A CVE has been requested for a security issue fixed upstream in flightgear: http://openwall.com/lists/oss-security/2016/12/14/11 I'm not sure if there's any relation to the Bug 15809 issue(s). The upstream commit fixing the issue is linked in the message above. Debian has backported the patch to 3.0.0, which may be helpful for Mageia 5.
CC: (none) => rverscheldeWhiteboard: (none) => MGA5TOO
In MGA5, we have the same 2016.4.2 version in backports. A 2016.4.3 version was released on 2016/12/06 with other fixes. I suggest we wait for upstream to release 2017.1 version, as the release often.
I changed my mind, and commited 2016.4.3 release adding the security patch. I will also push it to MGA5 backports as the security fix.
Status: NEW => ASSIGNED
The fix for this bug is in cauldron, and was also submitted to backports testing for 5. How to test : install the 3 RPMS flightgear flightgear-data and simgear. RPMS: flightgear-2016.4.3-1.mga5.x86_64.rpm flightgear-data-2016.4.3-1.mga5.noarch.rpm simgear-devel-2016.4.3-1.mga5.x86_64.rpm simgear-2016.4.3-1.mga5.x86_64.rpm SRPMS: flightgear-2016.4.3-1.mga5.srpm flightgear-data-2016.4.3-1.srpm simgear-2016.4.3-1.mga5.srpm
Keywords: (none) => BackportCC: (none) => lists.jjorgeComponent: Security => BackportsVersion: Cauldron => 5Assignee: lists.jjorge => qa-bugsSource RPM: flightgear-2016-4.2-2.mga6.src.rpm => flightgear-2016-4.1-1.1.mga.src.rpmWhiteboard: MGA5TOO => (none)
Sysadmins, please remove all 2016.4.2 RPMS from backports testing, as this version supercedes them.
This is a security bug for the flightgear packages that we actually support, and we do have flightgear packaged in Mageia 5, so we need an update for that. If you want to update the backport package too, you can file a separate bug for that.
CC: (none) => qa-bugsComponent: Backports => SecurityAssignee: qa-bugs => lists.jjorge
Source RPM: flightgear-2016-4.1-1.1.mga.src.rpm => flightgear-3.4.0-2.mga5
The patch shouldn't too hard to cherry-pick: https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/
Actually Debian went the easy way: > Found in version flightgear/3.0.0-5 > Fixed in version flightgear/1:2016.4.3+dfsg-1
If you look at message 5 in the Debian bug, they actually did backport the patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848114
(In reply to David Walser from comment #8) > If you look at message 5 in the Debian bug, they actually did backport the > patch: > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848114 Thank you to drive me the right way David ;-) So I have pushed to updates_testing a patched flightgear 3.4.0-2.1 . Advisory : A security bug was found in all FlightGear versions since 2009, that allow an attacker to overwrite any file the flightgear user owns. An upstream patch was applied to the Mageia FlightGear package. Ref: https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/ RPMS : flightgear-3.4.0-2.1.mga5.x86_64.rpm flightgear-3.4.0-2.1.mga5.i586.rpm SRPM: flightgear-3.4.0-2.1.mga5.src.rpm
Keywords: Backport => (none)
Assignee: lists.jjorge => qa-bugs
It didn't build: http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20161215164404.zezinho.duvel.22116/log/flightgear-3.4.0-2.1.mga5/build.0.20161215164525.log It looks like you used the upstream patch rather than the one Debian backported, which I believe will fix this build error. PS - Please include the Debian bug in your advisory references.
Assignee: qa-bugs => lists.jjorge
CVE-2016-9956 has been assigned: http://openwall.com/lists/oss-security/2016/12/15/10
Summary: flightgear issue with nasal scripting language => flightgear issue with nasal scripting language (CVE-2016-9956)
You are right, I shouldn't commit between beer and whisky ;-) Advisory : A security bug CVE-2016-9956 was found in all FlightGear versions since 2009, that allow an attacker to overwrite any file the flightgear user owns. The Debian adaptation of upstream patch was applied to the Mageia FlightGear package. References : https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848114 http://openwall.com/lists/oss-security/2016/12/15/10 RPMS : flightgear-3.4.0-2.1.mga5.x86_64.rpm flightgear-3.4.0-2.1.mga5.i586.rpm SRPM: flightgear-3.4.0-2.1.mga5.src.rpm
Debian has issued an advisory for this on December 20: https://www.debian.org/security/2016/dsa-3742
URL: (none) => https://lwn.net/Vulnerabilities/709841/
Testing M5 x64 real hardware, AMD/ATI/Radeon video You need a lot of time to even poke this. BEFORE update Installing just 'flightgear' puuleed in, among other things, the apparently related pkgs: fgrun 3.4.0 1.mga5 x86_64 flightgear 3.4.0 2.mga5 x86_64 flightgear-data 3.4.0 2.mga5 noarch simgear 3.4.0 1.mga5 x86_64 I find the different pkg release versions odd. This is a huge download, 1Gb -> 1.8Gb on disc. The Games sub-menu shows 'Flightgear'; & 'Flightgear Launch Control' = fgrun = FlightGear Wizard. Simgear = ? $ simgear bash: simgear: command not found Fired up FlightGear, which takes forever while it loads all its data. Tried the 1st step of the suggested Tutorial. It seems to ignore all the keyboard actions it proposes, notably PgUp. But maybe this does work if hit often enough, because things did advance minutely. Tried Flightgear Wizard to change aircraft. This launches a Log window showing nothing but flickering as if it is trying to show something. Trying 'view' says it is starting Flightgear, but that never appeared. Gave up. It moves at least. AFTER update to: flightgear-3.4.0-2.1.mga5 No problems, and happily only Flghtgear itself is involved (no ginormous download); but the resulting version mix is even worse: fgrun-3.4.0-1.mga5 flightgear-3.4.0-2.1.mga5 flightgear-data-3.4.0-2.mga5 simgear-3.4.0-1.mga5 Flightgear Wizard behaved as previously, 'view' saying it starts Flightgear which never appears, empty flickering Log window. Flightgear itself started a bit quicker. Tried the 2nd tutorial step, and again felt that it ignores keyboard commands. But clearly not completely, because the plane ended up taxiing out of control! This seems to work or not as before the update, so deeming it OK.
CC: (none) => lewyssmithWhiteboard: (none) => MGA5-64-OK
(In reply to Lewis Smith from comment #14) > because the plane ended up taxiing out of control! This is the standard behaviour :)
No 32 bit system to test this update?
Will ask. Advisory from Comment 12 uploaded.
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Installed i586 on 32-bit Athlon XP. Installs and loads without problem but performance is slow, it may need a newer faster cpu. Ok for update.
CC: (none) => cae
Thank you Charles. OKing 32-bit, Validating.
Keywords: (none) => validated_updateWhiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0011.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED