Dear Security Team, Today the MapServer team has released version 7.0.3 which fixes CVE-2016-9839. To quote the release announcement [0]:
" That issue involves OGR error messages being too verbose in some instances and potentially disclosing sensitive information if the underlying connection fails. In addition we have backported a somewhat similar fix to the 6.x series for PostGIS layers. " I've already updated the package in unstable, and have cherry-picked the commit fixing the issue for OGR & PostGIS layers for the package in jessie (6.4.1-5+deb8u1) & wheezy (6.0.1-3.2+deb7u3). See the attached debdiffs. The "sensitive information" are the credentials for the database configured in the mapfile which are reported in the error message. If the database is accessible over the network unauthorized users may gain access using the credentials from the error message. An example is provided in the the upstream issue [1] for the PostGIS layer, and similarly affects the OGR layer [2][3]. I don't think the issue is remotely exploitable, unless some way to force the database connection failure to occur is found. As long as the database is only accessible on the localhost, the impact is the issue is limited. Affected versions: * jessie: 6.4.1-5 * wheezy: 6.0.1-3.2+deb7u2 Fixed versions: * jessie: 6.4.1-5+deb8u1 * wheezy: 6.0.1-3.2+deb7u3 Are these changes OK for upload to security-master? [0] https://lists.osgeo.org/pipermail/mapserver-dev/2016-December/014979.html [1] https://github.com/mapserver/mapserver/pull/4928 [2] https://github.com/mapserver/mapserver/pull/5356 [3] http://gis.stackexchange.com/questions/219426/mapserver-hide-ogr-exception Kind Regards, Bas -- GPG Key ID: 4096R/6750F10AE88D4AF1 Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
diff -Nru mapserver-6.0.1/debian/changelog mapserver-6.0.1/debian/changelog
--- mapserver-6.0.1/debian/changelog 2014-01-10 04:15:18.000000000 +0100
+++ mapserver-6.0.1/debian/changelog 2016-12-05 23:15:27.000000000 +0100
@@ -1,3 +1,9 @@
+mapserver (6.0.1-3.2+deb7u3) wheezy-security; urgency=high
+
+ * Add upstream patch to fix CVE-2016-9839.
+
+ -- Bas Couwenberg <[email protected]> Mon, 05 Dec 2016 22:19:20 +0100
+
 mapserver (6.0.1-3.2+deb7u2) stable-proposed-updates; urgency=low
 
 * Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the
diff -Nru mapserver-6.0.1/debian/patches/0001-Backport-4928-and-5356.patch mapserver-6.0.1/debian/patches/0001-Backport-4928-and-5356.patch
--- mapserver-6.0.1/debian/patches/0001-Backport-4928-and-5356.patch 1970-01-01 01:00:00.000000000 +0100
+++ mapserver-6.0.1/debian/patches/0001-Backport-4928-and-5356.patch 2016-12-05 23:15:27.000000000 +0100
@@ -0,0 +1,97 @@
+From 889971607c1d01ff95bc45d1ba44bd92ba5aafb2 Mon Sep 17 00:00:00 2001
+From: Thomas Bonfort <[email protected]>
+Date: Thu, 1 Dec 2016 18:59:05 +0100
+Subject: Backport #4928 and #5356
+
+---
+ mapogr.cpp | 34 ++++++++++++++++++++--------------
+ mappostgis.c | 3 ++-
+ 2 files changed, 22 insertions(+), 15 deletions(-)
+
+--- a/mapogr.cpp
++++ b/mapogr.cpp
+@@ -1408,16 +1408,14 @@ msOGRFileOpen(layerObj *layer, const cha
+ 
+ if( hDS == NULL )
+ {
+- if( strlen(CPLGetLastErrorMsg()) == 0 )
+- msSetError(MS_OGRERR,
+- "Open failed for OGR connection in layer `%s'. "
+- "File not found or unsupported format.",
+- "msOGRFileOpen()",
+- layer->name?layer->name:"(null)" );
+- else
+- msSetError(MS_OGRERR,
++ msSetError(MS_OGRERR,
++ "Open failed for OGR connection in layer `%s'. "
++ "Check logs.",
++ "msOGRFileOpen()",
++ layer->name?layer->name:"(null)" );
++ if( strlen(CPLGetLastErrorMsg()) != 0 )
++ msDebug(
+ "Open failed for OGR connection in layer `%s'.\n%s\n",
+- "msOGRFileOpen()",
+ layer->name?layer->name:"(null)",
+ CPLGetLastErrorMsg() );
+ CPLFree( pszDSName );
+@@ -1467,8 +1465,11 @@ msOGRFileOpen(layerObj *layer, const cha
+ if( hLayer == NULL )
+ {
+ msSetError(MS_OGRERR,
+- "ExecuteSQL(%s) failed.\n%s",
++ "ExecuteSQL(%s) failed. Check logs",
+ "msOGRFileOpen()",
++ pszLayerDef);
++ msDebug(
++ "ExecuteSQL(%s) failed.\n%s",
+ pszLayerDef, CPLGetLastErrorMsg() );
+ RELEASE_OGR_LOCK;
+ msConnPoolRelease( layer, hDS );
+@@ -1481,8 +1482,10 @@ msOGRFileOpen(layerObj *layer, const cha
+ 
+ if (hLayer == NULL)
+ {
+- msSetError(MS_OGRERR, "GetLayer(%s) failed for OGR connection `%s'.",
++ msSetError(MS_OGRERR, "GetLayer(%s) failed for OGR connection. Check logs.",
+ "msOGRFileOpen()",
++ pszLayerDef);
++ msDebug("GetLayer(%s) failed for OGR connection `%s'.",
+ pszLayerDef, connection );
+ CPLFree( pszLayerDef );
+ msConnPoolRelease( layer, hDS );
+@@ -1635,8 +1638,11 @@ static int msOGRFileWhichShapes(layerObj
+ != OGRERR_NONE )
+ {
+ msSetError(MS_OGRERR,
+- "SetAttributeFilter(%s) failed on layer %s.\n%s",
++ "SetAttributeFilter(%s) failed on layer %s.",
+ "msOGRFileWhichShapes()",
++ layer->filter.string+6, layer->name?layer->name:"(null)");
++ msDebug(
++ "SetAttributeFilter(%s) failed on layer %s.\n%s",
+ layer->filter.string+6, layer->name?layer->name:"(null)",
+ CPLGetLastErrorMsg() );
+ RELEASE_OGR_LOCK;
+@@ -1852,8 +1858,8 @@ msOGRFileNextShape(layerObj *layer, shap
+ psInfo->last_record_index_read = -1;
+ if( CPLGetLastErrorType() == CE_Failure )
+ {
+- msSetError(MS_OGRERR, "%s", "msOGRFileNextShape()",
+- CPLGetLastErrorMsg() );
++ msSetError(MS_OGRERR, "error. check logs", "msOGRFileNextShape()");
++ msDebug("%s", CPLGetLastErrorMsg() );
+ RELEASE_OGR_LOCK;
+ return MS_FAILURE;
+ }
+--- a/mappostgis.c
++++ b/mappostgis.c
+@@ -2237,7 +2237,8 @@ int msPostGISLayerOpen(layerObj *layer)
+ }
+ }
+ 
+- msSetError(MS_QUERYERR, "Database connection failed (%s) with connect string '%s'\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?", "msPostGISLayerOpen()", PQerrorMessage(layerinfo->pgconn), maskeddata);
++ msDebug("Database connection failed (%s) with connect string '%s'\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?.\n", PQerrorMessage(layerinfo->pgconn), maskeddata);
++ msSetError(MS_QUERYERR, "Database connection failed.\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?", "msPostGISLayerOpen()");
+ 
+ free(maskeddata);
+ free(layerinfo);
diff -Nru mapserver-6.0.1/debian/patches/series mapserver-6.0.1/debian/patches/series
--- mapserver-6.0.1/debian/patches/series 2014-01-10 03:45:47.000000000 +0100
+++ mapserver-6.0.1/debian/patches/series 2016-12-05 23:15:27.000000000 +0100
@@ -3,3 +3,4 @@
 multiarch-libgd
 contenttype
 cve-2013-7262
+0001-Backport-4928-and-5356.patch
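Review bot: The new mappostgis.c msDebug string ends in `port?.\n`, a stray full stop that the paired msSetError text does not have; dropping the `.` keeps the logged and reported messages in step. In the msOGRFileOpen open-failure path the client-facing text now always says `Check logs.`, but msDebug runs only when `strlen(CPLGetLastErrorMsg()) != 0`, so the former "File not found or unsupported format" case logs nothing and the hint points at an empty log; an `else` branch that logs the layer name together with a note that OGR reported no error message would preserve that non-sensitive diagnosis. The msOGRFileNextShape debug line `msDebug("%s", CPLGetLastErrorMsg() );` carries no function name, unlike the jessie backport's `msDebug("msOGRFileNextShape() error: %s", CPLGetLastErrorMsg() );`, so the two backports could share the latter wording. The credential-bearing detail now goes wherever msDebug output is routed, so the fix relies on that destination not being client-readable, and whether `maskeddata` hides the password fully cannot be confirmed from this hunk. The first two points apply equally to the jessie patch hunk (mapserver-6.4.1/debian/patches/0001-Backport-4928-and-5356.patch).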
diff -Nru mapserver-6.4.1/debian/changelog mapserver-6.4.1/debian/changelog
--- mapserver-6.4.1/debian/changelog 2014-07-05 17:32:59.000000000 +0200
+++ mapserver-6.4.1/debian/changelog 2016-12-05 23:54:59.000000000 +0100
@@ -1,3 +1,9 @@
+mapserver (6.4.1-5+deb8u1) jessie-security; urgency=high
+
+ * Add upstream patch to fix CVE-2016-9839.
+
+ -- Bas Couwenberg <[email protected]> Mon, 05 Dec 2016 22:05:30 +0100
+
 mapserver (6.4.1-5) unstable; urgency=medium
 
 * Add debug package for libmapserver. Thanks to Frederic Junod for the patch.
diff -Nru mapserver-6.4.1/debian/patches/0001-Backport-4928-and-5356.patch mapserver-6.4.1/debian/patches/0001-Backport-4928-and-5356.patch
--- mapserver-6.4.1/debian/patches/0001-Backport-4928-and-5356.patch 1970-01-01 01:00:00.000000000 +0100
+++ mapserver-6.4.1/debian/patches/0001-Backport-4928-and-5356.patch 2016-12-05 23:53:24.000000000 +0100
@@ -0,0 +1,120 @@
+From 022d24bd34196b6dca67053fb797a6980210bc54 Mon Sep 17 00:00:00 2001
+From: Thomas Bonfort <[email protected]>
+Date: Thu, 1 Dec 2016 18:59:05 +0100
+Subject: Backport #4928 and #5356
+
+---
+ mapogr.cpp | 52 ++++++++++++++++++++++++++++------------------------
+ mappostgis.c | 4 ++--
+ 2 files changed, 30 insertions(+), 26 deletions(-)
+
+--- a/mapogr.cpp
++++ b/mapogr.cpp
+@@ -1118,18 +1118,15 @@ msOGRFileOpen(layerObj *layer, const cha
+ RELEASE_OGR_LOCK;
+ 
+ if( hDS == NULL ) {
+- if( strlen(CPLGetLastErrorMsg()) == 0 )
+- msSetError(MS_OGRERR,
+- "Open failed for OGR connection in layer `%s'. "
+- "File not found or unsupported format.",
+- "msOGRFileOpen()",
+- layer->name?layer->name:"(null)" );
+- else
+- msSetError(MS_OGRERR,
+- "Open failed for OGR connection in layer `%s'.\n%s\n",
+- "msOGRFileOpen()",
+- layer->name?layer->name:"(null)",
+- CPLGetLastErrorMsg() );
++ msSetError(MS_OGRERR,
++ "Open failed for OGR connection in layer `%s'. "
++ "Check logs.",
++ "msOGRFileOpen()",
++ layer->name?layer->name:"(null)" );
++ if( strlen(CPLGetLastErrorMsg()) != 0 )
++ msDebug("Open failed for OGR connection in layer `%s'.\n%s\n",
++ layer->name?layer->name:"(null)",
++ CPLGetLastErrorMsg() );
+ CPLFree( pszDSName );
+ CPLFree( pszLayerDef );
+ return NULL;
+@@ -1154,10 +1151,13 @@ msOGRFileOpen(layerObj *layer, const cha
+ ACQUIRE_OGR_LOCK;
+ hLayer = OGR_DS_ExecuteSQL( hDS, pszLayerDef, NULL, NULL );
+ if( hLayer == NULL ) {
+- msSetError(MS_OGRERR,
+- "ExecuteSQL(%s) failed.\n%s",
+- "msOGRFileOpen()",
+- pszLayerDef, CPLGetLastErrorMsg() );
++ msSetError(MS_OGRERR,
++ "ExecuteSQL(%s) failed. Check logs",
++ "msOGRFileOpen()",
++ pszLayerDef);
++ msDebug(
++ "ExecuteSQL(%s) failed.\n%s",
++ pszLayerDef, CPLGetLastErrorMsg() );
+ RELEASE_OGR_LOCK;
+ msConnPoolRelease( layer, hDS );
+ CPLFree( pszLayerDef );
+@@ -1189,9 +1189,11 @@ msOGRFileOpen(layerObj *layer, const cha
+ }
+ 
+ if (hLayer == NULL) {
+- msSetError(MS_OGRERR, "GetLayer(%s) failed for OGR connection `%s'.",
+- "msOGRFileOpen()",
+- pszLayerDef, connection );
++ msSetError(MS_OGRERR, "GetLayer(%s) failed for OGR connection. Check logs.",
++ "msOGRFileOpen()",
++ pszLayerDef);
++ msDebug("GetLayer(%s) failed for OGR connection `%s'.",
++ pszLayerDef, connection );
+ CPLFree( pszLayerDef );
+ msConnPoolRelease( layer, hDS );
+ return NULL;
+@@ -1356,10 +1358,12 @@ static int msOGRFileWhichShapes(layerObj
+ if( OGR_L_SetAttributeFilter( psInfo->hLayer, layer->filter.string+6 )
+ != OGRERR_NONE ) {
+ msSetError(MS_OGRERR,
+- "SetAttributeFilter(%s) failed on layer %s.\n%s",
++ "SetAttributeFilter(%s) failed on layer %s.",
+ "msOGRFileWhichShapes()",
+- layer->filter.string+6, layer->name?layer->name:"(null)",
+- CPLGetLastErrorMsg() );
++ layer->filter.string+6, layer->name?layer->name:"(null)");
++ msDebug("SetAttributeFilter(%s) failed on layer %s.\n%s",
++ layer->filter.string+6, layer->name?layer->name:"(null)",
++ CPLGetLastErrorMsg() );
+ RELEASE_OGR_LOCK;
+ return MS_FAILURE;
+ }
+@@ -1562,8 +1566,8 @@ msOGRFileNextShape(layerObj *layer, shap
+ if( (hFeature = OGR_L_GetNextFeature( psInfo->hLayer )) == NULL ) {
+ psInfo->last_record_index_read = -1;
+ if( CPLGetLastErrorType() == CE_Failure ) {
+- msSetError(MS_OGRERR, "%s", "msOGRFileNextShape()",
+- CPLGetLastErrorMsg() );
++ msSetError(MS_OGRERR, "OGR error. check logs", "msOGRFileNextShape()");
++ msDebug("msOGRFileNextShape() error: %s", CPLGetLastErrorMsg() );
+ RELEASE_OGR_LOCK;
+ return MS_FAILURE;
+ } else {
+--- a/mappostgis.c
++++ b/mappostgis.c
+@@ -2305,7 +2305,8 @@ int msPostGISLayerOpen(layerObj *layer)
+ }
+ }
+ 
+- msSetError(MS_QUERYERR, "Database connection failed (%s) with connect string '%s'\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?", "msPostGISLayerOpen()", PQerrorMessage(layerinfo->pgconn), maskeddata);
++ msDebug("Database connection failed (%s) with connect string '%s'\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?.\n", PQerrorMessage(layerinfo->pgconn), maskeddata);
++ msSetError(MS_QUERYERR, "Database connection failed.\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?", "msPostGISLayerOpen()");
+ 
+ free(maskeddata);
+ free(layerinfo);
+@@ -2327,7 +2328,6 @@ int msPostGISLayerOpen(layerObj *layer)
+ msSetError(MS_QUERYERR, "PostgreSQL database connection gone bad (%s)", "msPostGISLayerOpen()", PQerrorMessage(layerinfo->pgconn));
+ return MS_FAILURE;
+ }
+-
+ }
+ }
+ 
diff -Nru mapserver-6.4.1/debian/patches/series mapserver-6.4.1/debian/patches/series
--- mapserver-6.4.1/debian/patches/series 2014-07-05 17:32:59.000000000 +0200
+++ mapserver-6.4.1/debian/patches/series 2016-12-05 23:54:14.000000000 +0100
@@ -5,3 +5,4 @@
 cmake-mapserver-export.patch
 java-hardening.patch
 php56.patch
+0001-Backport-4928-and-5356.patch
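Review bot: The context lines of the inner `@@ -2327,7 +2328,6 @@` hunk show that `msSetError(MS_QUERYERR, "PostgreSQL database connection gone bad (%s)", "msPostGISLayerOpen()", PQerrorMessage(layerinfo->pgconn));` still forwards the raw libpq message on the path this backport treats as client-facing, and the patch leaves it as is. Whether PQerrorMessage can carry connection details in that failure mode is not visible here, but the msDebug/msSetError split applied a few lines earlier would make the two paths consistent: `msDebug("PostgreSQL database connection gone bad (%s)\n", PQerrorMessage(layerinfo->pgconn));` followed by `msSetError(MS_QUERYERR, "PostgreSQL database connection gone bad. Check logs.", "msPostGISLayerOpen()");`. msPostGISLayerOpen continues outside the hunk.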
