/1:2016.4.3+dfsg-1
If you look at message 5 in the Debian bug, they actually did backport the patch:
(In reply to David Walser from comment #8)
> If you look at message 5 in the Debian bug, they actually did backport the
Thank you to drive me the right way David ;-)
So I have pushed to updates_testing a patched flightgear 3.4.0-2.1 .
A security bug was found in all FlightGear versions since 2009, that allow an attacker to overwrite any file the flightgear user owns.
An upstream patch was applied to the Mageia FlightGear package.
It didn't build:
It looks like you used the upstream patch rather than the one Debian backported, which I believe will fix this build error.
PS - Please include the Debian bug in your advisory references.
CVE-2016-9956 has been assigned:
You are right, I shouldn't commit between beer and whisky ;-)
A security bug CVE-2016-9956 was found in all FlightGear versions since 2009, that allow an attacker to overwrite any file the flightgear user owns.
The Debian adaptation of upstream patch was applied to the Mageia FlightGear package.
Debian has issued an advisory for this on December 20:
Testing M5 x64 real hardware, AMD/ATI/Radeon video
You need a lot of time to even poke this.
Installing just 'flightgear' puuleed in, among other things, the apparently related pkgs:
fgrun 3.4.0 1.mga5 x86_64
flightgear 3.4.0 2.mga5 x86_64
flightgear-data 3.4.0 2.mga5 noarch
simgear 3.4.0 1.mga5 x86_64
I find the different pkg release versions odd.
This is a huge download, 1Gb -> 1.8Gb on disc.
The Games sub-menu shows 'Flightgear'; & 'Flightgear Launch Control' = fgrun = FlightGear Wizard. Simgear = ?
bash: simgear: command not found
Fired up FlightGear, which takes forever while it loads all its data. Tried the 1st step of the suggested Tutorial. It seems to ignore all the keyboard actions it proposes, notably PgUp. But maybe this does work if hit often enough, because things did advance minutely.
Tried Flightgear Wizard to change aircraft. This launches a Log window showing nothing but flickering as if it is trying to show something. Trying 'view' says it is starting Flightgear, but that never appeared.
Gave up. It moves at least.
AFTER update to: flightgear-3.4.0-2.1.mga5
No problems, and happily only Flghtgear itself is involved (no ginormous download); but the resulting version mix is even worse:
Flightgear Wizard behaved as previously, 'view' saying it starts Flightgear which never appears, empty flickering Log window.
Flightgear itself started a bit quicker. Tried the 2nd tutorial step, and again felt that it ignores keyboard commands. But clearly not completely, because the plane ended up taxiing out of control!
This seems to work or not as before the update, so deeming it OK.
(In reply to Lewis Smith from comment #14)
> because the plane ended up taxiing out of control!
This is the standard behaviour :)
No 32 bit system to test this update?
Will ask. Advisory from Comment 12 uploaded.
Installed i586 on 32-bit Athlon XP.
Installs and loads without problem but performance is slow, it may need a newer
Ok for update.
Thank you Charles. OKing 32-bit, Validating.
An update for this issue has been pushed to the Mageia Updates repository.