Bug#780719: unblock: flightgear/3.0.0-5

2015-03-20 Thread Markus Wanner
Adam,

On 03/20/2015 06:41 PM, Adam D. Barratt wrote:
> Well, they're related to the extent that they suggest potential room to
> tighten up the security fix.

Agreed. I opened #780867 to keep track of this.

> Indeed, I agree that the new version is certainly an improvement over
> the version curr

Bug#780719: unblock: flightgear/3.0.0-5

2015-03-20 Thread Markus Wanner
Adam,

On 03/20/2015 05:19 PM, Adam D. Barratt wrote:
> The latter's potentially a fairly important point. One of the reasons
> that insecure tempfile handling is an issue is that if you write to or
> truncate a file in /tmp and that file is a symlink to another file the
> result can be that the de

Bug#780719: unblock: flightgear/3.0.0-5

2015-03-20 Thread Rebecca N. Palmer
Symlinks are followed, but I don't think Nasal can create symlinks (and if it could, I agree we'd have a bigger problem). I'm assuming that there's no good reason for anyone ever to be running flightgear in a privileged context Agreed: that's one reason I have a 'create an unprivileged user' h

Bug#780719: unblock: flightgear/3.0.0-5

2015-03-20 Thread Adam D. Barratt
On 2015-03-20 14:09, Markus Wanner wrote: Control: tags -1 - moreinfo On 03/18/2015 11:12 PM, Rebecca N. Palmer wrote: Is untrusted scripts being able to write (not read) /tmp/*.xml a security or other RC bug (which would require a new upload of flightgear _and_ flightgear-data with the obviou

Bug#780719: unblock: flightgear/3.0.0-5

2015-03-20 Thread Rebecca N. Palmer
I'm not aware of any that do, but haven't specifically looked. I now have: as far as I can tell, no Nasal scripts are currently writing to /tmp, and given that upstream also support Windows, they would probably consider doing so to be a bug. I'll suggest removing this upstream, but currently d

Bug#780719: unblock: flightgear/3.0.0-5

2015-03-20 Thread Markus Wanner
Control: tags -1 - moreinfo

On 03/18/2015 11:12 PM, Rebecca N. Palmer wrote:
> Yes, the allowed-paths list is intentionally identical to the
> (post-#780716-fix) Nasal/IOrules: the purpose of this patch is to move
> the checking process to somewhere scripts can't disable.

Good, thanks for confirm

Bug#780719: unblock: flightgear/3.0.0-5

2015-03-18 Thread Rebecca N. Palmer
On 18/03/15 21:32, Markus Wanner wrote: On 03/18/2015 09:09 PM, Adam D. Barratt wrote: ++write_allowed_paths.push_back("/tmp/*.xml"); Is that really intended? (Both the hardcoding of /tmp/ rather than using something respecting TMPDIR and being allowed to write any ".xml" there.) It certa

Bug#780719: unblock: flightgear/3.0.0-5

2015-03-18 Thread Markus Wanner
On 03/18/2015 09:09 PM, Adam D. Barratt wrote:
> Well, not really. A debdiff from which you'd filtered the patch was
> attached, as was the patch. I'm not convinced that actually provided any
> benefit over simply providing the unfiltered debdiff.

I personally always have trouble reading nested di

Bug#780719: unblock: flightgear/3.0.0-5

2015-03-18 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Wed, 2015-03-18 at 11:50 +0100, Markus Wanner wrote:
> please unblock the package flightgear-3.0.0-5 as recently uploaded to
> unstable. It fixes a security issue by disallowing nasal scripts to
> access or modify files, see #780712. I kept the packaging changes as
>

Bug#780719: unblock: flightgear/3.0.0-5

2015-03-18 Thread Markus Wanner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear release team,

please unblock the package flightgear-3.0.0-5 as recently uploaded to unstable. It fixes a security issue by disallowing nasal scripts to access or modify files, see #780