Bug#734830: opu: package mapserver/5.6.5-2+squeeze3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: opu
Dear Release Team,
The MapServer project has released stable updates for every major
release from 5.6.x up fixing a security issue which allows a potential
leakage of information through an SQL injection when using TIME
filtering in conjunction with PostGIS backends. More information can be
found in the dedicated upstream issue: #4834
https://github.com/mapserver/mapserver/issues/4834
I've included the patch for this minor vulnerability from MapServer
5.6.9 in the new mapserver 5.6.5-2+squeeze3. The proposed-update also
includes two fixes for building the package.
The squeeze package contained debhelper.log files in the debian/
directory, which caused problems for clean pbuilder builds, so they were
removed. And dpatch insisted on changing the permissions. I've included
these changes in the squeeze package too.
Is this acceptable for upload to squeeze-proposed-updates?
Kind Regards,
Bas
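The check the cover message describes, as an added illustration that is not MapServer code and not part of this bug report: a denylist function with the shape of the 5.6.9 fix (refuse a TIME filter value containing a single quote or a backslash before it is spliced into the PostGIS query) placed next to a stricter allowlist variant. The function names, the sample values and the allowed character set are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not MapServer code. Function names, sample values
 * and the allowlist character set are assumptions for this example. */

/* Denylist check mirroring the shape of the upstream fix. Returns true
 * when the value may be used, false when the layer should refuse it
 * with an "Invalid time filter" error. */
bool time_filter_denylist_ok(const char *timestring)
{
    if (timestring == NULL)
        return false;
    /* A quote terminates the SQL string literal the value is spliced
     * into; a backslash could neutralise the literal's closing quote. */
    if (strchr(timestring, '\'') != NULL || strchr(timestring, '\\') != NULL)
        return false;
    return true;
}

/* Allowlist check (assumed character set): only what an ISO 8601 instant,
 * a comma-separated list of instants or a slash-delimited range can
 * contain. Everything else, quotes and backslashes included, is refused. */
bool time_filter_allowlist_ok(const char *timestring)
{
    static const char allowed[] = "0123456789-:TZ.,/ +";
    if (timestring == NULL || *timestring == '\0')
        return false;
    /* strspn() gives the length of the leading run made only of allowed
     * characters; it must cover the whole string. */
    return strspn(timestring, allowed) == strlen(timestring);
}

/* Classify the filter form the way the code after the check does:
 * 0 = single discrete time, 1 = comma-separated list, 2 = slash range. */
int time_filter_kind(const char *timestring)
{
    if (strchr(timestring, ',') != NULL)
        return 1;
    if (strchr(timestring, '/') != NULL)
        return 2;
    return 0;
}

/* Count how many of a sample set a given check lets through. */
int count_accepted(bool (*check)(const char *), const char *const *samples, int n)
{
    int accepted = 0;
    for (int i = 0; i < n; i++)
        if (check(samples[i]))
            accepted++;
    return accepted;
}

/* Constructed sample values: three legitimate forms, two that the
 * denylist refuses, and one (a stray semicolon) that only the allowlist
 * refuses. */
static const char *const SAMPLES[] = {
    "2014-01-08",
    "2014-01-01/2014-01-31",
    "2014-01-01T00:00:00Z,2014-01-15T00:00:00Z",
    "2014-01-08'",
    "2014-01-08\\",
    "2014-01-08;",
};
#define NSAMPLES ((int)(sizeof SAMPLES / sizeof SAMPLES[0]))

int main(void)
{
    printf("denylist accepts %d of %d samples, allowlist accepts %d of %d\n",
           count_accepted(time_filter_denylist_ok, SAMPLES, NSAMPLES), NSAMPLES,
           count_accepted(time_filter_allowlist_ok, SAMPLES, NSAMPLES), NSAMPLES);
    return 0;
}
```

The denylist is what the attached patch does and is sufficient to stop a value from escaping the quoted literal; the allowlist is the form a reviewer would ask for upstream, because it refuses anything a time value cannot legitimately contain instead of enumerating the characters known to be dangerous.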
diff -u mapserver-5.6.5/debian/changelog mapserver-5.6.5/debian/changelog
--- mapserver-5.6.5/debian/changelog
+++ mapserver-5.6.5/debian/changelog
@@ -1,3 +1,12 @@
+mapserver (5.6.5-2+squeeze3) oldstable-proposed-updates; urgency=low
+
+ * Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the
+ msPostGISLayerSetTimeFilter function in mappostgis.c.
+ (closes: #734565)
+ * Remove debhelper log files to allow clean builds.
+
+ -- Bas Couwenberg <sebastic@xs4all.nl> Fri, 10 Jan 2014 04:21:27 +0100
+
mapserver (5.6.5-2+squeeze2) stable-security; urgency=high
* Fix possible SQL injection in WFS (CVE-2011-2703).
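Review bot: the changelog entry records only the CVE patch and the removal of the debhelper log files, but the diff also adds a new Uploaders entry in debian/control, and the cover message mentions dpatch changing file permissions; neither is documented here. Add a bullet for the Uploaders change (and for the mode change if it is part of this upload) so the entry describes the whole diff, and confirm that `(closes: #734565)` is the bug filed for the CVE rather than this opu request (#734830).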
reverted:
--- mapserver-5.6.5/debian/mapserver-bin.debhelper.log
+++ mapserver-5.6.5.orig/debian/mapserver-bin.debhelper.log
@@ -1,5 +0,0 @@
-dh_prep
-dh_prep
-dh_prep
-dh_prep
-dh_prep
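Review bot: this log file contains nothing but repeated `dh_prep` entries, i.e. generated build state that was committed into debian/ by mistake, so reverting it is correct; the same applies to each of the identical `reverted:` hunks for the other `*.debhelper.log` files below. Removing them from the source is only half the fix, so check that the clean target change in debian/rules is present as well, otherwise the next build would recreate them.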
reverted:
--- mapserver-5.6.5/debian/libmapscript-ruby.debhelper.log
+++ mapserver-5.6.5.orig/debian/libmapscript-ruby.debhelper.log
@@ -1,5 +0,0 @@
-dh_prep
-dh_prep
-dh_prep
-dh_prep
-dh_prep
reverted:
--- mapserver-5.6.5/debian/cgi-mapserver.debhelper.log
+++ mapserver-5.6.5.orig/debian/cgi-mapserver.debhelper.log
@@ -1,5 +0,0 @@
-dh_prep
-dh_prep
-dh_prep
-dh_prep
-dh_prep
diff -u mapserver-5.6.5/debian/rules mapserver-5.6.5/debian/rules
--- mapserver-5.6.5/debian/rules
+++ mapserver-5.6.5/debian/rules
@@ -155,6 +155,7 @@
clean: unpatch clean-first-build
dh_testdir
dh_prep
+ -$(RM) debian/*.debhelper.log
-$(RM) configure-php5-stamp build-php5-stamp install-arch-stamp install-indep-stamp install-php5-stamp
[ ! -f Makefile ] || $(MAKE) distclean
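Review bot: the new `-$(RM) debian/*.debhelper.log` line sits directly after `dh_prep`, which is the right order given that the reverted logs consist solely of `dh_prep` entries: whatever the preceding `dh_prep` appends to the log is removed before the tree is considered clean. The leading `-` is redundant when `$(RM)` expands to `rm -f`, but it matches the existing `-$(RM) ... -stamp` line immediately below, so keeping it is a reasonable style choice.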
reverted:
--- mapserver-5.6.5/debian/php5-mapscript.debhelper.log
+++ mapserver-5.6.5.orig/debian/php5-mapscript.debhelper.log
@@ -1,5 +0,0 @@
-dh_prep
-dh_prep
-dh_prep
-dh_prep
-dh_prep
reverted:
--- mapserver-5.6.5/debian/perl-mapscript.debhelper.log
+++ mapserver-5.6.5.orig/debian/perl-mapscript.debhelper.log
@@ -1,5 +0,0 @@
-dh_prep
-dh_prep
-dh_prep
-dh_prep
-dh_prep
reverted:
--- mapserver-5.6.5/debian/libmapscript-ruby1.9.1.debhelper.log
+++ mapserver-5.6.5.orig/debian/libmapscript-ruby1.9.1.debhelper.log
@@ -1,5 +0,0 @@
-dh_prep
-dh_prep
-dh_prep
-dh_prep
-dh_prep
reverted:
--- mapserver-5.6.5/debian/mapserver-doc.debhelper.log
+++ mapserver-5.6.5.orig/debian/mapserver-doc.debhelper.log
@@ -1,5 +0,0 @@
-dh_prep
-dh_prep
-dh_prep
-dh_prep
-dh_prep
reverted:
--- mapserver-5.6.5/debian/libmapscript-ruby1.8.debhelper.log
+++ mapserver-5.6.5.orig/debian/libmapscript-ruby1.8.debhelper.log
@@ -1,5 +0,0 @@
-dh_prep
-dh_prep
-dh_prep
-dh_prep
-dh_prep
diff -u mapserver-5.6.5/debian/control mapserver-5.6.5/debian/control
--- mapserver-5.6.5/debian/control
+++ mapserver-5.6.5/debian/control
@@ -2,7 +2,7 @@
Section: devel
Priority: optional
Maintainer: Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>
-Uploaders: Francesco Paolo Lovergine <frankie@debian.org>, Alan Boudreault <aboudreault@mapgears.com>
+Uploaders: Francesco Paolo Lovergine <frankie@debian.org>, Alan Boudreault <aboudreault@mapgears.com>, Bas Couwenberg <sebastic@xs4all.nl>
Standards-Version: 3.9.0
Build-Depends: debhelper (>= 7), dpatch, libcurl4-gnutls-dev, libpng12-dev, zlib1g-dev (>= 1.1.4),
libgd2-xpm-dev (>= 2.0.1-10), libfreetype6-dev (>= 2.0.9), libjpeg62-dev, libgdal1-dev (>=1.4.0), libproj-dev,
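Review bot: the Uploaders addition is unrelated to the security fix and is not mentioned in the changelog. For a proposed-update the diff is expected to be limited to the fix and the build repairs described in the cover message, so either document this change in the changelog entry or leave it out of this upload.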
reverted:
--- mapserver-5.6.5/debian/python-mapscript.debhelper.log
+++ mapserver-5.6.5.orig/debian/python-mapscript.debhelper.log
@@ -1,5 +0,0 @@
-dh_prep
-dh_prep
-dh_prep
-dh_prep
-dh_prep
diff -u mapserver-5.6.5/debian/patches/00list mapserver-5.6.5/debian/patches/00list
--- mapserver-5.6.5/debian/patches/00list
+++ mapserver-5.6.5/debian/patches/00list
@@ -2,0 +3 @@
+cve-2013-7262
only in patch2:
unchanged:
--- mapserver-5.6.5.orig/debian/patches/cve-2013-7262.dpatch
+++ mapserver-5.6.5/debian/patches/cve-2013-7262.dpatch
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## cve-2013-7262.dpatch by Bas Couwenberg <sebastic@xs4all.nl>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mapserver~/mappostgis.c mapserver/mappostgis.c
+--- mapserver~/mappostgis.c 2014-01-08 22:42:12.000000000 +0100
++++ mapserver/mappostgis.c 2014-01-08 22:42:18.000000000 +0100
+@@ -2153,6 +2153,11 @@
+ if (!lp || !timestring || !timefield)
+ return MS_FALSE;
+
++ if( strchr(timestring,'\'') || strchr(timestring, '\\') ) {
++ msSetError(MS_MISCERR, "Invalid time filter.", "msPostGISLayerSetTimeFilter()");
++ return MS_FALSE;
++ }
++
+ if (strstr(timestring, ",") == NULL &&
+ strstr(timestring, "/") == NULL) /* discrete time */
+ tmpstimestring = strdup(timestring);
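Review bot: `## DP: No description.` leaves the patch undocumented; replace it with a one-line summary (reject a TIME filter string containing `'` or `\` in msPostGISLayerSetTimeFilter() to prevent SQL injection, CVE-2013-7262) and the upstream origin, MapServer 5.6.9 and https://github.com/mapserver/mapserver/issues/4834, so the patch is traceable without this bug report. On the code itself: the check is a denylist of the two characters that can break out of the quoted SQL literal, which is what upstream shipped, but an allowlist of the characters a TIME value legitimately contains (digits and the `-`, `:`, `T`, `Z`, `.`, `,` and `/` separators) would be the stricter choice and is worth raising upstream. Placing the check before the discrete/comma/slash branching is correct, since every branch builds SQL from `timestring`.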