21623 – flightgear new security issue CVE-2017-13709

Bug 21623 - flightgear new security issue CVE-2017-13709

Summary: flightgear new security issue CVE-2017-13709

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	6
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA5TOO MGA6-64-OK MGA5-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2017-08-28 01:31 CEST by David Walser
Modified:	2017-10-09 11:51 CEST (History)
CC List:	5 users (show)

See Also:
Source RPM:	flightgear-2017.2.1-1.mga6.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2017-08-28 01:31:39 CEST

Upstream has issued an advisory today (August 27):
http://openwall.com/lists/oss-security/2017/08/27/1

Patches are included in the message above, as are tips on backporting them to older versions.

Mageia 5 and Mageia 6 are also affected.

David Walser 2017-08-28 01:31:46 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 David Walser 2017-09-18 13:57:19 CEST

Fedora has issued advisories for this on September 17:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WUJXZ4XJWAFRNHBRBSX3GHY4VKXCJUQ7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Y2V6NPR2KZKFONPHWPGYGEU4FLVNXCZZ/

David Walser 2017-10-04 18:34:08 CEST

CC: (none) => lists.jjorge

Comment 2 José Jorge 2017-10-04 18:47:48 CEST

As this is a simulation that is played online, I'd like to push the 2017.3.1 version as fix. Ok?

José Jorge 2017-10-04 19:08:59 CEST

Assignee: rverschelde => lists.jjorge

Comment 3 David Walser 2017-10-04 20:06:59 CEST

Fine with me.  Thanks.

Comment 4 José Jorge 2017-10-06 22:21:36 CEST

I have push updates for MGA5 and MGA6.

Suggested advisory :

In FlightGear before version 2017.3.1, Main/logger.cxx in the FGLogger
subsystem allows one to overwrite any file via a resource that affects
the contents of the global Property Tree.

Mageia provides 2017.3.1 version as a security and bugfix update, allowing to connect to latest multiplayer servers.

Status: NEW => ASSIGNED
Assignee: lists.jjorge => qa-bugs

Comment 5 José Jorge 2017-10-06 22:22:26 CEST

Removed Cauldron as the update is done.

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6

Comment 6 José Jorge 2017-10-07 08:51:32 CEST

Tested by myself in a MGA6 64. My usual LFDH airport is Ok, with an Alphajet.

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 7 José Jorge 2017-10-07 20:19:38 CEST

Tested in a MGA5 64 also. Flight with CESSNA in Prague with multiplayer activated, no problem.

How to test : install the 3 RPMS  flightgear flightgear-data and simgear.

RPMS:
flightgear-2017.3.1-1.mgaX.x86_64.rpm
flightgear-data-2017.3.1-1.mgaX.noarch.rpm
simgear-devel-2017.3.1-1.mgaX.x86_64.rpm
simgear-2017.3.1-1.mgaX.x86_64.rpm

SRPMS:
flightgear-2017.3.1-1.mgaX.srpm
flightgear-data-2017.3.1-1.srpm
simgear-2017.3.1-1.mgaX.srpm

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK

Comment 8 William Kenney 2017-10-07 21:26:23 CEST

Argh!....you guys got to this addictive game before I did. I see no reason to test this in the 32-bit mode. I suggest pushing it along. Thanks

CC: (none) => wilcal.int

Comment 9 PC LX 2017-10-08 01:51:05 CEST

Installed and tested without issues.

Installed the following packages:
lib64fame0.9_1-0.9.1-17.mga5.x86_64
lib64xdg-basedir1-1.2.0-4.mga5.x86_64
xine1.2-common-1.2.6-5.mga5.tainted.x86_64
lib64xine2-1.2.6-5.mga5.tainted.x86_64
lib64openthreads20-3.2.1-3.mga5.x86_64
lib64openscenegraph100-3.2.1-3.mga5.x86_64
lib64plib1-1.8.5-10.mga5.x86_64
lib64flite1-1.4-7.mga5.x86_64
flightgear-data-2017.3.1-1.mga5.noarch
simgear-2017.3.1-1.mga5.x86_64
flightgear-2017.3.1-1.mga5.x86_64

Tested by a short flight and then it crashed (the plain, not the program). The 3D graphics, the audio, all seems OK.

System: Mageia 5, X86_64, Intel CPU, nVidia GPU using proprietary driver nvidia340.

CC: (none) => mageia

Comment 10 Lewis Smith 2017-10-08 11:08:37 CEST

Advisory made from bug title, comments 0, 1, 4, 7.
Validating also.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 11 Mageia Robot 2017-10-09 11:51:58 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0362.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.