[DebianGIS-dev] Bug#523027: [oss-security] incorrect upstream fix for CVE-2009-0840 (mapserver)
On Mon, 22 Jun 2009, Nico Golde wrote:

> I'm not sure if this should get a new CVE id but the versions in the CVE id description should be adjusted and the upstream patch revised.

This looks like even though there was a source code modification, the previous issue was not fixed at all. That is, any attack that would have worked before the fix, will still work after the fix.

However, Fedora FEDORA-2009-3383 at least claims a fix for CVE-2009-0840, so a new CVE is probably in order to signal to admins that they have another issue to handle.

Use CVE-2009-2281 for the new issue.

What versions are affected by this?

- Steve

___
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel
[DebianGIS-dev] Bug#523027: mapserver: multiple vulnerabilities
Hi,
as the incomplete fix got a new CVE id I closed this bug and opened a new one for the incomplete fix.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.
[DebianGIS-dev] Bug#523027: marked as done (mapserver: multiple vulnerabilities)
Your message dated Wed, 1 Jul 2009 19:43:20 +0200 with message-id 20090701174320.ga4...@ngolde.de and subject line closing has caused the Debian Bug report #523027, regarding mapserver: multiple vulnerabilities to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
523027: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523027
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: mapserver
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were published for mapserver.

CVE-2009-0839[0]:
| Stack-based buffer overflow in mapserv.c in mapserv in MapServer 4.x
| before 4.10.4 and 5.x before 5.2.2, when the server has a map with a
| long IMAGEPATH or NAME attribute, allows remote attackers to execute
| arbitrary code via a crafted id parameter in a query action.

CVE-2009-0840[1]:
| Heap-based buffer underflow in the readPostBody function in cgiutil.c
| in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows
| remote attackers to have an unknown impact via a negative value in the
| Content-Length HTTP header.

CVE-2009-0841[2]:
| Directory traversal vulnerability in mapserv.c in mapserv in MapServer
| 4.x before 4.10.4 and 5.x before 5.2.2, when running on Windows with
| Cygwin, allows remote attackers to create arbitrary files via a ..
| (dot dot) in the id parameter.

CVE-2009-0842[3]:
| mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows
| remote attackers to read arbitrary invalid .map files via a full
| pathname in the map parameter, which triggers the display of partial
| file contents within an error message, as demonstrated by a
| /tmp/sekrut.map symlink.

CVE-2009-0843[4]:
| The msLoadQuery function in mapserv in MapServer 4.x before 4.10.4 and
| 5.x before 5.2.2 allows remote attackers to determine the existence of
| arbitrary files via a full pathname in the queryfile parameter, which
| triggers different error messages depending on whether this pathname
| exists.

CVE-2009-1176[5]:
| mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before
| 5.2.2 does not ensure that the string holding the id parameter ends in
| a '\0' character, which allows remote attackers to conduct
| buffer-overflow attacks or have unspecified other impact via a long id
| parameter in a query action.

CVE-2009-1177[6]:
| Multiple stack-based buffer overflows in maptemplate.c in mapserv in
| MapServer 4.x before 4.10.4 and 5.x before 5.2.2 have unknown impact
| and remote attack vectors.

Please coordinate with the security team to prepare packages for the stable releases.

If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0839
    http://security-tracker.debian.net/tracker/CVE-2009-0839
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0840
    http://security-tracker.debian.net/tracker/CVE-2009-0840
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0841
    http://security-tracker.debian.net/tracker/CVE-2009-0841
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0842
    http://security-tracker.debian.net/tracker/CVE-2009-0842
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0843
    http://security-tracker.debian.net/tracker/CVE-2009-0843
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1176
    http://security-tracker.debian.net/tracker/CVE-2009-1176
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1177
    http://security-tracker.debian.net/tracker/CVE-2009-1177
---End Message---
---BeginMessage---
Version: 5.2.2-1
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.
---End Message---
[DebianGIS-dev] Bug#535340: mapserver: heap-based buffer overflow because due to integer overflow in content-length handling
Package: mapserver
Severity: grave
Tags: security
Justification: user security hole

Hi,
As described in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523027#14 the fix for CVE-2009-0840 was not correct. A new CVE id got assigned to this: CVE-2009-2281. Please reference it in the changelog if you fix this bug.

Cheers
Nico
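Both CVE-2009-0840 and its follow-up concern a Content-Length value reaching size arithmetic without adequate checks. The C code below is an added example, not MapServer's code and not the upstream patch; the function names and the 8 MiB cap are assumptions made for the illustration. It contrasts a naive conversion with a parser that validates the header before any size is computed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap for this example; not a MapServer setting. */
#define MAX_POST_BODY (8LL * 1024 * 1024)

/* Naive pattern: the header value goes straight into size arithmetic.
 * "-1" converts to SIZE_MAX, and adding 1 for the NUL wraps to 0. */
size_t naive_alloc_size(const char *hdr)
{
    int len = atoi(hdr);
    return (size_t)len + 1;
}

/* Hardened pattern: digits only, range-checked before any size math.
 * Returns 0 and stores the length in *out, or -1 if rejected. */
int parse_content_length(const char *hdr, size_t *out)
{
    char *end;
    long long v;

    if (hdr == NULL || hdr[0] < '0' || hdr[0] > '9')
        return -1;                 /* empty, signed or padded value */
    errno = 0;
    v = strtoll(hdr, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                 /* out of range or trailing junk */
    if (v > MAX_POST_BODY)
        return -1;                 /* larger than the body we accept */
    *out = (size_t)v;              /* v + 1 cannot wrap below the cap */
    return 0;
}

int main(void)
{
    /* Constructed sample header values. */
    const char *samples[] = { "1024", "-1", "4294967295", "12abc" };
    size_t i, n;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (parse_content_length(samples[i], &n) == 0)
            printf("%-12s accepted, allocate %zu bytes\n", samples[i], n + 1);
        else
            printf("%-12s rejected\n", samples[i]);
    }
    printf("naive size for \"-1\": %zu\n", naive_alloc_size("-1"));
    return 0;
}
```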
[DebianGIS-dev] Bug#523027: [oss-security] incorrect upstream fix for CVE-2009-0840 (mapserver)
Hi,
* Steven M. Christey co...@linus.mitre.org [2009-07-01 13:43]:
> On Mon, 22 Jun 2009, Nico Golde wrote:
> > I'm not sure if this should get a new CVE id but the versions in the CVE id description should be adjusted and the upstream patch revised.
>
> This looks like even though there was a source code modification, the previous issue was not fixed at all. That is, any attack that would have worked before the fix, will still work after the fix.
>
> However, Fedora FEDORA-2009-3383 at least claims a fix for CVE-2009-0840, so a new CVE is probably in order to signal to admins that they have another issue to handle.
>
> Use CVE-2009-2281 for the new issue.
>
> What versions are affected by this?

Should be every currently available release, I'm currently working with upstream on a better fix.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.
[DebianGIS-dev] Bug#535221: Bug#535221: osm2pgsql: consider including 900913.sql in the package?
Hello,

On Jun 30 22:57, Timo Juhani Lindfors wrote:
> Package: osm2pgsql
> Version: 0.66.20090526-1
> Severity: wishlist
>
> http://wiki.openstreetmap.org/wiki/Mapnik instructs that I should import some 900913.sql which is included with osm2pgsql. However, the debian package contains no such file. Any idea how essential this is? I see the file in the source package, maybe it should be included in the binary package as well?

You are right, that file should be there because standard postgis does not contain this projection and I guess it would give weird results with mapnik. I will add this file as an example in /usr/share/doc/osm2pgsql/examples/.

In case you have not already extracted it from the source package, here is the content until the updated package is available.

INSERT INTO spatial_ref_sys (srid, auth_name, auth_srid, srtext, proj4text)VALUES (900913,'EPSG',900913,'PROJCS[WGS84 / Simple Mercator,GEOGCS[WGS 84,DATUM[WGS_1984,SPHEROID[WGS_1984, 6378137.0, 298.257223563]],PRIMEM[Greenwich, 0.0],UNIT[degree, 0.017453292519943295],AXIS[Longitude, EAST],AXIS[Latitude, NORTH]],PROJECTION[Mercator_1SP_Google],PARAMETER[latitude_of_origin, 0.0],PARAMETER[central_meridian, 0.0],PARAMETER[scale_factor, 1.0],PARAMETER[false_easting, 0.0],PARAMETER[false_northing, 0.0],UNIT[m, 1.0],AXIS[x, EAST],AXIS[y, NORTH],AUTHORITY[EPSG,900913]]','+proj=merc +a=6378137 +b=6378137 +lat_ts=0.0 +lon_0=0.0 +x_0=0.0 +y_0=0 +k=1.0 +units=m +nadgri...@null +no_defs');

> The wiki page links to http://wiki.openstreetmap.org/wiki/Osm2pgsql which says that osm2pgsql can be installed with apt-get. So if user should get 900913.sql via some other means than apt-get I think we should document that in the wiki. (Yes I know bugs.debian.org is not for bugs in the openstreetmap wiki but...).

900913.sql is not essential for osm2pgsql to work, but it's still a bug that it is missing from the package. So thanks for reporting it here so that we can fix the package instead of 'reporting' it to the OSM wiki :)

Regards,
Andreas
[DebianGIS-dev] r2333 - packages/osm2pgsql/trunk/debian
Author: nd-guest Date: 2009-07-01 19:35:54 + (Wed, 01 Jul 2009) New Revision: 2333 Added: packages/osm2pgsql/trunk/debian/examples Modified: packages/osm2pgsql/trunk/debian/changelog packages/osm2pgsql/trunk/debian/rules Log: add 900913.sql, #535221 Modified: packages/osm2pgsql/trunk/debian/changelog === --- packages/osm2pgsql/trunk/debian/changelog 2009-06-26 14:17:24 UTC (rev 2332) +++ packages/osm2pgsql/trunk/debian/changelog 2009-07-01 19:35:54 UTC (rev 2333) @@ -1,3 +1,10 @@ +osm2pgsql (0.66.20090526-2) UNRELEASED; urgency=low + + * NOT RELEASED YET + * Added 900913.sql, containing EPSG:900913 for postgis, as example. + + -- Andreas Putzo andr...@putzo.net Wed, 01 Jul 2009 19:33:44 + + osm2pgsql (0.66.20090526-1) unstable; urgency=low * New upstream svn snapshot. (Closes: #532145) Added: packages/osm2pgsql/trunk/debian/examples === --- packages/osm2pgsql/trunk/debian/examples(rev 0) +++ packages/osm2pgsql/trunk/debian/examples2009-07-01 19:35:54 UTC (rev 2333) @@ -0,0 +1 @@ +900913.sql Modified: packages/osm2pgsql/trunk/debian/rules === --- packages/osm2pgsql/trunk/debian/rules 2009-06-26 14:17:24 UTC (rev 2332) +++ packages/osm2pgsql/trunk/debian/rules 2009-07-01 19:35:54 UTC (rev 2333) @@ -68,6 +68,7 @@ dh_testroot dh_installchangelogs dh_installdocs + dh_installexamples dh_install dh_installman dh_link ___ Pkg-grass-devel mailing list Pkg-grass-devel@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel
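Review bot: The new debian/changelog entry for 0.66.20090526-2 carries no bug-closing tag, although the commit log names #535221 and the previous entry uses the "(Closes: #532145)" form. Appending "(Closes: #535221)" to the "Added 900913.sql" line would close the report automatically once the package is uploaded.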
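Review bot: In the new debian/examples file the single entry "900913.sql" is a bare file name, which dh_installexamples resolves relative to the top of the source tree, and none of the visible hunks show where that file sits in the upstream source. It is worth confirming the file is at the top level; if it lives in a subdirectory the entry needs the relative path, otherwise the build fails at the added dh_installexamples step in debian/rules.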
[DebianGIS-dev] Bug#535221: Bug#535221: osm2pgsql: consider including 900913.sql in the package?
Hi,

Andreas Putzo andr...@putzo.net writes:
> it would give weird results with mapnik. I will add this file as an example in /usr/share/doc/osm2pgsql/examples/.

Thanks, I'll probably get a notification when this hits unstable and I can add this info to the wiki?

Btw, is debian's mapnik/osm2pgsql generally up-to-date enough to render openstreetmap tiles? I'm having hard time trying to judge this from the wiki since http://wiki.openstreetmap.org/wiki/Osm2pgsql just has a vague warning

  Be warned: the packages might be old. If you see rendering artifacts, try compiling osm2pgsql from source.

without telling which exact versions of mapnik and osm2pgsql work together.

My personal need to run mapnik currently only involves rendering a city with custom styles and updating it with hourly diffs from a cronjob. It would be terrific if the debian package came with a tested and known-to-work script to setup rendering of some test city automatically :-) (hint, hint)

As a bonus, you could use this to test that the shipped versions of osm2pgsql and mapnik work together well.

best regards,
Timo Lindfors
[DebianGIS-dev] Bug#535221: Bug#535221: osm2pgsql: consider including 900913.sql in the package?
On Jul 01 23:06, Timo Juhani Lindfors wrote:
> Hi,
>
> Andreas Putzo andr...@putzo.net writes:
> > it would give weird results with mapnik. I will add this file as an example in /usr/share/doc/osm2pgsql/examples/.
>
> Thanks, I'll probably get a notification when this hits unstable and I can add this info to the wiki?

Yes.

> Btw, is debian's mapnik/osm2pgsql generally up-to-date enough to render openstreetmap tiles? I'm having hard time trying to judge this from the wiki since http://wiki.openstreetmap.org/wiki/Osm2pgsql just has a vague warning
>
>   Be warned: the packages might be old. If you see rendering artifacts, try compiling osm2pgsql from source.
>
> without telling which exact versions of mapnik and osm2pgsql work together.

The statement is a bit vague but generally not false. Debian/stable is supposed to only receive security updates and important bugfixes so that version might become outdated over time. I'm going to provide backported packages for stable users on backports.org, but this still needs to be done. testing and unstable should contain a more or less up-to-date version but this again depends on manpower to ensure a properly tested package.

Perhaps it's a good idea to link the package page so that people can judge whether that version is sufficient? (And if not, bug reports are of course welcome :)
http://packages.qa.debian.org/o/osm2pgsql.html

> My personal need to run mapnik currently only involves rendering a city with custom styles and updating it with hourly diffs from a cronjob. It would be terrific if the debian package came with a tested and known-to-work script to setup rendering of some test city automatically :-) (hint, hint)
>
> As a bonus, you could use this to test that the shipped versions of osm2pgsql and mapnik work together well.

This might become difficult since everybody uses a different setup, but something like an example script that can easily be adjusted sounds like a good idea.

Regards,
Andreas
[DebianGIS-dev] Processed: Re: Bug#535173: crash when opening preferences
Processing commands for cont...@bugs.debian.org:

> tag 535173 + unreproducible
Bug#535173: crash when opening preferences
There were no tags set.
Tags added: unreproducible

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
[DebianGIS-dev] Bug#535173: Bug#535173: crash when opening preferences
tag 535173 + unreproducible
thanks

Hi,

On Jun 30 14:47, Michal Čihař wrote:
> When trying to open preferences, I got following exception:
>
> Manifest-Version: 1.0
> Ant-Version: Apache Ant 1.7.0
> Created-By: 14.0-b10 (Sun Microsystems Inc.)
> Main-class: JOSM
> Main-Version: 1529 SVN
> Main-Date: 2009-04-16T17:26:54.307895Z
> Debian-Release: 0.0.svn1529-1
> Class-Path: /usr/share/java/gettext-commons.jar /usr/share/java/metadata-extractor.jar
> Java version: 1.6.0_14
> java.lang.NullPointerException
>     at sun.font.TrueTypeGlyphMapper.init(TrueTypeGlyphMapper.java:44)
>     at sun.font.TrueTypeFont.getMapper(TrueTypeFont.java:1235)
>     at sun.font.FileFontStrike.init(FileFontStrike.java:151)
>     at sun.font.FileFont.createStrike(FileFont.java:76)
>     at sun.font.Font2D.getStrike(Font2D.java:331)
>     at sun.font.Font2D.getStrike(Font2D.java:262)
> [...]

so far I failed to reproduce the problem. I tried with

LANG=cs_CZ.UTF-8 JAVACMD=/usr/lib/jvm/java-6-sun/bin/java josm

and can open preferences without a problem. Maybe there is a font package missing or something? I will try in a stripped down environment tomorrow to see if I can catch the error.

Regards,
Andreas