3rdparty/iaxclient/lib/CMakeLists.txt | 148 87 + 61 - 0 !
3rdparty/iaxclient/lib/audio_encode.c | 8 6 + 2 - 0 !
CMakeLists.txt | 13 13 + 0 - 0 !
CMakeModules/FindGsm.cmake | 88 88 + 0 - 0 !
CMakeModules/FindSpeex.cmake | 87 87 + 0 - 0 !
CMakeModules/FindSpeexdsp.cmake | 88 88 + 0 - 0 !
6 files changed, 369 insertions(+), 63 deletions(-)

 link against system provided libgsm and libspeex.

src/Scripting/NasalSys.cxx | 52 33 + 19 - 0 !
src/Scripting/NasalSys.hxx | 4 3 + 1 - 0 !
2 files changed, 36 insertions(+), 20 deletions(-)

 fix crash with nasal bindings.
 naBindFunction doesn't save the function code to the global
 hash, so pass an explicit context to various 'call' overloads so
 the function can't be GC-ed in between parsing and calling.

src/Instrumentation/tacan.cxx | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 fix mobile tacan

src/Scripting/NasalSys.cxx | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix hang in nested nasal calls

naCall() increments Nasal's "active threads" count; as Nasal's garbage
collector first asks all other threads to stop and waits for them to
say they have, this can cause a hang when used in a function that was
itself called from Nasal (inner function's GC waiting for outer function
to say it has stopped, outer function waiting for inner function to return).

naCallMethodCtx() doesn't, to avoid exactly this problem.
(simgear simgear/nasal/nasal.h:108)

(Deliberately not changing NasalXMLVisitor: that already uses naSubContext,
another mechanism to do the same thing.)

src/Main/util.cxx | 155 133 + 22 - 0 !
src/Main/util.hxx | 7 6 + 1 - 0 !
src/Scripting/NasalSys.cxx | 3 3 + 0 - 0 !
3 files changed, 142 insertions(+), 23 deletions(-)

 restrict file access for nasal scripts.
 Stop using property listener for fgValidatePath
 .   
 This was insecure: while removelistener() won't remove it, there are
 other ways to remove a listener from Nasal

src/Autopilot/route_mgr.cxx | 21 20 + 1 - 0 !
1 file changed, 20 insertions(+), 1 deletion(-)

 security fix: don't allow the route manager to overwrite arbitrary files
 Since the Save function of the route manager can be triggered from Nasal with
 an arbitrary path, we must check the path before overwriting the file.
 .
 (also add a missing include that is directly needed for this commit)

CMakeLists.txt | 2 2 + 0 - 0 !
utils/fgviewer/CMakeLists.txt | 1 1 + 0 - 0 !
2 files changed, 3 insertions(+)

 fix build failures ('-lx11' missing for fgfs and fgviewer)
 .
 Tested in a jessie amd64 pbuilder chroot.

src/Autopilot/route_mgr.cxx | 19 18 + 1 - 0 !
1 file changed, 18 insertions(+), 1 deletion(-)

 security fix: don't allow overwriting arbitrary files
 the previous fix 280cd523 missed commandSaveFlightPlan
 .
 backported from faf872e7 and fc138213, fixes CVE-2017-8921.

src/Main/fg_init.cxx | 7 6 + 1 - 0 !
src/Main/main.cxx | 7 6 + 1 - 0 !
src/Scripting/NasalSys.cxx | 3 0 + 3 - 0 !
3 files changed, 12 insertions(+), 5 deletions(-)

 call fginitallowedpaths earlier: after options::processoptions
 Call fgInitAllowedPaths() right after Options::processOptions() (which,
 among other things, determines $FG_ROOT and processes
 --allow-nasal-read). This way, fgInitAllowedPaths() can be used in much
 more code, such as when initializing subsystems.
 .
 (cherry picked from commit c7a2aef59979af3e9ff22daabb37bdaadb91cd75)

src/Main/logger.cxx | 27 26 + 1 - 0 !
1 file changed, 26 insertions(+), 1 deletion(-)

 security: don't allow fglogger to overwrite arbitrary files
 Since the paths of files written by FGLogger come from the property
 tree[1], they must be validated before we decide to write to these
 files.
 .
 [1] Except for the "empty" case, which uses the default name
 'fg_log.csv'.
 .
 This fixes CVE-2017-13709.
 .
 (cherry picked from commit 2a5e3d06b2c0d9f831063afe7e7260bca456d679)