Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
To fix CVE-2017-1000426 an update of mapproxy for stretch has been prepared, but the security team doesn't consider the issue severe enough to warrant a DSA. Is this change okay to upload to proposed-updates? Kind Regards, Bas
diff -Nru mapproxy-1.9.0/debian/changelog mapproxy-1.9.0/debian/changelog --- mapproxy-1.9.0/debian/changelog 2016-08-22 11:56:27.000000000 +0200 +++ mapproxy-1.9.0/debian/changelog 2018-01-07 09:33:15.000000000 +0100 @@ -1,3 +1,11 @@ +mapproxy (1.9.0-3+deb9u1) stretch; urgency=medium + + * Update branch in gbp.conf & Vcs-Git URL. + * Add upstream patch to fix Cross Site Scripting (XSS) issue in demo service. + Fixes CVE-2017-1000426. + + -- Bas Couwenberg <sebas...@debian.org> Sun, 07 Jan 2018 09:33:15 +0100 + mapproxy (1.9.0-3) unstable; urgency=medium * Add access_contraints patch ignored by .gitignore. diff -Nru mapproxy-1.9.0/debian/control mapproxy-1.9.0/debian/control --- mapproxy-1.9.0/debian/control 2016-08-14 12:48:50.000000000 +0200 +++ mapproxy-1.9.0/debian/control 2018-01-07 09:33:15.000000000 +0100 @@ -37,7 +37,7 @@ xsltproc Standards-Version: 3.9.8 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-grass/mapproxy.git -Vcs-Git: https://anonscm.debian.org/git/pkg-grass/mapproxy.git +Vcs-Git: https://anonscm.debian.org/git/pkg-grass/mapproxy.git -b stretch Homepage: http://mapproxy.org/ X-Python-Version: >= 2.7 diff -Nru mapproxy-1.9.0/debian/gbp.conf mapproxy-1.9.0/debian/gbp.conf --- mapproxy-1.9.0/debian/gbp.conf 2016-08-14 12:48:50.000000000 +0200 +++ mapproxy-1.9.0/debian/gbp.conf 2018-01-07 09:33:15.000000000 +0100 
@@ -6,7 +6,7 @@
 # The default name for the Debian branch is "master".
 # Change it if the name is different (for instance, "debian/unstable").
-debian-branch = master
+debian-branch = stretch
 # git-import-orig uses the following names for the upstream tags.
 # Change the value if you are not using git-import-orig
diff -Nru mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch
--- mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch 1970-01-01 01:00:00.000000000 +0100
+++ mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch 2018-01-07 09:33:15.000000000 +0100
@@ -0,0 +1,66 @@
+Description: demo: escape args to avoid XSS
+ Fixes CVE-2017-1000426,
+Author: Oliver Tonnhofer <o...@bogosoft.com>
+Origin: https://github.com/mapproxy/mapproxy/commit/87faa667007b00ef11ee09b16707aa9ad2e8da28
+
+--- a/mapproxy/service/demo.py
++++ b/mapproxy/service/demo.py
+@@ -22,6 +22,7 @@ import os
+ import pkg_resources
+ import mimetypes
+ from collections import defaultdict
++from xml.sax.saxutils import escape
+ 
+ from mapproxy.config.config import base_config
+ from mapproxy.compat import PY2
+@@ -108,7 +109,10 @@ class DemoServer(Server):
+ demo = self._render_capabilities_template('demo/capabilities_demo.html', capabilities, 'WMTS', url)
+ elif 'tms_capabilities' in req.args:
+ if 'layer' in req.args and 'srs' in req.args:
+- url = '%s/tms/1.0.0/%s/%s'%(req.script_url, req.args['layer'], req.args['srs'])
++ # prevent dir traversal (seems it's not possible with urllib2, but better safe then sorry)
++ layer = req.args['layer'].replace('..', '')
++ srs = req.args['srs'].replace('..', '')
++ url = '%s/tms/1.0.0/%s/%s'%(req.script_url, layer, srs)
+ else:
+ url = '%s/tms/1.0.0/'%(req.script_url)
+ capabilities = urllib2.urlopen(url)
+@@ -171,14 +175,14 @@ class DemoServer(Server):
+ def _render_wms_template(self, template, req):
+ template = get_template(template, default_inherit="demo/static.html")
+ layer = self.layers[req.args['wms_layer']]
+- srs = req.args['srs']
++ srs = escape(req.args['srs'])
+ bbox = layer.extent.bbox_for(SRS(srs))
+ width = bbox[2] - bbox[0]
+ height = bbox[3] - bbox[1]
+ min_res = max(width/256, height/256)
+ return template.substitute(layer=layer,
+ image_formats=self.image_formats,
+- format=req.args['format'],
++ format=escape(req.args['format']),
+ srs=srs,
+ layer_srs=self.layer_srs,
+ bbox=bbox,
+@@ -202,8 +206,8 @@ class DemoServer(Server):
+ else:
+ add_res_to_options = False
+ return template.substitute(layer=tile_layer,
+- srs=req.args['srs'],
+- format=req.args['format'],
++ srs=escape(req.args['srs']),
++ format=escape(req.args['format']),
+ resolutions=res,
+ units=units,
+ add_res_to_options=add_res_to_options,
+@@ -223,8 +227,8 @@ class DemoServer(Server):
+ units = 'm'
+ return template.substitute(layer=wmts_layer,
+ matrix_set=wmts_layer.grid.name,
+- format=req.args['format'],
+- srs=req.args['srs'],
++ format=escape(req.args['format']),
++ srs=escape(req.args['srs']),
+ resolutions=wmts_layer.grid.resolutions,
+ units=units,
+ all_tile_layers=self.tile_layers,
diff -Nru mapproxy-1.9.0/debian/patches/series mapproxy-1.9.0/debian/patches/series
--- mapproxy-1.9.0/debian/patches/series 2016-08-22 11:56:27.000000000 +0200
+++ mapproxy-1.9.0/debian/patches/series 2018-01-07 09:33:15.000000000 +0100
@@ -2,3 +2,4 @@
 0001-use-dummy-access_contraints-to-clarify-license.patch
 disable-tag_date.patch
 configuration-typo.patch
+0001-demo-escape-args-to-avoid-XSS.patch
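Review bot: `xml.sax.saxutils.escape`, imported in the first demo.py hunk, rewrites only `&`, `<` and `>`, so the `srs` and `format` values handed to `template.substitute(...)` in `_render_wms_template` and the two later render methods still carry `"` and `'` untouched; if the demo templates (not part of this patch, so unconfirmed) put these values inside an HTML attribute or a JavaScript string literal, a quote in the query string still breaks out and the XSS is only partially closed. Escaping quotes costs one extra argument at each of the six call sites, e.g. `srs = escape(req.args['srs'], {'"': '&quot;', "'": '&#x27;'})`, or a tiny `_esc(value)` helper that wraps it. Separately, in the `tms_capabilities` branch the `.replace('..', '')` blacklist on `layer` and `srs` still lets `/`, `?` and `#` through into the URL fetched by `urllib2.urlopen`; since `self.tile_layers` and `self.layer_srs` are already passed to the templates, rejecting a `layer`/`srs` that is not a key of those collections (assuming they are keyed by name) would be a stronger check than stripping `..`. Note that the modified methods begin and end outside the hunks shown, and that the escaped `srs` is also fed to `SRS(srs)`, which only stays correct as long as valid SRS codes never contain `&`.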