- Backport commits 0ba2ac31 and 1ad2bf44 (fixes for CVE-2017-13709)

- Rename patch patch-src-Autopilot-route_mgr.cxx to a more explicit name

Reported by:	Florent Rougon <f.rougon@free.fr>

3 files changed, 130 insertions, 1 deletions

diff --git a/games/flightgear/Makefile b/games/flightgear/Makefile
index 23ad960126a4..539bc36b24e9 100644
--- a/games/flightgear/Makefile
+++ b/games/flightgear/Makefile
@@ -3,7 +3,7 @@
 
 PORTNAME=	flightgear
 PORTVERSION=	2017.1.3
-PORTREVISION=	5
+PORTREVISION=	6
 CATEGORIES=	games
 MASTER_SITES=	SF/flightgear/release-${PORTVERSION:R}
 
diff --git a/games/flightgear/files/patch-CVE-2017-13709.txt b/games/flightgear/files/patch-CVE-2017-13709.txt
new file mode 100644
index 000000000000..48edddc00d34
--- /dev/null
+++ b/games/flightgear/files/patch-CVE-2017-13709.txt
@@ -0,0 +1,129 @@
+Backport of commits 0ba2ac31 and 1ad2bf44
+
+Fixes CVE-2017-13709.
+
+--- src/Main/fg_init.cxx.orig
++++ src/Main/fg_init.cxx
+@@ -1090,7 +1090,12 @@ void fgStartNewReset()
+     fgInitGeneral(); // all of this?
+     
+     flightgear::Options::sharedInstance()->processOptions();
+-    
++
++    // Rebuild the lists of allowed paths for cases where a path comes from an
++    // untrusted source, such as the global property tree (this uses $FG_HOME
++    // and other paths set by Options::processOptions()).
++    fgInitAllowedPaths();
++
+     // PRESERVED properties over-write state from options, intentionally
+     if ( copyProperties(preserved, globals->get_props()) ) {
+         SG_LOG( SG_GENERAL, SG_INFO, "Preserved state restored successfully" );
+--- src/Main/main.cxx.orig
++++ src/Main/main.cxx
+@@ -536,7 +536,12 @@ int fgMainInit( int argc, char **argv )
+     } else if (configResult == flightgear::FG_OPTIONS_EXIT) {
+         return EXIT_SUCCESS;
+     }
+-    
++
++    // Set the lists of allowed paths for cases where a path comes from an
++    // untrusted source, such as the global property tree (this uses $FG_HOME
++    // and other paths set by Options::processOptions()).
++    fgInitAllowedPaths();
++
+     // Initialize the Window/Graphics environment.
+     fgOSInit(&argc, argv);
+     _bootstrap_OSInit++;
+--- src/Scripting/NasalSys.cxx.orig
++++ src/Scripting/NasalSys.cxx
+@@ -909,10 +909,6 @@ void FGNasalSys::init()
+       .member("simulatedTime", &TimerObj::isSimTime, &f_timerObj_setSimTime)
+       .member("isRunning", &TimerObj::isRunning);
+ 
+-
+-    // Set allowed paths for Nasal I/O
+-    fgInitAllowedPaths();
+-    
+     // Now load the various source files in the Nasal directory
+     simgear::Dir nasalDir(SGPath(globals->get_fg_root(), "Nasal"));
+     loadScriptDirectory(nasalDir);
+--- src/Main/logger.cxx.orig
++++ src/Main/logger.cxx
+@@ -9,12 +9,17 @@
+ 
+ #include "logger.hxx"
+ 
+-#include <fstream>
++#include <ios>
+ #include <string>
++#include <cstdlib>
+ 
+ #include <simgear/debug/logstream.hxx>
++#include <simgear/io/iostreams/sgstream.hxx>
++#include <simgear/misc/sg_path.hxx>
+ 
+ #include "fg_props.hxx"
++#include "globals.hxx"
++#include "util.hxx"
+ 
+ using std::string;
+ using std::endl;
+@@ -59,6 +64,25 @@ FGLogger::init ()
+         child->setStringValue("filename", filename.c_str());
+     }
+ 
++    // Security: the path comes from the global Property Tree; it *must* be
++    //           validated before we overwrite the file.
++    const SGPath authorizedPath = fgValidatePath(SGPath::fromUtf8(filename),
++                                                 /* write */ true);
++
++    if (authorizedPath.isNull()) {
++      const string propertyPath = child->getChild("filename")
++                                       ->getPath(/* simplify */ true);
++      const string msg =
++        "The FGLogger logging system, via the '" + propertyPath + "' property, "
++        "was asked to write to '" + filename + "', however this path is not "
++        "authorized for writing anymore for security reasons. " +
++        "Please choose another location, for instance in the $FG_HOME/Export "
++        "folder (" + (globals->get_fg_home() / "Export").utf8Str() + ").";
++
++      SG_LOG(SG_GENERAL, SG_ALERT, msg);
++      exit(EXIT_FAILURE);
++    }
++
+     string delimiter = child->getStringValue("delimiter");
+     if (delimiter.empty()) {
+         delimiter = ",";
+@@ -68,7 +92,8 @@ FGLogger::init ()
+     log.interval_ms = child->getLongValue("interval-ms");
+     log.last_time_ms = globals->get_sim_time_sec() * 1000;
+     log.delimiter = delimiter.c_str()[0];
+-    log.output = new std::ofstream(filename.c_str());
++    // Security: use the return value of fgValidatePath()
++    log.output = new sg_ofstream(authorizedPath, std::ios_base::out);
+     if (!log.output) {
+       SG_LOG(SG_GENERAL, SG_ALERT, "Cannot write log to " << filename);
+       continue;
+--- src/Main/logger.hxx.orig
++++ src/Main/logger.hxx
+@@ -6,10 +6,10 @@
+ #ifndef __LOGGER_HXX
+ #define __LOGGER_HXX 1
+ 
+-#include <iosfwd>
+ #include <vector>
+ 
+ #include <simgear/compiler.h>
++#include <simgear/io/iostreams/sgstream.hxx>
+ #include <simgear/structure/subsystem_mgr.hxx>
+ #include <simgear/props/props.hxx>
+ 
+@@ -39,7 +39,7 @@ private:
+     Log ();
+     virtual ~Log ();
+     std::vector<SGPropertyNode_ptr> nodes;
+-    std::ostream * output;
++    sg_ofstream * output;
+     long interval_ms;
+     double last_time_ms;
+     char delimiter;
diff --git a/games/flightgear/files/patch-src-Autopilot-route_mgr.cxx b/games/flightgear/files/patch-CVE-2017-8921.txt
index f348bf580084..f348bf580084 100644
--- a/games/flightgear/files/patch-src-Autopilot-route_mgr.cxx
+++ b/games/flightgear/files/patch-CVE-2017-8921.txt