CVE-2017-8921

Published: 12 May 2017

In FlightGear before 2017.2.1, the FGCommand interface allows overwriting any file the user has write access to, but not with arbitrary data: only with the contents of a FlightGear flightplan (XML). A resource such as a malicious third-party aircraft could exploit this to damage files belonging to the user. Both this issue and CVE-2016-9956 are directory traversal vulnerabilities in Autopilot/route_mgr.cxx - this one exists because of an incomplete fix for CVE-2016-9956.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
flightgear
Launchpad, Ubuntu, Debian
Upstream
Released (2017.2.1)
Ubuntu 21.10 (Impish Indri) Not vulnerable
(1:2017.2.1+dfsg-4)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(1:2017.2.1+dfsg-4)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(1:2017.2.1+dfsg-4)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(1:2017.2.1+dfsg-4)
Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(end of standard support, was needed)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needed)
Patches:
Upstream: https://sourceforge.net/p/flightgear/flightgear/ci/faf872e7f71ca14c567ac7080561fc785d8d2fd0/
Upstream: https://sourceforge.net/p/flightgear/flightgear/ci/19ab09406e4249f2c6f8ac51938258d1c51eace0/
Upstream: https://sourceforge.net/p/flightgear/flightgear/ci/c8250b10bb9a116889f831d2299678b0ef70fec2/