Author: aboudreault-guest Date: 2009-07-14 17:58:33 +0000 (Tue, 14 Jul 2009) New Revision: 2355
Added: packages/mapserver/branches/etch/4.10.0/debian/patches/80_CVE-2007-4542.dpatch packages/mapserver/branches/etch/4.10.0/debian/patches/81_CVE-2007-4629.dpatch packages/mapserver/branches/etch/4.10.0/debian/patches/82_CVE-2009-0839.dpatch packages/mapserver/branches/etch/4.10.0/debian/patches/83_CVE-2009-0840-CVE-2009-2281.dpatch packages/mapserver/branches/etch/4.10.0/debian/patches/84_CVE-2009-0841.dpatch packages/mapserver/branches/etch/4.10.0/debian/patches/85_CVE-2009-0842.dpatch packages/mapserver/branches/etch/4.10.0/debian/patches/86_CVE-2009-0843.dpatch Removed: packages/mapserver/branches/etch/4.10.0/debian/patches/80_xss.dpatch Modified: packages/mapserver/branches/etch/4.10.0/debian/changelog packages/mapserver/branches/etch/4.10.0/debian/patches/00list Log: Security patch for etch Modified: packages/mapserver/branches/etch/4.10.0/debian/changelog =================================================================== --- packages/mapserver/branches/etch/4.10.0/debian/changelog 2009-07-14 15:33:49 UTC (rev 2354) +++ packages/mapserver/branches/etch/4.10.0/debian/changelog 2009-07-14 17:58:33 UTC (rev 2355) 
@@ -1,12 +1,26 @@ -mapserver (4.10.0-5+etch2) stable-security; urgency=high +mapserver (4.10.0-5.1+etch3) stable-security; urgency=high - * Fixed XSS vulnerabilities. - - Added 80_xss.dpatch. Patch provided by upstream with minor modifications - to apply correctly. - [http://trac.osgeo.org/mapserver/ticket/2256] + * Fix stack-based buffer overflow (CVE-2009-0839). + * Fix heap-based buffer underflow (CVE-2009-0840, CVE-2009-2281). + * Fix relative file path writing (CVE-2009-0841). + * Fix file data leakage (CVE-2009-0842). + * Fix file existence leakage (CVE-2009-0843). - -- Andreas Putzo <andr...@putzo.net> Tue, 28 Aug 2007 20:19:05 +0000 + -- Alan Boudreault <aboudrea...@mapgears.com> Tue, 14 Jul 2009 10:00:12 -0400 +mapserver (4.10.0-5.1+etch2) stable-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Apply upstream patches fixing two vulnerabilities: + - CVE-2007-4542: Cross-site scripting (XSS) vulnerabilities using + mapserver's writeError function (upstream fix also addresses + a potential buffer overflow) + - CVE-2007-4629: Multiple stack buffer overflow vulnerabilities + in template handlers, potentially allowing the execution of + arbitrary code via a maliciously crafted map file + + -- Devin Carraway <de...@debian.org> Tue, 1 Apr 2008 08:00:05 +0000 + mapserver (4.10.0-5+etch1) testing; urgency=low * debian/po/ja.po: added, thanks to Kobayashi Noritada. (Closes: #413119) Modified: packages/mapserver/branches/etch/4.10.0/debian/patches/00list =================================================================== --- packages/mapserver/branches/etch/4.10.0/debian/patches/00list 2009-07-14 15:33:49 UTC (rev 2354) +++ packages/mapserver/branches/etch/4.10.0/debian/patches/00list 2009-07-14 17:58:33 UTC (rev 2355) 
@@ -1,4 +1,10 @@
 20_php_build
 50_clean
 70_ptrreturn
-80_xss
+80_CVE-2007-4542.dpatch
+81_CVE-2007-4629.dpatch
+82_CVE-2009-0839
+83_CVE-2009-0840-CVE-2009-2281
+84_CVE-2009-0841
+85_CVE-2009-0842
+86_CVE-2009-0843
Added: packages/mapserver/branches/etch/4.10.0/debian/patches/80_CVE-2007-4542.dpatch
===================================================================
--- packages/mapserver/branches/etch/4.10.0/debian/patches/80_CVE-2007-4542.dpatch (rev 0)
+++ packages/mapserver/branches/etch/4.10.0/debian/patches/80_CVE-2007-4542.dpatch 2009-07-14 17:58:33 UTC (rev 2355)
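Review bot: The new 00list entries mix two spellings: `80_CVE-2007-4542.dpatch` and `81_CVE-2007-4629.dpatch` carry the `.dpatch` suffix while `82_CVE-2009-0839` through `86_CVE-2009-0843` do not. dpatch presumably resolves both forms, but the list reads as if the first two were a different kind of entry; drop the suffix on those two lines so the series is written consistently.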
@@ -0,0 +1,72 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 80_CVE-2007-4542.dpatch by Devin Carraway <de...@debian.org> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Upstream patch for CVE-2007-4542, fixing overflows in template +## DP: handlers and an XSS vulnerability. + + +...@dpatch@ +Index: maptemplate.c +=================================================================== +--- a/maptemplate.c (revision 6672) ++++ b/maptemplate.c (working copy) +@@ -2790,10 +2790,15 @@ + } /* end query mode specific substitutions */ + + for(i=0;i<msObj->request->NumParams;i++) { +- sprintf(substr, "[%s]", msObj->request->ParamNames[i]); +- outstr = gsub(outstr, substr, msObj->request->ParamValues[i]); +- sprintf(substr, "[%s_esc]", msObj->request->ParamNames[i]); ++ /* Replace [variable] tags using values from URL. We cannot offer a ++ * [variable_raw] option here due to the risk of XSS ++ */ ++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s]", msObj->request->ParamNames[i]); ++ encodedstr = msEncodeHTMLEntities(msObj->request->ParamValues[i]); ++ outstr = gsub(outstr, substr, encodedstr); ++ free(encodedstr); + ++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_esc]", msObj->request->ParamNames[i]); + encodedstr = msEncodeUrl(msObj->request->ParamValues[i]); + outstr = gsub(outstr, substr, encodedstr); + free(encodedstr); +Index: mapserv.c +=================================================================== +--- a/mapserv.c (revision 6672) ++++ b/mapserv.c (working copy) +@@ -177,7 +177,7 @@ + msIO_printf("<HEAD><TITLE>MapServer Message</TITLE></HEAD>\n"); + msIO_printf("<!-- %s -->\n", msGetVersion()); + msIO_printf("<BODY BGCOLOR=\"#FFFFFF\">\n"); +- msWriteError(stdout); ++ msWriteErrorXML(stdout); + msIO_printf("</BODY></HTML>"); + msCleanup(); + exit(0); +@@ -191,7 +191,7 @@ + msIO_printf("<HEAD><TITLE>MapServer Message</TITLE></HEAD>\n"); + msIO_printf("<!-- %s -->\n", msGetVersion()); + msIO_printf("<BODY BGCOLOR=\"#FFFFFF\">\n"); +- 
msWriteError(stdout); ++ msWriteErrorXML(stdout); + msIO_printf("</BODY></HTML>"); + } + } else { +@@ -203,7 +203,7 @@ + msIO_printf("<HEAD><TITLE>MapServer Message</TITLE></HEAD>\n"); + msIO_printf("<!-- %s -->\n", msGetVersion()); + msIO_printf("<BODY BGCOLOR=\"#FFFFFF\">\n"); +- msWriteError(stdout); ++ msWriteErrorXML(stdout); + msIO_printf("</BODY></HTML>"); + } + } else { +@@ -212,7 +212,7 @@ + msIO_printf("<HEAD><TITLE>MapServer Message</TITLE></HEAD>\n"); + msIO_printf("<!-- %s -->\n", msGetVersion()); + msIO_printf("<BODY BGCOLOR=\"#FFFFFF\">\n"); +- msWriteError(stdout); ++ msWriteErrorXML(stdout); + msIO_printf("</BODY></HTML>"); + } + } Property changes on: packages/mapserver/branches/etch/4.10.0/debian/patches/80_CVE-2007-4542.dpatch ___________________________________________________________________ Added: svn:executable + * Deleted: packages/mapserver/branches/etch/4.10.0/debian/patches/80_xss.dpatch =================================================================== --- packages/mapserver/branches/etch/4.10.0/debian/patches/80_xss.dpatch 2009-07-14 15:33:49 UTC (rev 2354) +++ packages/mapserver/branches/etch/4.10.0/debian/patches/80_xss.dpatch 2009-07-14 17:58:33 UTC (rev 2355) 
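Review bot: The return value of the two new `snprintf(substr, PROCESSLINE_BUFLEN, ...)` calls in the maptemplate.c part is not checked, so a request parameter name at or above PROCESSLINE_BUFLEN characters yields a silently truncated tag without its closing `]`, which is then handed to gsub as the search pattern. Since ParamNames[i] comes from the request, skip such names rather than substituting a partial pattern, e.g. `if(snprintf(substr, PROCESSLINE_BUFLEN, "[%s]", msObj->request->ParamNames[i]) >= PROCESSLINE_BUFLEN) continue;` and the same guard for the `[%s_esc]` form. The 81_CVE-2007-4629.dpatch hunk makes the same sprintf-to-snprintf change at many more sites and inherits the same unchecked truncation, though there the tag names come from the mapfile rather than the request. The declaration of substr and the rest of the enclosing function are outside the hunk, so PROCESSLINE_BUFLEN being substr's real size is assumed here.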
@@ -1,78 +0,0 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 80_xss.dpatch by Andreas Putzo <andr...@putzo.net> -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: Fix XSS vulnerabilities. -## DP: http://trac.osgeo.org/mapserver/ticket/2256 - -...@dpatch@ -diff -urNad mapserver-4.10.0~/HISTORY.TXT mapserver-4.10.0/HISTORY.TXT ---- mapserver-4.10.0~/HISTORY.TXT 2006-10-02 17:30:32.000000000 +0000 -+++ mapserver-4.10.0/HISTORY.TXT 2007-08-28 19:53:30.000000000 +0000 -@@ -16,6 +16,8 @@ - Version 4.10.0 (2006-10-04) - --------------------------- - -+- Fixed XSS vulnerabilities (#2256) -+ - - No source code changes since 4.10.0-rc1 - - Known issues in 4.10.0: -diff -urNad mapserver-4.10.0~/mapserv.c mapserver-4.10.0/mapserv.c ---- mapserver-4.10.0~/mapserv.c 2006-08-29 01:56:53.000000000 +0000 -+++ mapserver-4.10.0/mapserv.c 2007-08-28 19:53:30.000000000 +0000 -@@ -183,7 +183,7 @@ - msIO_printf("<HEAD><TITLE>MapServer Message</TITLE></HEAD>\n"); - msIO_printf("<!-- %s -->\n", msGetVersion()); - msIO_printf("<BODY BGCOLOR=\"#FFFFFF\">\n"); -- msWriteError(stdout); -+ msWriteErrorXML(stdout); - msIO_printf("</BODY></HTML>"); - msFreeMapServObj(msObj); - msCleanup(); -@@ -198,7 +198,7 @@ - msIO_printf("<HEAD><TITLE>MapServer Message</TITLE></HEAD>\n"); - msIO_printf("<!-- %s -->\n", msGetVersion()); - msIO_printf("<BODY BGCOLOR=\"#FFFFFF\">\n"); -- msWriteError(stdout); -+ msWriteErrorXML(stdout); - msIO_printf("</BODY></HTML>"); - } - } else { -@@ -210,7 +210,7 @@ - msIO_printf("<HEAD><TITLE>MapServer Message</TITLE></HEAD>\n"); - msIO_printf("<!-- %s -->\n", msGetVersion()); - msIO_printf("<BODY BGCOLOR=\"#FFFFFF\">\n"); -- msWriteError(stdout); -+ msWriteErrorXML(stdout); - msIO_printf("</BODY></HTML>"); - } - } else { -@@ -219,7 +219,7 @@ - msIO_printf("<HEAD><TITLE>MapServer Message</TITLE></HEAD>\n"); - msIO_printf("<!-- %s -->\n", msGetVersion()); - msIO_printf("<BODY BGCOLOR=\"#FFFFFF\">\n"); -- msWriteError(stdout); -+ 
msWriteErrorXML(stdout); - msIO_printf("</BODY></HTML>"); - } - } -diff -urNad mapserver-4.10.0~/maptemplate.c mapserver-4.10.0/maptemplate.c ---- mapserver-4.10.0~/maptemplate.c 2006-09-29 20:52:05.000000000 +0000 -+++ mapserver-4.10.0/maptemplate.c 2007-08-28 19:53:30.000000000 +0000 -@@ -2965,10 +2965,12 @@ - } /* end query mode specific substitutions */ - - for(i=0;i<msObj->request->NumParams;i++) { -- sprintf(substr, "[%s]", msObj->request->ParamNames[i]); -- outstr = gsub(outstr, substr, msObj->request->ParamValues[i]); -- sprintf(substr, "[%s_esc]", msObj->request->ParamNames[i]); -+ snprintf(substr, PROCESSLINE_BUFLEN, "[%s]", msObj->request->ParamNames[i]); -+ encodedstr = msEncodeHTMLEntities(msObj->request->ParamValues[i]); -+ outstr = gsub(outstr, substr, encodedstr); -+ free(encodedstr); - -+ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_esc]", msObj->request->ParamNames[i]); - encodedstr = msEncodeUrl(msObj->request->ParamValues[i]); - outstr = gsub(outstr, substr, encodedstr); - free(encodedstr); Added: packages/mapserver/branches/etch/4.10.0/debian/patches/81_CVE-2007-4629.dpatch =================================================================== --- packages/mapserver/branches/etch/4.10.0/debian/patches/81_CVE-2007-4629.dpatch (rev 0) +++ packages/mapserver/branches/etch/4.10.0/debian/patches/81_CVE-2007-4629.dpatch 2009-07-14 17:58:33 UTC (rev 2355) 
@@ -0,0 +1,131 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 81_CVE-2007-4629.dpatch by Devin Carraway <de...@debian.org> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Upstream patch for CVE-2007-4629, fixing buffer overflows +## DP: in template handlers. + + +...@dpatch@ +Index: /branches/branch-4-10/mapserver/HISTORY.TXT +=================================================================== +--- mapserver/maptemplate.c (revision 6043) ++++ mapserver/maptemplate.c (revision 6668) +@@ -2602,26 +2602,26 @@ + if(isOn(msObj, msObj->Map->layers[i].name, msObj->Map->layers[i].group) == MS_TRUE) { + if(msObj->Map->layers[i].group) { +- sprintf(substr, "[%s_select]", msObj->Map->layers[i].group); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_select]", msObj->Map->layers[i].group); + outstr = gsub(outstr, substr, "selected=\"selected\""); +- sprintf(substr, "[%s_check]", msObj->Map->layers[i].group); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_check]", msObj->Map->layers[i].group); + outstr = gsub(outstr, substr, "checked=\"checked\""); + } + if(msObj->Map->layers[i].name) { +- sprintf(substr, "[%s_select]", msObj->Map->layers[i].name); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_select]", msObj->Map->layers[i].name); + outstr = gsub(outstr, substr, "selected=\"selected\""); +- sprintf(substr, "[%s_check]", msObj->Map->layers[i].name); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_check]", msObj->Map->layers[i].name); + outstr = gsub(outstr, substr, "checked=\"checked\""); + } + } else { + if(msObj->Map->layers[i].group) { +- sprintf(substr, "[%s_select]", msObj->Map->layers[i].group); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_select]", msObj->Map->layers[i].group); + outstr = gsub(outstr, substr, ""); +- sprintf(substr, "[%s_check]", msObj->Map->layers[i].group); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_check]", msObj->Map->layers[i].group); + outstr = gsub(outstr, substr, ""); + } + if(msObj->Map->layers[i].name) { +- 
sprintf(substr, "[%s_select]", msObj->Map->layers[i].name); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_select]", msObj->Map->layers[i].name); + outstr = gsub(outstr, substr, ""); +- sprintf(substr, "[%s_check]", msObj->Map->layers[i].name); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_check]", msObj->Map->layers[i].name); + outstr = gsub(outstr, substr, ""); + } +@@ -2667,7 +2667,7 @@ + if (msObj->Map->web.metadata.items[j] != NULL) { + for(tp=msObj->Map->web.metadata.items[j]; tp!=NULL; tp=tp->next) { +- sprintf(substr, "[web_%s]", tp->key); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[web_%s]", tp->key); + outstr = gsub(outstr, substr, tp->data); +- sprintf(substr, "[web_%s_esc]", tp->key); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[web_%s_esc]", tp->key); + + encodedstr = msEncodeUrl(tp->data); +@@ -2685,10 +2685,10 @@ + if(msObj->Map->layers[i].metadata.items[j] != NULL) { + for(tp=msObj->Map->layers[i].metadata.items[j]; tp!=NULL; tp=tp->next) { +- sprintf(substr, "[%s_%s]", msObj->Map->layers[i].name, tp->key); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_%s]", msObj->Map->layers[i].name, tp->key); + if(msObj->Map->layers[i].status == MS_ON) + outstr = gsub(outstr, substr, tp->data); + else + outstr = gsub(outstr, substr, ""); +- sprintf(substr, "[%s_%s_esc]", msObj->Map->layers[i].name, tp->key); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_%s_esc]", msObj->Map->layers[i].name, tp->key); + if(msObj->Map->layers[i].status == MS_ON) { + encodedstr = msEncodeUrl(tp->data); +@@ -2848,8 +2848,8 @@ + if(msObj->ResultLayer->metadata.items[i] != NULL) { + for(tp=msObj->ResultLayer->metadata.items[i]; tp!=NULL; tp=tp->next) { +- sprintf(substr, "[metadata_%s]", tp->key); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[metadata_%s]", tp->key); + outstr = gsub(outstr, substr, tp->data); + +- sprintf(substr, "[metadata_%s_esc]", tp->key); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[metadata_%s_esc]", tp->key); + encodedstr = msEncodeUrl(tp->data); + outstr = gsub(outstr, substr, 
encodedstr); +@@ -2905,5 +2905,5 @@ + for(i=0;i<msObj->ResultLayer->numitems;i++) { + /* by default let's encode attributes for HTML presentation */ +- sprintf(substr, "[%s]", msObj->ResultLayer->items[i]); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s]", msObj->ResultLayer->items[i]); + if(strstr(outstr, substr) != NULL) { + encodedstr = msEncodeHTMLEntities(msObj->ResultShape.values[i]); +@@ -2913,5 +2913,5 @@ + + /* of course you might want to embed that data in URLs */ +- sprintf(substr, "[%s_esc]", msObj->ResultLayer->items[i]); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_esc]", msObj->ResultLayer->items[i]); + if(strstr(outstr, substr) != NULL) { + encodedstr = msEncodeUrl(msObj->ResultShape.values[i]); +@@ -2921,5 +2921,5 @@ + + /* or you might want to access the attributes unaltered */ +- sprintf(substr, "[%s_raw]", msObj->ResultLayer->items[i]); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_raw]", msObj->ResultLayer->items[i]); + if(strstr(outstr, substr) != NULL) + outstr = gsub(outstr, substr, msObj->ResultShape.values[i]); +@@ -2934,5 +2934,5 @@ + for(j=0;j<msObj->ResultLayer->joins[i].numitems;j++) { + /* by default let's encode attributes for HTML presentation */ +- sprintf(substr, "[%s_%s]", msObj->ResultLayer->joins[i].name, msObj->ResultLayer->joins[i].items[j]); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_%s]", msObj->ResultLayer->joins[i].name, msObj->ResultLayer->joins[i].items[j]); + if(strstr(outstr, substr) != NULL) { + encodedstr = msEncodeHTMLEntities(msObj->ResultLayer->joins[i].values[j]); +@@ -2942,5 +2942,5 @@ + + /* of course you might want to embed that data in URLs */ +- sprintf(substr, "[%s_%s_esc]", msObj->ResultLayer->joins[i].name, msObj->ResultLayer->joins[i].items[j]); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_%s_esc]", msObj->ResultLayer->joins[i].name, msObj->ResultLayer->joins[i].items[j]); + if(strstr(outstr, substr) != NULL) { + encodedstr = msEncodeUrl(msObj->ResultLayer->joins[i].values[j]); +@@ -2950,5 +2950,5 @@ + + 
/* or you might want to access the attributes unaltered */ +- sprintf(substr, "[%s_%s_raw]", msObj->ResultLayer->joins[i].name, msObj->ResultLayer->joins[i].items[j]); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_%s_raw]", msObj->ResultLayer->joins[i].name, msObj->ResultLayer->joins[i].items[j]); + if(strstr(outstr, substr) != NULL) + outstr = gsub(outstr, substr, msObj->ResultLayer->joins[i].values[j]); +@@ -2957,5 +2957,5 @@ + char *joinTemplate=NULL; + +- sprintf(substr, "[join_%s]", msObj->ResultLayer->joins[i].name); ++ snprintf(substr, PROCESSLINE_BUFLEN, "[join_%s]", msObj->ResultLayer->joins[i].name); + if(strstr(outstr, substr) != NULL) { + joinTemplate = processOneToManyJoin(msObj, &(msObj->ResultLayer->joins[i])); Property changes on: packages/mapserver/branches/etch/4.10.0/debian/patches/81_CVE-2007-4629.dpatch ___________________________________________________________________ Added: svn:executable + * Added: packages/mapserver/branches/etch/4.10.0/debian/patches/82_CVE-2009-0839.dpatch =================================================================== --- packages/mapserver/branches/etch/4.10.0/debian/patches/82_CVE-2009-0839.dpatch (rev 0) +++ packages/mapserver/branches/etch/4.10.0/debian/patches/82_CVE-2009-0839.dpatch 2009-07-14 17:58:33 UTC (rev 2355) 
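Review bot: The embedded patch's `Index: /branches/branch-4-10/mapserver/HISTORY.TXT` header names a different file from the `--- mapserver/maptemplate.c` / `+++ mapserver/maptemplate.c` lines that follow it. patch(1) normally takes the target from the ---/+++ pair, so this probably applies as intended, but the stray header misleads anyone reading the patch; replace it with `Index: mapserver/maptemplate.c`. Whether the dpatch-run invocation prefers the Index line or the ---/+++ names when they disagree is not visible here, so it is worth confirming on a clean build.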
@@ -0,0 +1,281 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 82_CVE-2009-0839.dpatch by Alan Boudreault <aboudrea...@mapgears.com> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +...@dpatch@ +diff -urNad mapserver-4.10.0~/map.h mapserver-4.10.0/map.h +--- mapserver-4.10.0~/map.h 2006-10-04 10:54:49.000000000 -0400 ++++ mapserver-4.10.0/map.h 2009-07-14 13:06:22.521857713 -0400 +@@ -242,7 +242,9 @@ + /* General defines, not wrapable */ + #ifndef SWIG + #define MS_DEFAULT_MAPFILE_PATTERN "\\.map$" +-#define MS_TEMPLATE_EXPR "\\.(jsp|asp|cfm|xml|wml|html|htm|shtml|phtml|php|svg)$" ++ ++#define MS_TEMPLATE_MAGIC_STRING "MapServer Template" ++#define MS_TEMPLATE_EXPR "\\.(xml|wml|html|htm|svg|kml|gml|js|tmpl)$" + + #define MS_INDEX_EXTENSION ".qix" + #define MS_QUERY_EXTENSION ".qy" +@@ -1482,6 +1484,7 @@ + MS_DLL_EXPORT char *msJoinStrings(char **array, int arrayLength, const char *delimeter); + MS_DLL_EXPORT char *msHashString(const char *pszStr); + MS_DLL_EXPORT char *msCommifyString(char *str); ++MS_DLL_EXPORT const char *msCaseFindSubstring(const char *haystack, const char *needle); + + #ifdef NEED_STRDUP + MS_DLL_EXPORT char *strdup(char *s); +diff -urNad mapserver-4.10.0~/mapserv.c mapserver-4.10.0/mapserv.c +--- mapserver-4.10.0~/mapserv.c 2006-08-28 21:56:53.000000000 -0400 ++++ mapserver-4.10.0/mapserv.c 2009-07-14 13:06:22.521857713 -0400 +@@ -278,8 +278,21 @@ + } else { + if(getenv(msObj->request->ParamValues[i])) /* an environment references the actual file to use */ + map = msLoadMap(getenv(msObj->request->ParamValues[i]), NULL); +- else ++ else { ++ /* by here we know the request isn't for something in an environment variable */ ++ if(getenv("MS_MAP_NO_PATH")) { ++ msSetError(MS_WEBERR, "Mapfile not found in environment variables and this server is not configured for full paths.", "loadMap()"); ++ writeError(); ++ } ++ ++ if(getenv("MS_MAP_PATTERN") && msEvalRegex(getenv("MS_MAP_PATTERN"), 
msObj->request->ParamValues[i]) != MS_TRUE) { ++ msSetError(MS_WEBERR, "Parameter 'map' value fails to validate.", "loadMap()"); ++ writeError(); ++ } ++ ++ /* ok to try to load now */ + map = msLoadMap(msObj->request->ParamValues[i], NULL); ++ } + } + + if(!map) writeError(); +@@ -415,6 +428,10 @@ + } + + if(strcasecmp(msObj->request->ParamNames[i],"id") == 0) { ++ if(msEvalRegex(IDPATTERN, msObj->request->ParamValues[i]) == MS_FALSE) { ++ msSetError(MS_WEBERR, "Parameter 'id' value fails to validate.", "loadMap()"); ++ writeError(); ++ } + strncpy(msObj->Id, msObj->request->ParamValues[i], IDSIZE); + continue; + } +@@ -1238,7 +1255,7 @@ + loadForm(); + + if(msObj->SaveMap) { +- sprintf(buffer, "%s%s%s.map", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id); ++ snprintf(buffer, sizeof(buffer), "%s%s%s.map", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id); + if(msSaveMap(msObj->Map, buffer) == -1) writeError(); + } + +diff -urNad mapserver-4.10.0~/mapstring.c mapserver-4.10.0/mapstring.c +--- mapserver-4.10.0~/mapstring.c 2006-08-16 10:05:07.000000000 -0400 ++++ mapserver-4.10.0/mapstring.c 2009-07-14 13:06:22.521857713 -0400 +@@ -933,3 +933,34 @@ + + return str; + } ++ ++/************************************************************************/ ++/* case incensitive equivalent of strstr */ ++/************************************************************************/ ++const char *msCaseFindSubstring(const char *haystack, const char *needle) ++{ ++ if ( !*needle ) ++ { ++ return haystack; ++ } ++ for ( ; *haystack; ++haystack ) ++ { ++ if ( toupper(*haystack) == toupper(*needle) ) ++ { ++ /* * Matched starting char -- loop through remaining chars. 
*/ ++ const char *h, *n; ++ for ( h = haystack, n = needle; *h && *n; ++h, ++n ) ++ { ++ if ( toupper(*h) != toupper(*n) ) ++ { ++ break; ++ } ++ } ++ if ( !*n ) /* matched all of 'needle' to null termination */ ++ { ++ return haystack; /* return the start of the match */ ++ } ++ } ++ } ++ return 0; ++} +diff -urNad mapserver-4.10.0~/maptemplate.c mapserver-4.10.0/maptemplate.c +--- mapserver-4.10.0~/maptemplate.c 2006-09-29 16:52:05.000000000 -0400 ++++ mapserver-4.10.0/maptemplate.c 2009-07-14 13:06:22.521857713 -0400 +@@ -130,6 +130,20 @@ + + char *processLine(mapservObj* msObj, char* instr, int mode); + ++static int isValidTemplate(FILE *stream, const char *filename) ++{ ++ char buffer[MS_BUFFER_LENGTH]; ++ ++ if(fgets(buffer, MS_BUFFER_LENGTH, stream) != NULL) { ++ if(!msCaseFindSubstring(buffer, MS_TEMPLATE_MAGIC_STRING)) { ++ msSetError(MS_WEBERR, "Missing magic string, %s doesn't look like a MapServer template.", "isValidTemplate()", filename); ++ return MS_FALSE; ++ } ++ } ++ ++ return MS_TRUE; ++} ++ + /* + * Redirect to (only use in CGI) + * +@@ -293,7 +307,7 @@ + img = msDrawQueryMap(msObj->Map); + if(!img) return MS_FAILURE; + +- snprintf(buffer, 1024, "%s%s%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); ++ snprintf(buffer, sizeof(buffer), "%s%s%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); + + status = msSaveImage(msObj->Map, img, buffer); + if(status != MS_SUCCESS) return status; +@@ -304,7 +318,7 @@ + { + img = msDrawLegend(msObj->Map, MS_FALSE); + if(!img) return MS_FAILURE; +- snprintf(buffer, 1024, "%s%sleg%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); ++ snprintf(buffer, sizeof(buffer), "%s%sleg%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); + status = msSaveImage(msObj->Map, img, buffer); + 
if(status != MS_SUCCESS) return status; + msFreeImage(img); +@@ -314,7 +328,7 @@ + { + img = msDrawScalebar(msObj->Map); + if(!img) return MS_FAILURE; +- snprintf(buffer, 1024, "%s%ssb%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); ++ snprintf(buffer, sizeof(buffer), "%s%ssb%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); + status = msSaveImage( msObj->Map, img, buffer); + if(status != MS_SUCCESS) return status; + msFreeImage(img); +@@ -324,7 +338,7 @@ + { + img = msDrawReferenceMap(msObj->Map); + if(!img) return MS_FAILURE; +- snprintf(buffer, 1024, "%s%sref%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); ++ snprintf(buffer, sizeof(buffer), "%s%sref%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); + status = msSaveImage(msObj->Map, img, buffer); + if(status != MS_SUCCESS) return status; + msFreeImage(img); +@@ -2446,6 +2460,11 @@ + return(NULL); + } + ++ if(isValidTemplate(stream, join->header) != MS_TRUE) { ++ fclose(stream); ++ return NULL; ++ } ++ + /* echo file to the output buffer, no substitutions */ + while(fgets(line, MS_BUFFER_LENGTH, stream) != NULL) outbuf = strcatalloc(outbuf, line); + +@@ -2455,8 +2474,13 @@ + if((stream = fopen(msBuildPath(szPath, msObj->Map->mappath, join->template), "r")) == NULL) { + msSetError(MS_IOERR, "Error while opening join template file %s.", "processOneToManyJoin()", join->template); + return(NULL); +- } ++ } + ++ if(isValidTemplate(stream, join->header) != MS_TRUE) { ++ fclose(stream); ++ return NULL; ++ } ++ + records = MS_TRUE; + } + +@@ -2471,6 +2495,7 @@ + } + + rewind(stream); ++ fgets(line, MS_BUFFER_LENGTH, stream); /* skip the first line since it's the magic string */ + } /* next record */ + + if(records==MS_TRUE && join->footer) { +@@ -2479,6 +2504,11 @@ + return(NULL); 
+ } + ++ if(isValidTemplate(stream, join->footer) != MS_TRUE) { ++ fclose(stream); ++ return NULL; ++ } ++ + /* echo file to the output buffer, no substitutions */ + while(fgets(line, MS_BUFFER_LENGTH, stream) != NULL) outbuf = strcatalloc(outbuf, line); + +@@ -3007,6 +3037,11 @@ + return MS_FAILURE; + } + ++ if(isValidTemplate(stream, html) != MS_TRUE) { ++ fclose(stream); ++ return MS_FAILURE; ++ } ++ + if (papszBuffer) + { + if ((*papszBuffer) == NULL) +@@ -3411,7 +3446,7 @@ + image = msDrawMap(msObj->Map); + + if(image) { +- sprintf(buffer, "%s%s%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); ++ snprintf(buffer, sizeof(buffer), "%s%s%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); + + if(msSaveImage(msObj->Map, image, buffer) != MS_SUCCESS && bReturnOnError) { + msFreeImage(image); +@@ -3429,7 +3464,7 @@ + imageObj *image = NULL; + image = msDrawLegend(msObj->Map, MS_FALSE); + if(image) { +- sprintf(buffer, "%s%sleg%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); ++ snprintf(buffer, sizeof(buffer), "%s%sleg%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); + + if(msSaveImage(msObj->Map, image, buffer) != MS_SUCCESS && bReturnOnError) { + msFreeImage(image); +@@ -3447,7 +3482,7 @@ + imageObj *image = NULL; + image = msDrawScalebar(msObj->Map); + if(image) { +- sprintf(buffer, "%s%ssb%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); ++ snprintf(buffer, sizeof(buffer), "%s%ssb%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); + if(msSaveImage(msObj->Map, image, buffer) != MS_SUCCESS && bReturnOnError) { + msFreeImage(image); + return MS_FALSE; +@@ -3464,7 +3499,7 @@ + imageObj *image; + image = 
msDrawReferenceMap(msObj->Map); + if(image) { +- sprintf(buffer, "%s%sref%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); ++ snprintf(buffer, sizeof(buffer), "%s%sref%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); + if(msSaveImage(msObj->Map, image, buffer) != MS_SUCCESS && bReturnOnError) { + msFreeImage(image); + return MS_FALSE; +diff -urNad mapserver-4.10.0~/maptemplate.h mapserver-4.10.0/maptemplate.h +--- mapserver-4.10.0~/maptemplate.h 2005-06-14 12:03:35.000000000 -0400 ++++ mapserver-4.10.0/maptemplate.h 2009-07-14 13:06:22.521857713 -0400 +@@ -45,7 +45,8 @@ + #include "map.h" + #include "maphash.h" + +-#define IDSIZE 128 ++#define IDPATTERN "^[0-9A-Za-z]{1,63}$" ++#define IDSIZE 64 + #define TEMPLATE_TYPE(s) (((strncmp("http://", s, 7) == 0) || (strncmp("https://", s, 8) == 0) || (strncmp("ftp://", s, 6)) == 0) ? MS_URL : MS_FILE) + #define MAXZOOM 25 + #define MINZOOM -25 Property changes on: packages/mapserver/branches/etch/4.10.0/debian/patches/82_CVE-2009-0839.dpatch ___________________________________________________________________ Added: svn:executable + * Added: packages/mapserver/branches/etch/4.10.0/debian/patches/83_CVE-2009-0840-CVE-2009-2281.dpatch =================================================================== --- packages/mapserver/branches/etch/4.10.0/debian/patches/83_CVE-2009-0840-CVE-2009-2281.dpatch (rev 0) +++ packages/mapserver/branches/etch/4.10.0/debian/patches/83_CVE-2009-0840-CVE-2009-2281.dpatch 2009-07-14 17:58:33 UTC (rev 2355) 
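Review bot: In the maptemplate.c part, the isValidTemplate call added right after `fopen(msBuildPath(szPath, msObj->Map->mappath, join->template), "r")` passes `join->header` as the file name, so a rejected join template is reported under the header file's name; it should read `if(isValidTemplate(stream, join->template) != MS_TRUE) {`. In msCaseFindSubstring (mapstring.c part), `toupper(*haystack)`, `toupper(*needle)`, `toupper(*h)` and `toupper(*n)` pass plain `char` values; where `char` is signed, a byte above 0x7F becomes a negative argument that the `<ctype.h>` functions do not accept, so cast each as `toupper((unsigned char)*haystack)`. isValidTemplate also returns MS_TRUE when `fgets` returns NULL, so an empty file or a read error passes the magic-string check; if that is not intended, return MS_FALSE there so the requirement is unconditional. The header still says `## DP: No description.`; a one-line summary of what is applied (validation of the `id` and `map` parameters, snprintf-bounded image paths, the template magic string) would help, and the same applies to the 83, 84 and 85 patches. processOneToManyJoin and the other patched functions start and end outside the embedded hunks.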
@@ -0,0 +1,88 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 83_CVE-2009-0840-CVE-2009-2281.dpatch by Alan Boudreault <aboudrea...@mapgears.com> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +...@dpatch@ +diff -urNad mapserver-4.10.0~/cgiutil.c mapserver-4.10.0/cgiutil.c +--- mapserver-4.10.0~/cgiutil.c 2006-08-28 21:56:53.000000000 -0400 ++++ mapserver-4.10.0/cgiutil.c 2009-07-14 13:08:18.430607176 -0400 +@@ -69,7 +69,8 @@ + static char *readPostBody( cgiRequestObj *request ) + { + char *data; +- int data_max, data_len, chunk_size; ++ size_t data_max, data_len; ++ int chunk_size; + + msIO_needBinaryStdin(); + +@@ -79,12 +80,19 @@ + if( getenv("CONTENT_LENGTH") != NULL ) + { + +- data_max = atoi(getenv("CONTENT_LENGTH")); ++ data_max = (size_t) atoi(getenv("CONTENT_LENGTH")); ++ /* Test for suspicious CONTENT_LENGTH (negative value or SIZE_MAX) */ ++ if( data_max >= SIZE_MAX ) ++ { ++ msIO_printf("Content-type: text/html%c%c",10,10); ++ msIO_printf("Suspicious Content-Length.\n"); ++ exit( 1 ); ++ } + data = (char *) malloc(data_max+1); + if( data == NULL ) + { + msIO_printf("Content-type: text/html%c%c",10,10); +- msIO_printf("malloc() failed, Content-Length: %d unreasonably large?\n", ++ msIO_printf("malloc() failed, Content-Length: %u unreasonably large?\n", + data_max ); + exit( 1 ); + } +@@ -101,7 +109,9 @@ + /* -------------------------------------------------------------------- */ + /* Otherwise read in chunks to the end. 
*/ + /* -------------------------------------------------------------------- */ +- data_max = 10000; ++#define DATA_ALLOC_SIZE 10000 ++ ++ data_max = DATA_ALLOC_SIZE; + data_len = 0; + data = (char *) malloc(data_max+1); + +@@ -112,13 +122,21 @@ + + if( data_len == data_max ) + { +- data_max = data_max + 10000; ++ /* Realloc buffer, making sure we check for possible size_t overflow */ ++ if ( data_max > SIZE_MAX - (DATA_ALLOC_SIZE+1) ) ++ { ++ msIO_printf("Content-type: text/html%c%c",10,10); ++ msIO_printf("Possible size_t overflow, cannot reallocate input buffer, POST body too large?\n" ); ++ exit(1); ++ } ++ ++ data_max = data_max + DATA_ALLOC_SIZE; + data = (char *) realloc(data, data_max+1); + + if( data == NULL ) + { + msIO_printf("Content-type: text/html%c%c",10,10); +- msIO_printf("out of memory trying to allocate %d input buffer, POST body too large?\n", data_max+1 ); ++ msIO_printf("out of memory trying to allocate %u input buffer, POST body too large?\n", data_max+1 ); + exit(1); + } + } +diff -urNad mapserver-4.10.0~/map.h mapserver-4.10.0/map.h +--- mapserver-4.10.0~/map.h 2006-10-04 10:54:49.000000000 -0400 ++++ mapserver-4.10.0/map.h 2009-07-14 13:08:18.430607176 -0400 +@@ -153,6 +153,7 @@ + #include <malloc.h> + #else + #include <unistd.h> ++#include <stdint.h> + #endif + + #ifndef DISABLE_CVSID Property changes on: packages/mapserver/branches/etch/4.10.0/debian/patches/83_CVE-2009-0840-CVE-2009-2281.dpatch ___________________________________________________________________ Added: svn:executable + * Added: packages/mapserver/branches/etch/4.10.0/debian/patches/84_CVE-2009-0841.dpatch =================================================================== --- packages/mapserver/branches/etch/4.10.0/debian/patches/84_CVE-2009-0841.dpatch (rev 0) +++ packages/mapserver/branches/etch/4.10.0/debian/patches/84_CVE-2009-0841.dpatch 2009-07-14 17:58:33 UTC (rev 2355) 
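Review bot: In readPostBody, `data_max = (size_t) atoi(getenv("CONTENT_LENGTH"))` followed by `if( data_max >= SIZE_MAX )` only catches a CONTENT_LENGTH of exactly -1, not the other negative values the comment says it tests for (-2 casts to SIZE_MAX-1 and reaches malloc), and atoi has no defined result for values outside the int range. Parse with strtol instead, reject when the end pointer is not at the terminator, the value is negative or errno is ERANGE, and only then cast to size_t. The two new `%u` conversions receive `size_t` arguments (`data_max` and `data_max+1`), which is a type mismatch on LP64 builds; use `%lu` with an `(unsigned long)` cast, or `%zu` if msIO_printf accepts it. The `#include <stdint.h>` in map.h is added only in the `#else` branch after `<unistd.h>`; the branch that includes `<malloc.h>` is outside the hunk, so if that build also compiles cgiutil.c, SIZE_MAX needs a definition there too.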
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 84_CVE-2009-0841.dpatch by Alan Boudreault <aboudrea...@mapgears.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+...@dpatch@
+diff -urNad mapserver-4.10.0~/mapserv.c mapserver-4.10.0/mapserv.c
+--- mapserver-4.10.0~/mapserv.c 2006-08-28 21:56:53.000000000 -0400
++++ mapserver-4.10.0/mapserv.c 2009-07-14 13:10:06.254163494 -0400
+@@ -1595,7 +1595,7 @@
+ if (msReturnTemplateQuery(msObj, msObj->Map->web.queryformat, NULL) != MS_SUCCESS) writeError();
+
+ if(msObj->SaveQuery) {
+- sprintf(buffer, "%s%s%s%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_QUERY_EXTENSION);
++ snprintf(buffer, sizeof(buffer), "%s%s%s%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_QUERY_EXTENSION);
+ if((status = msSaveQuery(msObj->Map, buffer)) != MS_SUCCESS) return status;
+ }
+ }
Property changes on: packages/mapserver/branches/etch/4.10.0/debian/patches/84_CVE-2009-0841.dpatch
___________________________________________________________________
Added: svn:executable
+ *
Added: packages/mapserver/branches/etch/4.10.0/debian/patches/85_CVE-2009-0842.dpatch
===================================================================
--- packages/mapserver/branches/etch/4.10.0/debian/patches/85_CVE-2009-0842.dpatch (rev 0)
+++ packages/mapserver/branches/etch/4.10.0/debian/patches/85_CVE-2009-0842.dpatch 2009-07-14 17:58:33 UTC (rev 2355)
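Review bot: snprintf() bounds the write but truncates silently, so an over-long imagepath/name/id combination now yields a different, truncated file name and the query is saved there without anyone noticing; check the return value, `if(snprintf(buffer, sizeof(buffer), "%s%s%s%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_QUERY_EXTENSION) >= (int) sizeof(buffer)) writeError();`, the same way the line above treats a failed msReturnTemplateQuery(). `sizeof(buffer)` is only a real bound if `buffer` is a char array; its declaration is outside the hunk, so confirm it is not a `char *`. The change also does nothing for the "relative file path" half of CVE-2009-0841: `msObj->Id` is still interpolated into the path unchecked, so if it is taken from the request's id parameter (its assignment is not visible here) an id containing `..` or `/` still steers the write outside imagepath unless it is validated where it is read, e.g. restricted to `[A-Za-z0-9_-]`. The enclosing function starts and ends outside the hunk.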
@@ -0,0 +1,126 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 85_CVE-2009-0842.dpatch by Alan Boudreault <aboudrea...@mapgears.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+...@dpatch@
+diff -urNad mapserver-4.10.0~/mapfile.c mapserver-4.10.0/mapfile.c
+--- mapserver-4.10.0~/mapfile.c 2006-08-31 22:30:15.000000000 -0400
++++ mapserver-4.10.0/mapfile.c 2009-07-14 13:11:33.301856800 -0400
+@@ -4543,6 +4543,9 @@
+ int i,j,k;
+ char szPath[MS_MAXPATHLEN], szCWDPath[MS_MAXPATHLEN];
+
++ int foundMapToken=MS_FALSE;
++ int token;
++
+ if(!filename) {
+ msSetError(MS_MISCERR, "Filename is undefined.", "msLoadMap()");
+ return(NULL);
+@@ -4592,7 +4595,14 @@
+
+ for(;;) {
+
+- switch(msyylex()) {
++
++ token = msyylex();
++
++ if(!foundMapToken && token != MAP) {
++ msSetError(MS_IDENTERR, "First token must be MAP, this doesn't look like a mapfile.", "msLoadMap()");
++ return(NULL);
++ }
++
++ switch(token) {
+
+ case(CONFIG):
+ {
+@@ -4717,7 +4727,8 @@
+ if(loadLegend(&(map->legend), map) == -1) return(NULL);
+ break;
+ case(MAP):
+- break;
++ foundMapToken = MS_TRUE;
++ break;
+ case(MAXSIZE):
+ if(getInteger(&(map->maxsize)) == -1) return(NULL);
+ break;
+diff -urNad mapserver-4.10.0~/mapsymbol.c mapserver-4.10.0/mapsymbol.c
+--- mapserver-4.10.0~/mapsymbol.c 2006-07-22 23:28:45.000000000 -0400
++++ mapserver-4.10.0/mapsymbol.c 2009-07-14 13:11:33.301856800 -0400
+@@ -632,7 +632,7 @@
+ int msLoadSymbolSet(symbolSetObj *symbolset, mapObj *map)
+ {
+ int retval = MS_FAILURE;
+-
++
+ msAcquireLock( TLOCK_PARSER );
+ retval = loadSymbolSet( symbolset, map );
+ msReleaseLock( TLOCK_PARSER );
+@@ -647,6 +647,9 @@
+ int status=1;
+ char szPath[MS_MAXPATHLEN], *pszSymbolPath=NULL;
+
++ int foundSymbolSetToken=MS_FALSE;
++ int token;
++
+ if(!symbolset) {
+ msSetError(MS_SYMERR, "Symbol structure unallocated.", "loadSymbolSet()");
+ return(-1);
+@@ -673,7 +676,15 @@
+ ** Read the symbol file
+ */
+ for(;;) {
+- 
switch(msyylex()) {
++
++ token = msyylex();
++
++ if(!foundSymbolSetToken && token != SYMBOLSET) {
++ msSetError(MS_IDENTERR, "First token must be SYMBOLSET, this doesn't look like a symbol file.", "msLoadSymbolSet()");
++ return(-1);
++ }
++
++ switch(token) {
+ case(END):
+ case(EOF):
+ status = 0;
+@@ -688,6 +699,7 @@
+ symbolset->numsymbols++;
+ break;
+ case(SYMBOLSET):
++ foundSymbolSetToken = MS_TRUE;
+ break;
+ default:
+ msSetError(MS_IDENTERR, "Parsing error near (%s):(line %d)", "loadSymbolSet()", msyytext, msyylineno);
+diff -urNad mapserver-4.10.0~/tests/symbols.txt mapserver-4.10.0/tests/symbols.txt
+--- mapserver-4.10.0~/tests/symbols.txt 2004-11-18 10:07:36.000000000 -0500
++++ mapserver-4.10.0/tests/symbols.txt 2009-07-14 13:11:33.311860683 -0400
+@@ -1,22 +1,23 @@
+-
+-SYMBOL
++SYMBOLSET
++ SYMBOL
+ NAME 'circle'
+ TYPE ellipse
+ FILLED true
+ POINTS
+ 1 1
+ END
+-END
++ END
+
+-SYMBOL
++ SYMBOL
+ NAME 'xmarks-png'
+ TYPE PIXMAP
+ IMAGE 'xmarks.png'
+-END
++ END
+
+-SYMBOL
++ SYMBOL
+ NAME 'home-png'
+ TYPE PIXMAP
+ IMAGE 'home.png'
++ END
+ END
+
Property changes on: packages/mapserver/branches/etch/4.10.0/debian/patches/85_CVE-2009-0842.dpatch
___________________________________________________________________
Added: svn:executable
+ *
Added: packages/mapserver/branches/etch/4.10.0/debian/patches/86_CVE-2009-0843.dpatch
===================================================================
--- packages/mapserver/branches/etch/4.10.0/debian/patches/86_CVE-2009-0843.dpatch (rev 0)
+++ packages/mapserver/branches/etch/4.10.0/debian/patches/86_CVE-2009-0843.dpatch 2009-07-14 17:58:33 UTC (rev 2355)
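Review bot: The new error in loadSymbolSet() is labelled `"msLoadSymbolSet()"`, but it is raised inside loadSymbolSet(), and the existing messages in that function (`"Symbol structure unallocated."` above and the `"Parsing error near"` default case below) use `"loadSymbolSet()"`; use the same label so the error names the function that raised it. Neither check says why the first token matters; in mapsymbol.c the default case visibly echoes `msyytext` in its error, so a comment such as `/* A file that does not start with SYMBOLSET is not a symbol file; stop before the parse errors below echo its contents (CVE-2009-0842). */` (with its MAP counterpart in mapfile.c) would keep the intent from being lost in a later refactor. The early `return(NULL)` / `return(-1)` take the same path as the other error returns in those switch statements, so they inherit whatever cleanup those paths do or do not do for the partly built object and the open lexer input — that code is outside the hunk. Returning early from loadSymbolSet() is fine with respect to the parser lock, since the first mapsymbol.c hunk shows msLoadSymbolSet() taking and releasing it around the call.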
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 86_CVE-2009-0843.dpatch by Alan Boudreault <aboudrea...@mapgears.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+...@dpatch@
+diff -urNad mapserver-4.10.0~/mapquery.c mapserver-4.10.0/mapquery.c
+--- mapserver-4.10.0~/mapquery.c 2006-02-01 20:00:11.000000000 -0500
++++ mapserver-4.10.0/mapquery.c 2009-07-14 13:12:34.260614243 -0400
+@@ -153,6 +153,11 @@
+ return(MS_FAILURE);
+ }
+
++ /*
++ ** Make sure the file at least has the right extension.
++ */
++ if(msEvalRegex("\\.qy$", filename) != MS_TRUE) return MS_FAILURE;
++
+ stream = fopen(filename, "rb");
+ if(!stream) {
+ msSetError(MS_IOERR, "(%s)", "msLoadQuery()", filename);
Property changes on: packages/mapserver/branches/etch/4.10.0/debian/patches/86_CVE-2009-0843.dpatch
___________________________________________________________________
Added: svn:executable
+ *
_______________________________________________
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel
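Review bot: The new extension check returns MS_FAILURE without calling msSetError(), unlike the failure path just above it and the fopen() failure below, so a caller that reports the error object after this failure shows a stale or empty message; set one that does not echo the path, e.g. `msSetError(MS_MISCERR, "Query file must have the %s extension.", "msLoadQuery()", MS_QUERY_EXTENSION);`. The suffix is also hard-coded as `"\\.qy$"` while the save side in mapserv.c (patch 84 of this upload) builds the name from `MS_QUERY_EXTENSION`; a plain suffix compare keeps the two from drifting: `len = strlen(filename); elen = strlen(MS_QUERY_EXTENSION); if(len < elen || strcmp(filename + len - elen, MS_QUERY_EXTENSION) != 0) { /* msSetError as above */ return MS_FAILURE; }`. The check only narrows the probe: any path ending in .qy, including one reached through `..`, is still opened and the MS_IOERR message below still carries the name, so if query files are always written under web.imagepath (as the mapserv.c save path suggests) requiring the resolved file to live under that directory would close the remaining existence oracle; msLoadQuery()'s signature is outside the hunk, so whether a mapObj is available here needs checking. The enclosing function starts and ends outside the hunk.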