On 5/30/21 9:12 PM, Salvatore Bonaccorso wrote: > Sebastiaan, Sebastian, > > On Tue, May 25, 2021 at 09:57:28AM +0200, Sebastiaan Couwenberg wrote: >> Control: tags -1 - moreinfo >> >> On 5/25/21 9:45 AM, Sebastian Ramacher wrote: >>> On 2021-05-08 22:17:42 +0200, Sebastiaan Couwenberg wrote: >>>> On 5/8/21 9:18 PM, Sebastian Ramacher wrote: >>>>> On 2021-05-08 07:29:01 +0200, Bas Couwenberg wrote: >>>>>> Package: release.debian.org >>>>>> Severity: normal >>>>>> User: [email protected] >>>>>> Usertags: unblock >>>>>> >>>>>> Please unblock package mapserver to fix CVE-2021-32062 as reported in >>>>>> #988208. >>>>>> >>>>>> [ Reason ] >>>>>> Fix security issue. >>>>>> >>>>>> [ Impact ] >>>>>> Unfixed security issue. >>>>>> >>>>>> [ Tests ] >>>>>> Upstream CI. >>>>>> >>>>>> [ Risks ] >>>>>> Low, leaf package. >>>>>> >>>>>> [ Checklist ] >>>>>> [x] all changes are documented in the d/changelog >>>>>> [x] I reviewed all changes and I approve them >>>>>> [x] attach debdiff against the package in testing >>>>>> >>>>>> [ Other info ] >>>>>> 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is >>>>>> required as a dependency of >>>>>> 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch. >>>>>> >>>>>> unblock mapserver/7.6.2-2 >>>>> >>>>>> diff -Nru mapserver-7.6.2/debian/changelog >>>>>> mapserver-7.6.2/debian/changelog >>>>>> --- mapserver-7.6.2/debian/changelog 2020-12-09 06:01:02.000000000 >>>>>> +0100 >>>>>> +++ mapserver-7.6.2/debian/changelog 2021-05-08 07:12:18.000000000 >>>>>> +0200 
>>>>>> @@ -1,3 +1,12 @@ >>>>>> +mapserver (7.6.2-2) unstable; urgency=high >>>>>> + >>>>>> + * Drop unused lintian overrides. >>>>>> + * Add upstream patches to fix CVE-2021-32062. >>>>>> + (closes: #988208) >>>>>> + * Update symbols file. >>>>>> + >>>>>> + -- Bas Couwenberg <[email protected]> Sat, 08 May 2021 07:12:18 >>>>>> +0200 >>>>>> + >>>>>> mapserver (7.6.2-1) unstable; urgency=medium >>>>>> >>>>>> * Update symbols for other architectures. >>>>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.lintian-overrides >>>>>> mapserver-7.6.2/debian/libmapserver2.lintian-overrides >>>>>> --- mapserver-7.6.2/debian/libmapserver2.lintian-overrides >>>>>> 2020-08-06 05:34:57.000000000 +0200 >>>>>> +++ mapserver-7.6.2/debian/libmapserver2.lintian-overrides >>>>>> 1970-01-01 01:00:00.000000000 +0100 >>>>>> @@ -1,3 +0,0 @@ >>>>>> -# Cannot easily be fixed >>>>>> -file-references-package-build-path * >>>>>> - >>>>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.symbols >>>>>> mapserver-7.6.2/debian/libmapserver2.symbols >>>>>> --- mapserver-7.6.2/debian/libmapserver2.symbols 2020-12-09 >>>>>> 06:00:39.000000000 +0100 >>>>>> +++ mapserver-7.6.2/debian/libmapserver2.symbols 2021-05-08 >>>>>> 07:11:08.000000000 +0200 >>>>>> @@ -945,6 +945,7 @@ >>>>>> msCSVJoinPrepare@Base 6.2.1 >>>>>> msCairoCleanup@Base 6.2.1 >>>>>> msCalculateScale@Base 6.2.1 >>>>>> + msCaseEvalRegex@Base 7.6.2 >>>>>> msCaseReplaceSubstring@Base 6.2.1 >>>>>> msCheckLabelMinDistance@Base 7.0.0 >>>>>> msCheckParentPointer@Base 6.2.1 
>>>>>> @@ -1418,6 +1419,7 @@ >>>>>> msIsGlyphASpace@Base 7.2.0 >>>>>> msIsLayerQueryable@Base 6.2.1 >>>>>> msIsOuterRing@Base 6.2.1 >>>>>> + msIsValidRegex@Base 7.6.2 >>>>> >>>>> This version is not high enough. The symbols need to be marked as >>>>> requiring 7.6.2-2~ >>>> >>>> There are no rdeps of mapserver in Debian, so no users of the symbols file. >>> >>> It's technically wrong. If you introduce symbols with a patch, the >>> symbols need to be properly versioned. After all, there is a user of the >>> symbols file and that is mapserver itself. If you have to introduce >>> calls to those two symbols outside of libmapserver in the next patch, >>> the dependency on libmapserver is wrong. >> >> libmapserver-dev already depends on libmapserver2 with (= >> ${binary:Version}). >> >> None of the other binary packages require symbols introduced after 7.0.5. >> >> All the code using msCaseEvalRegex & msIsValidRegex is within >> libmapserver itself. >> >> While strictly speaking the version in the symbols file should include >> the revision, it's not required in this case because nothing outside >> libmapserver uses it. >> >>>>> Please remove the moreinfo tag once that fixed version is available in >>>>> unstable. >>>> >>>> mapserver (7.6.2-2) has been uploaded to unstable without further >>>> changes to the symbols file. >>> >>> Again, please remove the moreinfo tag only once a fixed version is >>> available in unstable. >> >> There is no need for further changes in unstable. > > Sebastian (the release team member), is there anything from the above > which you still want the maintainer to address? Sebastiaan, my > understanding is that Sebastian would like to see the above changes done > for mapserver to be unblocked.
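Review bot: in both libmapserver2.symbols hunks the added entries `+ msCaseEvalRegex@Base 7.6.2` and `+ msIsValidRegex@Base 7.6.2` claim the symbols exist from upstream 7.6.2, but the changelog hunk shows they are introduced by the patches added in the 7.6.2-2 Debian revision, so the 7.6.2-1 build already in testing does not export them; tagging them `7.6.2-2~` makes dpkg-shlibdeps emit a dependency that excludes 7.6.2-1 should any consumer outside the source package ever link against them, and it costs nothing even if, as stated above, the only caller today is libmapserver itself.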
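Review bot: the libmapserver2.lintian-overrides deletion hunk (dropping the `file-references-package-build-path` override) is unrelated to CVE-2021-32062, while the unblock request gives "Fix security issue" as the sole reason; a freeze debdiff is easier to review when it carries only the targeted fix, so either explain in [ Other info ] why the override drop is bundled here or defer it to a later upload.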
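Review bot: the changelog hunk's entry "Add upstream patches to fix CVE-2021-32062" does not name the patches, although [ Other info ] lists 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch and 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch and explains that the first is only a dependency of the second; listing both file names in the changelog entry lets anyone reading the package history trace the security fix without the bug report.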
That's my understanding too, but the additional information provided should make clear that those changes are not required. Kind Regards, Bas -- GPG Key ID: 4096R/6750F10AE88D4AF1 Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1

