Bug 19948 - flightgear issue with nasal scripting language (CVE-2016-9956)
Summary: flightgear issue with nasal scripting language (CVE-2016-9956)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/709841/
Whiteboard: MGA5-64-OK advisory MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-12-14 17:45 CET by David Walser
Modified: 2017-01-09 11:12 CET (History)
6 users (show)

See Also:
Source RPM: flightgear-3.4.0-2.mga5
CVE:
Status comment:


Attachments

Description David Walser 2016-12-14 17:45:23 CET
A CVE has been requested for a security issue fixed upstream in flightgear:
http://openwall.com/lists/oss-security/2016/12/14/11

I'm not sure if there's any relation to the Bug 15809 issue(s).

The upstream commit fixing the issue is linked in the message above.

Debian has backported the patch to 3.0.0, which may be helpful for Mageia 5.
Comment 1 José Jorge 2016-12-14 18:49:26 CET
In MGA5, we have the same 2016.4.2 version in backports.

A 2016.4.3 version was released on 2016/12/06 with other fixes. I suggest we wait for upstream to release 2017.1 version, as the release often.
Comment 2 José Jorge 2016-12-14 19:11:28 CET
I changed my mind, and commited 2016.4.3 release adding the security patch.

I will also push it to MGA5 backports as the security fix.
Comment 3 José Jorge 2016-12-14 23:29:35 CET
The fix for this bug is in cauldron, and was also submitted to backports testing for 5.

How to test : install the 3 RPMS  flightgear flightgear-data and simgear.

RPMS:
flightgear-2016.4.3-1.mga5.x86_64.rpm
flightgear-data-2016.4.3-1.mga5.noarch.rpm
simgear-devel-2016.4.3-1.mga5.x86_64.rpm
simgear-2016.4.3-1.mga5.x86_64.rpm

SRPMS:
flightgear-2016.4.3-1.mga5.srpm
flightgear-data-2016.4.3-1.srpm
simgear-2016.4.3-1.mga5.srpm
Comment 4 José Jorge 2016-12-14 23:32:34 CET
Sysadmins, please remove all 2016.4.2 RPMS from backports testing, as this version supercedes them.
Comment 5 David Walser 2016-12-15 04:08:53 CET
This is a security bug for the flightgear packages that we actually support, and we do have flightgear packaged in Mageia 5, so we need an update for that.  If you want to update the backport package too, you can file a separate bug for that.
Comment 6 Rémi Verschelde 2016-12-15 13:44:39 CET
The patch shouldn't too hard to cherry-pick: https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/
Comment 7 Rémi Verschelde 2016-12-15 13:46:14 CET
Actually Debian went the easy way:

> Found in version flightgear/3.0.0-5
> Fixed in version flightgear/1:2016.4.3+dfsg-1
Comment 8 David Walser 2016-12-15 14:21:47 CET
If you look at message 5 in the Debian bug, they actually did backport the patch:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848114
Comment 9 José Jorge 2016-12-15 17:50:43 CET
(In reply to David Walser from comment #8)
> If you look at message 5 in the Debian bug, they actually did backport the
> patch:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848114

Thank you to drive me the right way David ;-)

So I have pushed to updates_testing a patched flightgear 3.4.0-2.1 .

Advisory :

A security bug was found in all FlightGear versions since 2009, that allow an attacker to overwrite any file the flightgear user owns.

An upstream patch was applied to the Mageia FlightGear package.

Ref: https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/

RPMS :
flightgear-3.4.0-2.1.mga5.x86_64.rpm
flightgear-3.4.0-2.1.mga5.i586.rpm

SRPM:
flightgear-3.4.0-2.1.mga5.src.rpm
Comment 10 David Walser 2016-12-15 18:33:26 CET
It didn't build:
http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20161215164404.zezinho.duvel.22116/log/flightgear-3.4.0-2.1.mga5/build.0.20161215164525.log

It looks like you used the upstream patch rather than the one Debian backported, which I believe will fix this build error.

PS - Please include the Debian bug in your advisory references.
Comment 11 David Walser 2016-12-15 19:02:45 CET
CVE-2016-9956 has been assigned:
http://openwall.com/lists/oss-security/2016/12/15/10
Comment 12 José Jorge 2016-12-15 22:28:58 CET
You are right, I shouldn't commit between beer and whisky ;-)

Advisory :

A security bug CVE-2016-9956 was found in all FlightGear versions since 2009, that allow an attacker to overwrite any file the flightgear user owns.

The Debian adaptation of upstream patch was applied to the Mageia FlightGear package.

References :
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848114
http://openwall.com/lists/oss-security/2016/12/15/10

RPMS :
flightgear-3.4.0-2.1.mga5.x86_64.rpm
flightgear-3.4.0-2.1.mga5.i586.rpm

SRPM:
flightgear-3.4.0-2.1.mga5.src.rpm
Comment 13 David Walser 2016-12-22 00:37:01 CET
Debian has issued an advisory for this on December 20:
https://www.debian.org/security/2016/dsa-3742
Comment 14 Lewis Smith 2017-01-02 12:03:45 CET
Testing M5 x64 real hardware, AMD/ATI/Radeon video
You need a lot of time to even poke this.

BEFORE update
Installing just 'flightgear' puuleed in, among other things, the apparently related pkgs:
  fgrun                          3.4.0        1.mga5        x86_64
  flightgear                     3.4.0        2.mga5        x86_64  
  flightgear-data                3.4.0        2.mga5        noarch  
  simgear                        3.4.0        1.mga5        x86_64  
I find the different pkg release versions odd.
This is a huge download, 1Gb -> 1.8Gb on disc.
The Games sub-menu shows 'Flightgear'; & 'Flightgear Launch Control' = fgrun = FlightGear Wizard. Simgear = ?
 $ simgear
 bash: simgear: command not found

Fired up FlightGear, which takes forever while it loads all its data. Tried the 1st step of the suggested Tutorial. It seems to ignore all the keyboard actions it proposes, notably PgUp. But maybe this does work if hit often enough, because things did advance minutely.
Tried Flightgear Wizard to change aircraft. This launches a Log window showing nothing but flickering as if it is trying to show something. Trying 'view' says it is starting Flightgear, but that never appeared.
Gave up. It moves at least.

AFTER update to: flightgear-3.4.0-2.1.mga5
No problems, and happily only Flghtgear itself is involved (no ginormous download); but the resulting version mix is even worse:
 fgrun-3.4.0-1.mga5
 flightgear-3.4.0-2.1.mga5
 flightgear-data-3.4.0-2.mga5
 simgear-3.4.0-1.mga5
Flightgear Wizard behaved as previously, 'view' saying it starts Flightgear which never appears, empty flickering Log window.
Flightgear itself started a bit quicker. Tried the 2nd tutorial step, and again felt that it ignores keyboard commands. But clearly not completely, because the plane ended up taxiing out of control!

This seems to work or not as before the update, so deeming it OK.
Comment 15 claire robinson 2017-01-02 14:01:45 CET
(In reply to Lewis Smith from comment #14)
> because the plane ended up taxiing out of control!

This is the standard behaviour :)
Comment 16 José Jorge 2017-01-08 16:52:06 CET
No 32 bit system to test this update?
Comment 17 Lewis Smith 2017-01-08 20:14:14 CET
Will ask. Advisory from Comment 12 uploaded.
Comment 18 Charles Edwards 2017-01-09 05:34:29 CET
Installed i586 on 32-bit Athlon XP.

Installs and loads without problem but performance is slow, it may need a newer 
faster cpu.

Ok for update.
Comment 19 Lewis Smith 2017-01-09 10:31:39 CET
Thank you Charles. OKing 32-bit, Validating.
Comment 20 Mageia Robot 2017-01-09 11:12:21 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0011.html

Note You need to log in before you can comment on or make changes to this bug.