The following commit has been merged in the squeeze branch:
commit f59daafb0c6119122e67399fa0b80cb859a08de8
Author: Bas Couwenberg <sebas...@xs4all.nl>
Date:   Wed Jan 8 22:47:54 2014 +0100

    Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the 
msPostGISLayerSetTimeFilter function in mappostgis.c. (closes: #734565)

diff --git a/debian/changelog b/debian/changelog
index 0adb3f8..a4eb6e0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+mapserver (5.6.5-2+squeeze3) squeeze-security; urgency=high
+
+  * Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the
+    msPostGISLayerSetTimeFilter function in mappostgis.c.
+    (closes: #734565)
+
+ -- Bas Couwenberg <sebas...@xs4all.nl>  Wed, 08 Jan 2014 22:44:27 +0100
+
 mapserver (5.6.5-2+squeeze2) stable-security; urgency=high
 
   * Fix possible SQL injection in WFS (CVE-2011-2703).
diff --git a/debian/control b/debian/control
index 4797405..5835852 100644
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: mapserver
 Section: devel
 Priority: optional
 Maintainer: Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>
-Uploaders: Francesco Paolo Lovergine <fran...@debian.org>, Alan Boudreault 
<aboudrea...@mapgears.com>
+Uploaders: Francesco Paolo Lovergine <fran...@debian.org>, Alan Boudreault 
<aboudrea...@mapgears.com>, Bas Couwenberg <sebas...@xs4all.nl>
 Standards-Version: 3.9.0
 Build-Depends: debhelper (>= 7), dpatch, libcurl4-gnutls-dev, libpng12-dev, 
zlib1g-dev (>= 1.1.4),
  libgd2-xpm-dev (>= 2.0.1-10), libfreetype6-dev (>= 2.0.9), libjpeg62-dev, 
libgdal1-dev (>=1.4.0), libproj-dev,
diff --git a/debian/patches/00list b/debian/patches/00list
index 318b8fe..e2f8dee 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -1,2 +1,3 @@
 symbol_index_overflow
 01_wfs_sql_injection
+cve-2013-7262
diff --git a/debian/patches/cve-2013-7262.dpatch 
b/debian/patches/cve-2013-7262.dpatch
new file mode 100644
index 0000000..4353a7e
--- /dev/null
+++ b/debian/patches/cve-2013-7262.dpatch
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## cve-2013-7262.dpatch by Bas Couwenberg <sebas...@xs4all.nl>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' 
'--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' 
mapserver~/mappostgis.c mapserver/mappostgis.c
+--- mapserver~/mappostgis.c    2014-01-08 22:42:12.000000000 +0100
++++ mapserver/mappostgis.c     2014-01-08 22:42:18.000000000 +0100
+@@ -2153,6 +2153,11 @@
+     if (!lp || !timestring || !timefield)
+       return MS_FALSE;
+ 
++    if( strchr(timestring,'\'') || strchr(timestring, '\\') ) {
++       msSetError(MS_MISCERR, "Invalid time filter.", 
"msPostGISLayerSetTimeFilter()");
++       return MS_FALSE;
++    }
++
+     if (strstr(timestring, ",") == NULL && 
+         strstr(timestring, "/") == NULL) /* discrete time */
+       tmpstimestring = strdup(timestring);
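Review bot: The added guard in msPostGISLayerSetTimeFilter is a two-character denylist (`'` and `\`), so it is only sufficient if every later use of timestring sits inside a single-quoted SQL literal. That cannot be confirmed here, because the function body continues past the end of this hunk. A time filter has a small legal alphabet, so an allowlist would be tighter and independent of quoting context, for example `if (strspn(timestring, "0123456789-:.TZ+,/ ") != strlen(timestring))`, with the exact character set checked against the time formats MapServer accepts. The guard would also benefit from a why-comment such as `/* CVE-2013-7262: reject characters that could break out of a quoted SQL literal */`. The dpatch header still reads `## DP: No description.`; something like `## DP: Reject quote and backslash in the PostGIS time filter (CVE-2013-7262, closes: #734565).` would keep the patch list self-explanatory.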

-- 
Packaging for MapServer
