diff -Nru flightgear-3.4.0/debian/changelog flightgear-3.4.0/debian/changelog
--- flightgear-3.4.0/debian/changelog	2016-07-29 04:15:03.000000000 +0000
+++ flightgear-3.4.0/debian/changelog	2020-10-08 19:42:44.000000000 +0000
@@ -1,3 +1,12 @@
+flightgear (3.4.0-3ubuntu1.1) xenial-security; urgency=medium
+
+  * SECURITY UPDATE: Improper Access Control
+    - debian/patches/route-manager-secu-fix-280cd5.patch: don't allow the
+      route manager to overwrite arbitrary files.
+    - CVE-2016-9956
+
+ -- Paulo Flabiano Smorigo <pfsmorigo@canonical.com>  Thu, 08 Oct 2020 19:25:39 +0000
+
 flightgear (3.4.0-3ubuntu1) xenial; urgency=medium
 
   * Fix icon install to fix FlightGear missing from the Software
diff -Nru flightgear-3.4.0/debian/patches/route-manager-secu-fix-280cd5.patch flightgear-3.4.0/debian/patches/route-manager-secu-fix-280cd5.patch
--- flightgear-3.4.0/debian/patches/route-manager-secu-fix-280cd5.patch	1970-01-01 00:00:00.000000000 +0000
+++ flightgear-3.4.0/debian/patches/route-manager-secu-fix-280cd5.patch	2020-10-08 19:25:06.000000000 +0000
@@ -0,0 +1,52 @@
+Description: Security fix: don't allow the route manager to overwrite arbitrary files
+ Since the Save function of the route manager can be triggered from Nasal with
+ an arbitrary path, we must check the path before overwriting the file.
+ .
+ (also add a missing include that is directly needed for this commit)
+Author: Florent Rougon <f.rougon@free.fr>
+Origin: upstream, https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/
+
+--- flightgear-3.4.0.orig/src/Autopilot/route_mgr.cxx
++++ flightgear-3.4.0/src/Autopilot/route_mgr.cxx
+@@ -47,6 +47,7 @@
+ #include <simgear/misc/sg_path.hxx>
+ #include <simgear/sg_inlines.h>
+ 
++#include <Main/globals.hxx>
+ #include "Main/fg_props.hxx"
+ #include "Navaids/positioned.hxx"
+ #include <Navaids/waypoint.hxx>
+@@ -57,6 +58,8 @@
+ #include "Airports/runways.hxx"
+ #include <GUI/new_gui.hxx>
+ #include <GUI/dialog.hxx>
++#include <Main/util.hxx>        // fgValidatePath()
++#include <GUI/MessageBox.hxx>
+ 
+ #define RM "/autopilot/route-manager/"
+ 
+@@ -712,7 +715,23 @@ void FGRouteMgr::InputListener::valueCha
+       mgr->loadRoute(path);
+     } else if (!strcmp(s, "@SAVE")) {
+       SGPath path(mgr->_pathNode->getStringValue());
+-      mgr->saveRoute(path);
++      const std::string authorizedPath = fgValidatePath(path.str(),
++                                                        true /* write */);
++
++      if (!authorizedPath.empty()) {
++        mgr->saveRoute(authorizedPath);
++      } else {
++        const SGPath proposedPath = SGPath(globals->get_fg_home()) / "Export";
++        std::string msg =
++          "The route manager was asked to write the flightplan to '" +
++          path.str() + "', but this path is not authorized for writing. " +
++          "Please choose another location, for instance in the $FG_HOME/Export "
++          "folder (" + proposedPath.str() + ").";
++
++        SG_LOG(SG_AUTOPILOT, SG_ALERT, msg);
++        modalMessageBox("FlightGear", "Unable to write to the specified file",
++                        msg);
++      }
+     } else if (!strcmp(s, "@NEXT")) {
+       mgr->jumpToIndex(mgr->currentIndex() + 1);
+     } else if (!strcmp(s, "@PREVIOUS")) {
diff -Nru flightgear-3.4.0/debian/patches/series flightgear-3.4.0/debian/patches/series
--- flightgear-3.4.0/debian/patches/series	2016-07-29 04:15:03.000000000 +0000
+++ flightgear-3.4.0/debian/patches/series	2020-10-08 19:25:06.000000000 +0000
@@ -4,3 +4,4 @@
 spelling.patch
 add-x11-lib.patch
 spelling2.patch
+route-manager-secu-fix-280cd5.patch