Package: release.debian.org Severity: normal User: [email protected] Usertags: opu
Package: release.debian.org Severity: normal User: [email protected] Usertags: opu Dear Release Team, The MapServer project has released stable updates for every major release from 5.6.x up fixing a security issue which allows a potential leakage of information through an SQL injection when using TIME filtering in conjunction with PostGIS backends. More information can be found in the dedicated upstream issue: #4834 https://github.com/mapserver/mapserver/issues/4834 I've included the patch for this minor vulnerability from MapServer 5.6.9 in the new mapserver 5.6.5-2+squeeze3. The proposed-update also includes two fixes for building the package. The squeeze package contained debhelper.log files in the debian/ directory, which caused problems for clean pbuilder builds so they were removed. And dpatch insisted in changing the permissions. I've included these changes in the squeeze package too. Is this acceptable for upload to squeeze-proposed-updates? Kind Regards, Bas
diff -u mapserver-5.6.5/debian/changelog mapserver-5.6.5/debian/changelog --- mapserver-5.6.5/debian/changelog +++ mapserver-5.6.5/debian/changelog @@ -1,3 +1,12 @@ +mapserver (5.6.5-2+squeeze3) oldstable-proposed-updates; urgency=low + + * Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the + msPostGISLayerSetTimeFilter function in mappostgis.c. + (closes: #734565) + * Remove debhelper log files to allow clean builds. + + -- Bas Couwenberg <[email protected]> Fri, 10 Jan 2014 04:21:27 +0100 + mapserver (5.6.5-2+squeeze2) stable-security; urgency=high * Fix possible SQL injection in WFS (CVE-2011-2703). reverted: --- mapserver-5.6.5/debian/mapserver-bin.debhelper.log +++ mapserver-5.6.5.orig/debian/mapserver-bin.debhelper.log @@ -1,5 +0,0 @@ -dh_prep -dh_prep -dh_prep -dh_prep -dh_prep reverted: --- mapserver-5.6.5/debian/libmapscript-ruby.debhelper.log +++ mapserver-5.6.5.orig/debian/libmapscript-ruby.debhelper.log @@ -1,5 +0,0 @@ -dh_prep -dh_prep -dh_prep -dh_prep -dh_prep reverted: --- mapserver-5.6.5/debian/cgi-mapserver.debhelper.log +++ mapserver-5.6.5.orig/debian/cgi-mapserver.debhelper.log @@ -1,5 +0,0 @@ -dh_prep -dh_prep -dh_prep -dh_prep -dh_prep diff -u mapserver-5.6.5/debian/rules mapserver-5.6.5/debian/rules --- mapserver-5.6.5/debian/rules +++ mapserver-5.6.5/debian/rules @@ -155,6 +155,7 @@ clean: unpatch clean-first-build dh_testdir dh_prep + -$(RM) debian/*.debhelper.log -$(RM) configure-php5-stamp build-php5-stamp install-arch-stamp install-indep-stamp install-php5-stamp [ ! -f Makefile ] || $(MAKE) distclean reverted: --- mapserver-5.6.5/debian/php5-mapscript.debhelper.log +++ mapserver-5.6.5.orig/debian/php5-mapscript.debhelper.log @@ -1,5 +0,0 @@ -dh_prep -dh_prep -dh_prep -dh_prep -dh_prep reverted: --- mapserver-5.6.5/debian/perl-mapscript.debhelper.log +++ mapserver-5.6.5.orig/debian/perl-mapscript.debhelper.log @@ -1,5 +0,0 @@ -dh_prep -dh_prep -dh_prep -dh_prep -dh_prep reverted: --- mapserver-5.6.5/debian/libmapscript-ruby1.9.1.debhelper.log +++ mapserver-5.6.5.orig/debian/libmapscript-ruby1.9.1.debhelper.log @@ -1,5 +0,0 @@ -dh_prep -dh_prep -dh_prep -dh_prep -dh_prep reverted: --- mapserver-5.6.5/debian/mapserver-doc.debhelper.log +++ mapserver-5.6.5.orig/debian/mapserver-doc.debhelper.log @@ -1,5 +0,0 @@ -dh_prep -dh_prep -dh_prep -dh_prep -dh_prep reverted: --- mapserver-5.6.5/debian/libmapscript-ruby1.8.debhelper.log +++ mapserver-5.6.5.orig/debian/libmapscript-ruby1.8.debhelper.log @@ -1,5 +0,0 @@ -dh_prep -dh_prep -dh_prep -dh_prep -dh_prep diff -u mapserver-5.6.5/debian/control mapserver-5.6.5/debian/control --- mapserver-5.6.5/debian/control +++ mapserver-5.6.5/debian/control @@ -2,7 +2,7 @@ Section: devel Priority: optional Maintainer: Debian GIS Project <[email protected]> -Uploaders: Francesco Paolo Lovergine <[email protected]>, Alan Boudreault <[email protected]> +Uploaders: Francesco Paolo Lovergine <[email protected]>, Alan Boudreault <[email protected]>, Bas Couwenberg <[email protected]> Standards-Version: 3.9.0 Build-Depends: debhelper (>= 7), dpatch, libcurl4-gnutls-dev, libpng12-dev, zlib1g-dev (>= 1.1.4), libgd2-xpm-dev (>= 2.0.1-10), libfreetype6-dev (>= 2.0.9), libjpeg62-dev, libgdal1-dev (>=1.4.0), libproj-dev, reverted: --- mapserver-5.6.5/debian/python-mapscript.debhelper.log +++ mapserver-5.6.5.orig/debian/python-mapscript.debhelper.log @@ -1,5 +0,0 @@ -dh_prep -dh_prep -dh_prep -dh_prep -dh_prep diff -u mapserver-5.6.5/debian/patches/00list mapserver-5.6.5/debian/patches/00list --- mapserver-5.6.5/debian/patches/00list +++ mapserver-5.6.5/debian/patches/00list @@ -2,0 +3 @@ +cve-2013-7262 only in patch2: unchanged: --- mapserver-5.6.5.orig/debian/patches/cve-2013-7262.dpatch +++ mapserver-5.6.5/debian/patches/cve-2013-7262.dpatch @@ -0,0 +1,22 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## cve-2013-7262.dpatch by Bas Couwenberg <[email protected]> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mapserver~/mappostgis.c mapserver/mappostgis.c +--- mapserver~/mappostgis.c 2014-01-08 22:42:12.000000000 +0100 ++++ mapserver/mappostgis.c 2014-01-08 22:42:18.000000000 +0100 +@@ -2153,6 +2153,11 @@ + if (!lp || !timestring || !timefield) + return MS_FALSE; + ++ if( strchr(timestring,'\'') || strchr(timestring, '\\') ) { ++ msSetError(MS_MISCERR, "Invalid time filter.", "msPostGISLayerSetTimeFilter()"); ++ return MS_FALSE; ++ } ++ + if (strstr(timestring, ",") == NULL && + strstr(timestring, "/") == NULL) /* discrete time */ + tmpstimestring = strdup(timestring);
