[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#734830: opu: package mapserver/5.6.5-2+squeeze3

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: opu

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: opu

Dear Release Team,

The MapServer project has released stable updates for every major
release from 5.6.x up fixing a security issue which allows a potential
leakage of information through an SQL injection when using TIME
filtering in
conjunction with PostGIS backends. More information can be found in the
dedicated upstream issue: #4834

https://github.com/mapserver/mapserver/issues/4834

I've included the patch for this minor vulnerability from MapServer
5.6.9 in the new mapserver 5.6.5-2+squeeze3. The proposed-update also
includes two fixes for building the package.

The squeeze package contained debhelper.log files in the debian/
directory, which caused problems for clean pbuilder builds so they were
removed. And dpatch insisted in changing the permissions. I've included
these changes in the squeeze package too.

Is this acceptable for upload to squeeze-proposed-updates?

Kind Regards,

Bas

diff -u mapserver-5.6.5/debian/changelog mapserver-5.6.5/debian/changelog
--- mapserver-5.6.5/debian/changelog
+++ mapserver-5.6.5/debian/changelog
@@ -1,3 +1,12 @@
+mapserver (5.6.5-2+squeeze3) oldstable-proposed-updates; urgency=low
+
+  * Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the
+    msPostGISLayerSetTimeFilter function in mappostgis.c.
+    (closes: #734565)
+  * Remove debhelper log files to allow clean builds.
+
+ -- Bas Couwenberg <sebastic@xs4all.nl>  Fri, 10 Jan 2014 04:21:27 +0100
+
 mapserver (5.6.5-2+squeeze2) stable-security; urgency=high
 
   * Fix possible SQL injection in WFS (CVE-2011-2703).
reverted:
--- mapserver-5.6.5/debian/mapserver-bin.debhelper.log
+++ mapserver-5.6.5.orig/debian/mapserver-bin.debhelper.log
@@ -1,5 +0,0 @@
-dh_prep
-dh_prep
-dh_prep
-dh_prep
-dh_prep
reverted:
--- mapserver-5.6.5/debian/libmapscript-ruby.debhelper.log
+++ mapserver-5.6.5.orig/debian/libmapscript-ruby.debhelper.log
@@ -1,5 +0,0 @@
-dh_prep
-dh_prep
-dh_prep
-dh_prep
-dh_prep
reverted:
--- mapserver-5.6.5/debian/cgi-mapserver.debhelper.log
+++ mapserver-5.6.5.orig/debian/cgi-mapserver.debhelper.log
@@ -1,5 +0,0 @@
-dh_prep
-dh_prep
-dh_prep
-dh_prep
-dh_prep
diff -u mapserver-5.6.5/debian/rules mapserver-5.6.5/debian/rules
--- mapserver-5.6.5/debian/rules
+++ mapserver-5.6.5/debian/rules
@@ -155,6 +155,7 @@
 clean: unpatch clean-first-build
 	dh_testdir
 	dh_prep
+	-$(RM) debian/*.debhelper.log
 	-$(RM) configure-php5-stamp build-php5-stamp install-arch-stamp install-indep-stamp install-php5-stamp
 	[ ! -f Makefile ] || $(MAKE) distclean
 
reverted:
--- mapserver-5.6.5/debian/php5-mapscript.debhelper.log
+++ mapserver-5.6.5.orig/debian/php5-mapscript.debhelper.log
@@ -1,5 +0,0 @@
-dh_prep
-dh_prep
-dh_prep
-dh_prep
-dh_prep
reverted:
--- mapserver-5.6.5/debian/perl-mapscript.debhelper.log
+++ mapserver-5.6.5.orig/debian/perl-mapscript.debhelper.log
@@ -1,5 +0,0 @@
-dh_prep
-dh_prep
-dh_prep
-dh_prep
-dh_prep
reverted:
--- mapserver-5.6.5/debian/libmapscript-ruby1.9.1.debhelper.log
+++ mapserver-5.6.5.orig/debian/libmapscript-ruby1.9.1.debhelper.log
@@ -1,5 +0,0 @@
-dh_prep
-dh_prep
-dh_prep
-dh_prep
-dh_prep
reverted:
--- mapserver-5.6.5/debian/mapserver-doc.debhelper.log
+++ mapserver-5.6.5.orig/debian/mapserver-doc.debhelper.log
@@ -1,5 +0,0 @@
-dh_prep
-dh_prep
-dh_prep
-dh_prep
-dh_prep
reverted:
--- mapserver-5.6.5/debian/libmapscript-ruby1.8.debhelper.log
+++ mapserver-5.6.5.orig/debian/libmapscript-ruby1.8.debhelper.log
@@ -1,5 +0,0 @@
-dh_prep
-dh_prep
-dh_prep
-dh_prep
-dh_prep
diff -u mapserver-5.6.5/debian/control mapserver-5.6.5/debian/control
--- mapserver-5.6.5/debian/control
+++ mapserver-5.6.5/debian/control
@@ -2,7 +2,7 @@
 Section: devel
 Priority: optional
 Maintainer: Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>
-Uploaders: Francesco Paolo Lovergine <frankie@debian.org>, Alan Boudreault <aboudreault@mapgears.com>
+Uploaders: Francesco Paolo Lovergine <frankie@debian.org>, Alan Boudreault <aboudreault@mapgears.com>, Bas Couwenberg <sebastic@xs4all.nl>
 Standards-Version: 3.9.0
 Build-Depends: debhelper (>= 7), dpatch, libcurl4-gnutls-dev, libpng12-dev, zlib1g-dev (>= 1.1.4),
  libgd2-xpm-dev (>= 2.0.1-10), libfreetype6-dev (>= 2.0.9), libjpeg62-dev, libgdal1-dev (>=1.4.0), libproj-dev,
reverted:
--- mapserver-5.6.5/debian/python-mapscript.debhelper.log
+++ mapserver-5.6.5.orig/debian/python-mapscript.debhelper.log
@@ -1,5 +0,0 @@
-dh_prep
-dh_prep
-dh_prep
-dh_prep
-dh_prep
diff -u mapserver-5.6.5/debian/patches/00list mapserver-5.6.5/debian/patches/00list
--- mapserver-5.6.5/debian/patches/00list
+++ mapserver-5.6.5/debian/patches/00list
@@ -2,0 +3 @@
+cve-2013-7262
only in patch2:
unchanged:
--- mapserver-5.6.5.orig/debian/patches/cve-2013-7262.dpatch
+++ mapserver-5.6.5/debian/patches/cve-2013-7262.dpatch
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## cve-2013-7262.dpatch by Bas Couwenberg <sebastic@xs4all.nl>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mapserver~/mappostgis.c mapserver/mappostgis.c
+--- mapserver~/mappostgis.c	2014-01-08 22:42:12.000000000 +0100
++++ mapserver/mappostgis.c	2014-01-08 22:42:18.000000000 +0100
+@@ -2153,6 +2153,11 @@
+     if (!lp || !timestring || !timefield)
+       return MS_FALSE;
+ 
++    if( strchr(timestring,'\'') || strchr(timestring, '\\') ) {
++       msSetError(MS_MISCERR, "Invalid time filter.", "msPostGISLayerSetTimeFilter()");
++       return MS_FALSE;
++    }
++
+     if (strstr(timestring, ",") == NULL && 
+         strstr(timestring, "/") == NULL) /* discrete time */
+       tmpstimestring = strdup(timestring);
Reply to: