On 2021-05-31 08:17:25 +0200, Sebastiaan Couwenberg wrote:
> On 5/31/21 8:07 AM, Sebastian Ramacher wrote:
> > On 2021-05-31 05:38:15 +0200, Sebastiaan Couwenberg wrote:
> >> On 5/30/21 9:12 PM, Salvatore Bonaccorso wrote:
> >>> Sebastiaan, Sebastian,
> >>>
> >>> On Tue, May 25, 2021 at 09:57:28AM +0200, Sebastiaan Couwenberg wrote:
> >>>> Control: tags -1 - moreinfo
> >>>>
> >>>> On 5/25/21 9:45 AM, Sebastian Ramacher wrote:
> >>>>> On 2021-05-08 22:17:42 +0200, Sebastiaan Couwenberg wrote:
> >>>>>> On 5/8/21 9:18 PM, Sebastian Ramacher wrote:
> >>>>>>> On 2021-05-08 07:29:01 +0200, Bas Couwenberg wrote:
> >>>>>>>> Package: release.debian.org
> >>>>>>>> Severity: normal
> >>>>>>>> User: release.debian....@packages.debian.org
> >>>>>>>> Usertags: unblock
> >>>>>>>>
> >>>>>>>> Please unblock package mapserver to fix CVE-2021-32062 as reported
> >>>>>>>> in #988208.
> >>>>>>>>
> >>>>>>>> [ Reason ]
> >>>>>>>> Fix security issue.
> >>>>>>>>
> >>>>>>>> [ Impact ]
> >>>>>>>> Unfixed security issue.
> >>>>>>>>
> >>>>>>>> [ Tests ]
> >>>>>>>> Upstream CI.
> >>>>>>>>
> >>>>>>>> [ Risks ]
> >>>>>>>> Low, leaf package.
> >>>>>>>>
> >>>>>>>> [ Checklist ]
> >>>>>>>> [x] all changes are documented in the d/changelog
> >>>>>>>> [x] I reviewed all changes and I approve them
> >>>>>>>> [x] attach debdiff against the package in testing
> >>>>>>>>
> >>>>>>>> [ Other info ]
> >>>>>>>> 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is
> >>>>>>>> required as a dependency of
> >>>>>>>> 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch.
> >>>>>>>>
> >>>>>>>> unblock mapserver/7.6.2-2
> >>>>>>>
> >>>>>>>> diff -Nru mapserver-7.6.2/debian/changelog > >>>>>>>> mapserver-7.6.2/debian/changelog > >>>>>>>> --- mapserver-7.6.2/debian/changelog 2020-12-09 06:01:02.000000000 > >>>>>>>> +0100 > >>>>>>>> +++ mapserver-7.6.2/debian/changelog 2021-05-08 07:12:18.000000000 > >>>>>>>> +0200
> >>>>>>>> @@ -1,3 +1,12 @@ > >>>>>>>> +mapserver (7.6.2-2) unstable; urgency=high > >>>>>>>> + > >>>>>>>> + * Drop unused lintian overrides. > >>>>>>>> + * Add upstream patches to fix CVE-2021-32062. > >>>>>>>> + (closes: #988208) > >>>>>>>> + * Update symbols file. > >>>>>>>> + > >>>>>>>> + -- Bas Couwenberg <sebas...@debian.org> Sat, 08 May 2021 07:12:18 > >>>>>>>> +0200 > >>>>>>>> + > >>>>>>>> mapserver (7.6.2-1) unstable; urgency=medium > >>>>>>>> > >>>>>>>> * Update symbols for other architectures. > >>>>>>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.lintian-overrides > >>>>>>>> mapserver-7.6.2/debian/libmapserver2.lintian-overrides > >>>>>>>> --- mapserver-7.6.2/debian/libmapserver2.lintian-overrides > >>>>>>>> 2020-08-06 05:34:57.000000000 +0200 > >>>>>>>> +++ mapserver-7.6.2/debian/libmapserver2.lintian-overrides > >>>>>>>> 1970-01-01 01:00:00.000000000 +0100 > >>>>>>>> @@ -1,3 +0,0 @@ > >>>>>>>> -# Cannot easily be fixed > >>>>>>>> -file-references-package-build-path * > >>>>>>>> - > >>>>>>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.symbols > >>>>>>>> mapserver-7.6.2/debian/libmapserver2.symbols > >>>>>>>> --- mapserver-7.6.2/debian/libmapserver2.symbols 2020-12-09 > >>>>>>>> 06:00:39.000000000 +0100 > >>>>>>>> +++ mapserver-7.6.2/debian/libmapserver2.symbols 2021-05-08 > >>>>>>>> 07:11:08.000000000 +0200 > >>>>>>>> @@ -945,6 +945,7 @@ > >>>>>>>> msCSVJoinPrepare@Base 6.2.1 > >>>>>>>> msCairoCleanup@Base 6.2.1 > >>>>>>>> msCalculateScale@Base 6.2.1 > >>>>>>>> + msCaseEvalRegex@Base 7.6.2 > >>>>>>>> msCaseReplaceSubstring@Base 6.2.1 > >>>>>>>> msCheckLabelMinDistance@Base 7.0.0 > >>>>>>>> msCheckParentPointer@Base 6.2.1 
> >>>>>>>> @@ -1418,6 +1419,7 @@ > >>>>>>>> msIsGlyphASpace@Base 7.2.0 > >>>>>>>> msIsLayerQueryable@Base 6.2.1 > >>>>>>>> msIsOuterRing@Base 6.2.1 > >>>>>>>> + msIsValidRegex@Base 7.6.2
> >>>>>>>
> >>>>>>> This version is not high enough. The symbols need to be marked as
> >>>>>>> requiring 7.6.2-2~
> >>>>>>
> >>>>>> There are no rdeps of mapserver in Debian, so no users of the symbols
> >>>>>> file.
> >>>>>
> >>>>> It's technically wrong. If you introduce symbols with a patch, the
> >>>>> symbols need to be properly versioned. After all, there is a user of the
> >>>>> symbols file and that is mapserver itself. If you have to introduce
> >>>>> calls to those two symbols outside of libmapserver in the next patch,
> >>>>> the dependency on libmapserver is wrong.
> >>>>
> >>>> libmapserver-dev already depends on libmapserver2 with (=
> >>>> ${binary:Version}).
> >>>>
> >>>> None of the other binary packages require symbols introduced after 7.0.5.
> >>>>
> >>>> All the code using msCaseEvalRegex & msIsValidRegex is within
> >>>> libmapserver itself.
> >>>>
> >>>> While strictly speaking the version in the symbols file should include
> >>>> the revision, it's not required in this case because nothing outside
> >>>> libmapserver uses it.
> >>>>
> >>>>>>> Please remove the moreinfo tag once that fixed version is available in
> >>>>>>> unstable.
> >>>>>>
> >>>>>> mapserver (7.6.2-2) has been uploaded to unstable without further
> >>>>>> changes to the symbols file.
> >>>>>
> >>>>> Again, please remove the moreinfo tag only once a fixed version is
> >>>>> available in unstable.
> >>>>
> >>>> There is no need for further changes in unstable.
> >>>
> >>> Sebastian (the release team member), is there anything from the above
> >>> which you still want the maintainer to be addressed? Sebastiaan, my
> >>> understanding is that Sebastian would like to see the above changes done
> >>> for mapserver to be unblocked.
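Review bot: in the two libmapserver2.symbols hunks, the new entries `msCaseEvalRegex@Base 7.6.2` and `msIsValidRegex@Base 7.6.2` are versioned as if the 7.6.2 upstream release provided them, but they are added by a Debian patch in 7.6.2-2, so anything built against this library and using them would get a `libmapserver2 (>= 7.6.2)` dependency that 7.6.2-1 satisfies without having the symbols. They should read `msCaseEvalRegex@Base 7.6.2-2~` and `msIsValidRegex@Base 7.6.2-2~`, as requested later in the thread.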
> >>
> >> That's my understanding too, but the additional information provided
> >> should make clear that those changes are not required.
> >
> > I think I said it twice (from #988224#24):
>
> There is no message #24 in #988224.
Sorry, #26: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988224#26

>
> >>>> Please remove the moreinfo tag once that fixed version is available in
> >>>> unstable.
> >>>
> >>> mapserver (7.6.2-2) has been uploaded to unstable without further
> >>> changes to the symbols file.
> >>
> >> Again, please remove the moreinfo tag only once a fixed version is
> >> available in unstable.
> >
> > I want these symbols fixed.
>
> There is no need for that.
>
> Perhaps we should just close this issue as wontfix, I'm not going to
> change the symbols version for pedantic reasons.

If you are unwilling to fix a potential RC bug waiting to happen, then yes,
let's close it.

Cheers

>
> Kind Regards,
>
> Bas
>
> --
> GPG Key ID: 4096R/6750F10AE88D4AF1
> Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
>

--
Sebastian Ramacher