Headline

CVE-2023-28371: Fix a possible security issue · Stellarium/stellarium@eba61df

In Stellarium through 1.2, attackers can write to files that are typically unintended, such as ones with absolute pathnames or … directory traversal.

1 year ago

CVE

Open in Source

#vulnerability #git

- Actions
  
  Automate any workflow
- Packages
  
  Host and manage packages
- Security
  
  Find and fix vulnerabilities
- Codespaces
  
  Instant dev environments
- Copilot
  
  Write better code with AI
- Code review
  
  Manage code changes
- Issues
  
  Plan and track work
- Discussions
  
  Collaborate outside of code

*   Explore
*   All features
*   Documentation
*   GitHub Skills
*   Blog

- For
- Enterprise
- Teams
- Startups
- Education
- By Solution
- CI/CD & Automation
- DevOps
- DevSecOps
- Case Studies
- Customer Stories
- Resources
- GitHub Sponsors
  
  Fund open source developers

*   The ReadME Project
    
    GitHub community articles
    

*   Repositories
*   Topics
*   Trending
*   Collections

Pricing
In this repository All GitHub

No suggested jump to results
In this repository All GitHub
In this organization All GitHub
In this repository All GitHub

Stellarium / stellarium Public

Notifications
Fork 644
Star 4.6k

Code
Issues 328
Pull requests 18
Discussions
Actions
Projects 33
Wiki
Security
Insights

Permalink

Browse files

Fix a possible security issue

- disallow overwriting config.ini

Loading branch information

gzotti committed

Mar 4, 2023

1 parent 0c3a256 commit eba61df

Showing 1 changed file with 6 additions and 0 deletions.

6 src/scripting/StelScriptOutput.cpp

Show comments View file

@@ -62,6 +62,12 @@ void StelScriptOutput::saveOutputAs(const QString &name)

const bool okToSaveToAbsolutePath=StelApp::getInstance().getSettings()->value("scripts/flag_script_allow_write_absolute_path", false).toBool();

if (name.contains(“config.ini”))

{

qWarning() << "SCRIPTING ERROR: You are trying to overwrite config.ini. Ignoring.";

return;

}

if (!okToSaveToAbsolutePath && ((newFileNameInfo.isAbsolute() || (name.contains(“…”))))) // The last condition may include dangerous/malicious paths

{

qWarning() << "SCRIPTING CONFIGURATION ISSUE: You are trying to save to an absolute pathname or move up in directories.";

0 comments on commit eba61df

Please sign in to comment.

Gentoo Linux Security Advisory 202407-18 - A vulnerability has been discovered in Stellarium, which can lead to arbitrary file writes. Versions greater than or equal to 23.1 are affected.

4 months ago

Packet Storm

Open in Source

#vulnerability #web #mac #linux