Author: aboudreault-guest Date: 2009-06-15 13:46:54 +0000 (Mon, 15 Jun 2009) New Revision: 2286
Added: packages/mapserver/branches/lenny/debian/patches/01_CVE-2009-0839.dpatch packages/mapserver/branches/lenny/debian/patches/02_CVE-2009-0840.dpatch packages/mapserver/branches/lenny/debian/patches/03_CVE-2009-0841.dpatch packages/mapserver/branches/lenny/debian/patches/04_CVE-2009-0842.dpatch packages/mapserver/branches/lenny/debian/patches/05_CVE-2009-0843.dpatch Modified: packages/mapserver/branches/lenny/debian/changelog packages/mapserver/branches/lenny/debian/patches/00list Log: Adding patches for several vulnerabilities
Modified: packages/mapserver/branches/lenny/debian/changelog
===================================================================
--- packages/mapserver/branches/lenny/debian/changelog 2009-06-15 13:20:24 UTC (rev 2285)
+++ packages/mapserver/branches/lenny/debian/changelog 2009-06-15 13:46:54 UTC (rev 2286)
@@ -1,3 +1,13 @@
+mapserver (5.0.3-3+lenny1) stable-security; urgency=high
+
+ * Fix stack-based buffer overflow (CVE-2009-0839).
+ * Fix heap-based buffer underflow (CVE-2009-0840).
+ * Fix relative file path writing (CVE-2009-0841).
+ * Fix file data leakage (CVE-2009-0842).
+ * Fix file existence leakage (CVE-2009-0843).
+
+ -- Alan Boudreault <aboudrea...@mapgears.com> Thu, 04 Jun 2009 13:49:50 -0400
+
 mapserver (5.0.3-3) unstable; urgency=low
 
 * Updated sv.po template.
Modified: packages/mapserver/branches/lenny/debian/patches/00list
===================================================================
--- packages/mapserver/branches/lenny/debian/patches/00list 2009-06-15 13:20:24 UTC (rev 2285)
+++ packages/mapserver/branches/lenny/debian/patches/00list 2009-06-15 13:46:54 UTC (rev 2286)
@@ -1,3 +1,8 @@
 50_clean
 70_ptrreturn
 80_gdal_lib
+01_CVE-2009-0839
+02_CVE-2009-0840
+03_CVE-2009-0841
+04_CVE-2009-0842
+05_CVE-2009-0843
Added: packages/mapserver/branches/lenny/debian/patches/01_CVE-2009-0839.dpatch
===================================================================
--- packages/mapserver/branches/lenny/debian/patches/01_CVE-2009-0839.dpatch (rev 0)
+++ packages/mapserver/branches/lenny/debian/patches/01_CVE-2009-0839.dpatch 2009-06-15 13:46:54 UTC (rev 2286)
@@ -0,0 +1,189 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 01_CVE-2009-0839.dpatch by Alan Boudreault <aboudrea...@mapgears.com> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +...@dpatch@ +diff -urNad mapserver-5.0.3~/mapserv.c mapserver-5.0.3/mapserv.c +--- mapserver-5.0.3~/mapserv.c 2007-09-10 09:51:19.000000000 -0400 ++++ mapserver-5.0.3/mapserv.c 2009-06-08 13:33:31.870603634 -0400 +@@ -197,10 +197,23 @@ + } else { + if(getenv(msObj->request->ParamValues[i])) /* an environment references the actual file to use */ + map = msLoadMap(getenv(msObj->request->ParamValues[i]), NULL); +- else ++ else { ++ /* by here we know the request isn't for something in an environment variable */ ++ if(getenv("MS_MAP_NO_PATH")) { ++ msSetError(MS_WEBERR, "Mapfile not found in environment variables and this server is not configured for full paths.", "loadMap()"); ++ writeError(); ++ } ++ ++ if(getenv("MS_MAP_PATTERN") && msEvalRegex(getenv("MS_MAP_PATTERN"), msObj->request->ParamValues[i]) != MS_TRUE) { ++ msSetError(MS_WEBERR, "Parameter 'map' value fails to validate.", "loadMap()"); ++ writeError(); ++ } ++ ++ /* ok to try to load now */ + map = msLoadMap(msObj->request->ParamValues[i], NULL); ++ } + } +- ++ + if(!map) writeError(); + + /* check for any %variable% substitutions here, also do any map_ changes, we do this here so WMS/WFS */ +@@ -357,6 +370,10 @@ + } + + if(strcasecmp(msObj->request->ParamNames[i],"id") == 0) { ++ if(msEvalRegex(IDPATTERN, msObj->request->ParamValues[i]) == MS_FALSE) { ++ msSetError(MS_WEBERR, "Parameter 'id' value fails to validate.", "loadMap()"); ++ writeError(); ++ } + strncpy(msObj->Id, msObj->request->ParamValues[i], IDSIZE); + continue; + } +@@ -1207,7 +1224,7 @@ + loadForm(); + + if(msObj->SaveMap) { +- sprintf(buffer, "%s%s%s.map", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id); ++ snprintf(buffer, sizeof(buffer), "%s%s%s.map", msObj->Map->web.imagepath, msObj->Map->name, 
msObj->Id); + if(msSaveMap(msObj->Map, buffer) == -1) writeError(); + } + +diff -urNad mapserver-5.0.3~/mapserver.h mapserver-5.0.3/mapserver.h +--- mapserver-5.0.3~/mapserver.h 2008-06-04 15:43:45.000000000 -0400 ++++ mapserver-5.0.3/mapserver.h 2009-06-08 13:33:31.870603634 -0400 +@@ -150,7 +150,9 @@ + /* General defines, not wrapable */ + #ifndef SWIG + #define MS_DEFAULT_MAPFILE_PATTERN "\\.map$" +-#define MS_TEMPLATE_EXPR "\\.(jsp|asp|cfm|xml|wml|html|htm|shtml|phtml|php|svg)$" ++ ++#define MS_TEMPLATE_MAGIC_STRING "MapServer Template" ++#define MS_TEMPLATE_EXPR "\\.(xml|wml|html|htm|svg|kml|gml|js|tmpl)$" + + #define MS_INDEX_EXTENSION ".qix" + #define MS_QUERY_EXTENSION ".qy" +diff -urNad mapserver-5.0.3~/maptemplate.c mapserver-5.0.3/maptemplate.c +--- mapserver-5.0.3~/maptemplate.c 2007-08-24 14:22:05.000000000 -0400 ++++ mapserver-5.0.3/maptemplate.c 2009-06-08 13:33:31.870603634 -0400 +@@ -40,6 +40,20 @@ + + char *processLine(mapservObj* msObj, char* instr, int mode); + ++static int isValidTemplate(FILE *stream, const char *filename) ++{ ++ char buffer[MS_BUFFER_LENGTH]; ++ ++ if(fgets(buffer, MS_BUFFER_LENGTH, stream) != NULL) { ++ if(!msCaseFindSubstring(buffer, MS_TEMPLATE_MAGIC_STRING)) { ++ msSetError(MS_WEBERR, "Missing magic string, %s doesn't look like a MapServer template.", "isValidTemplate()", filename); ++ return MS_FALSE; ++ } ++ } ++ ++ return MS_TRUE; ++} ++ + /* + * Redirect to (only use in CGI) + * +@@ -200,7 +214,7 @@ + img = msDrawMap(msObj->Map, MS_TRUE); + if(!img) return MS_FAILURE; + +- snprintf(buffer, 1024, "%s%s%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); ++ snprintf(buffer, sizeof(buffer), "%s%s%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); + + status = msSaveImage(msObj->Map, img, buffer); + if(status != MS_SUCCESS) return status; +@@ -211,7 +225,7 @@ + { + img = msDrawLegend(msObj->Map, MS_FALSE); 
+ if(!img) return MS_FAILURE; +- snprintf(buffer, 1024, "%s%sleg%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); ++ snprintf(buffer, sizeof(buffer), "%s%sleg%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); + status = msSaveImage(msObj->Map, img, buffer); + if(status != MS_SUCCESS) return status; + msFreeImage(img); +@@ -221,7 +235,7 @@ + { + img = msDrawScalebar(msObj->Map); + if(!img) return MS_FAILURE; +- snprintf(buffer, 1024, "%s%ssb%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); ++ snprintf(buffer, sizeof(buffer), "%s%ssb%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); + status = msSaveImage( msObj->Map, img, buffer); + if(status != MS_SUCCESS) return status; + msFreeImage(img); +@@ -231,7 +245,7 @@ + { + img = msDrawReferenceMap(msObj->Map); + if(!img) return MS_FAILURE; +- snprintf(buffer, 1024, "%s%sref%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); ++ snprintf(buffer, sizeof(buffer), "%s%sref%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat)); + status = msSaveImage(msObj->Map, img, buffer); + if(status != MS_SUCCESS) return status; + msFreeImage(img); +@@ -2392,6 +2406,11 @@ + return(NULL); + } + ++ if(isValidTemplate(stream, join->header) != MS_TRUE) { ++ fclose(stream); ++ return NULL; ++ } ++ + /* echo file to the output buffer, no substitutions */ + while(fgets(line, MS_BUFFER_LENGTH, stream) != NULL) outbuf = msStringConcatenate(outbuf, line); + +@@ -2402,7 +2421,12 @@ + msSetError(MS_IOERR, "Error while opening join template file %s.", "processOneToManyJoin()", join->template); + return(NULL); + } +- ++ ++ if(isValidTemplate(stream, join->template) != MS_TRUE) { ++ fclose(stream); ++ 
return NULL; ++ } ++ + records = MS_TRUE; + } + +@@ -2417,6 +2441,7 @@ + } + + rewind(stream); ++ fgets(line, MS_BUFFER_LENGTH, stream); /* skip the first line since it's the magic string */ + } /* next record */ + + if(records==MS_TRUE && join->footer) { +@@ -2425,6 +2450,11 @@ + return(NULL); + } + ++ if(isValidTemplate(stream, join->footer) != MS_TRUE) { ++ fclose(stream); ++ return NULL; ++ } ++ + /* echo file to the output buffer, no substitutions */ + while(fgets(line, MS_BUFFER_LENGTH, stream) != NULL) outbuf = msStringConcatenate(outbuf, line); + +diff -urNad mapserver-5.0.3~/maptemplate.h mapserver-5.0.3/maptemplate.h +--- mapserver-5.0.3~/maptemplate.h 2007-08-30 09:52:07.000000000 -0400 ++++ mapserver-5.0.3/maptemplate.h 2009-06-08 13:33:31.860604977 -0400 +@@ -33,7 +33,8 @@ + #include "mapserver.h" + #include "maphash.h" + +-#define IDSIZE 128 ++#define IDPATTERN "^[0-9A-Za-z]{1,63}$" ++#define IDSIZE 64 + #define TEMPLATE_TYPE(s) (((strncmp("http://", s, 7) == 0) || (strncmp("https://", s, 8) == 0) || (strncmp("ftp://", s, 6)) == 0) ? MS_URL : MS_FILE) + #define MAXZOOM 25 + #define MINZOOM -25 Property changes on: packages/mapserver/branches/lenny/debian/patches/01_CVE-2009-0839.dpatch ___________________________________________________________________ Added: svn:executable + * Added: packages/mapserver/branches/lenny/debian/patches/02_CVE-2009-0840.dpatch =================================================================== --- packages/mapserver/branches/lenny/debian/patches/02_CVE-2009-0840.dpatch (rev 0) +++ packages/mapserver/branches/lenny/debian/patches/02_CVE-2009-0840.dpatch 2009-06-15 13:46:54 UTC (rev 2286) 
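Review bot: `isValidTemplate()` in the maptemplate.c part of this dpatch returns MS_TRUE when `fgets()` returns NULL, so an empty or unreadable file passes the magic-string gate that the header, template and footer paths now depend on; the NULL case should fail like the missing-magic case, e.g. `if(fgets(buffer, MS_BUFFER_LENGTH, stream) == NULL) { msSetError(MS_WEBERR, "Empty template file %s.", "isValidTemplate()", filename); return MS_FALSE; }`. In mapserv.c the `id` check tests `msEvalRegex(...) == MS_FALSE` while the `map` check tests `!= MS_TRUE`; if msEvalRegex can report a compile or match error with a third value, only the `!= MS_TRUE` form rejects it, so the two should agree. The `MS_MAP_NO_PATH` branch falls through to the pattern check and `msLoadMap()` after `writeError()`, which is only correct if writeError() never returns; that function is outside the hunk, so a comment stating the assumption would help the next reader. The added `fgets(line, MS_BUFFER_LENGTH, stream);` after `rewind()` ignores its result and consumes at most MS_BUFFER_LENGTH-1 characters, so a magic-string line longer than that would have its remainder echoed as template content.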
@@ -0,0 +1,38 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 02_CVE-2009-0840.dpatch by Alan Boudreault <aboudrea...@mapgears.com> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +...@dpatch@ +diff -urNad mapserver-5.0.3~/cgiutil.c mapserver-5.0.3/cgiutil.c +--- mapserver-5.0.3~/cgiutil.c 2007-08-31 17:40:06.000000000 -0400 ++++ mapserver-5.0.3/cgiutil.c 2009-06-08 13:34:21.651859515 -0400 +@@ -41,7 +41,8 @@ + static char *readPostBody( cgiRequestObj *request ) + { + char *data; +- int data_max, data_len, chunk_size; ++ unsigned int data_max, data_len; ++ int chunk_size; + + msIO_needBinaryStdin(); + +@@ -53,7 +54,7 @@ + data = (char *) malloc(data_max+1); + if( data == NULL ) { + msIO_printf("Content-type: text/html%c%c",10,10); +- msIO_printf("malloc() failed, Content-Length: %d unreasonably large?\n", data_max ); ++ msIO_printf("malloc() failed, Content-Length: %u unreasonably large?\n", data_max ); + exit( 1 ); + } + +@@ -83,7 +84,7 @@ + + if( data == NULL ) { + msIO_printf("Content-type: text/html%c%c",10,10); +- msIO_printf("out of memory trying to allocate %d input buffer, POST body too large?\n", data_max+1 ); ++ msIO_printf("out of memory trying to allocate %u input buffer, POST body too large?\n", data_max+1 ); + exit(1); + } + } Property changes on: packages/mapserver/branches/lenny/debian/patches/02_CVE-2009-0840.dpatch ___________________________________________________________________ Added: svn:executable + * Added: packages/mapserver/branches/lenny/debian/patches/03_CVE-2009-0841.dpatch =================================================================== --- packages/mapserver/branches/lenny/debian/patches/03_CVE-2009-0841.dpatch (rev 0) +++ packages/mapserver/branches/lenny/debian/patches/03_CVE-2009-0841.dpatch 2009-06-15 13:46:54 UTC (rev 2286) 
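Review bot: Making `data_max` unsigned removes the negative-length path, but `malloc(data_max+1)` still wraps to `malloc(0)` when data_max is UINT_MAX, and the POST body is then written into a zero-size allocation; the value should be bounded before the allocation, e.g. `if(data_max >= UINT_MAX) { /* reject: Content-Length out of range */ }` or, better, an explicit application maximum. Where data_max is read from Content-Length is outside the hunk (readPostBody continues beyond it), so the parse path needs the same range check. `chunk_size` stays `int` while `data_len` and `data_max` are now unsigned, so any comparison between them in the read loop below the hunk is a mixed signed/unsigned comparison; compiling with `-Wsign-compare` would show whether that changes a result.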
@@ -0,0 +1,19 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 03_CVE-2009-0841.dpatch by Alan Boudreault <aboudrea...@mapgears.com> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +...@dpatch@ +diff -urNad mapserver-5.0.3~/mapserv.c mapserver-5.0.3/mapserv.c +--- mapserver-5.0.3~/mapserv.c 2007-09-10 09:51:19.000000000 -0400 ++++ mapserver-5.0.3/mapserv.c 2009-06-08 13:35:11.130609480 -0400 +@@ -1585,7 +1585,7 @@ + if(msReturnTemplateQuery(msObj, msObj->Map->web.queryformat, NULL) != MS_SUCCESS) writeError(); + + if(msObj->SaveQuery) { +- sprintf(buffer, "%s%s%s%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_QUERY_EXTENSION); ++ snprintf(buffer, sizeof(buffer), "%s%s%s%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_QUERY_EXTENSION); + if((status = msSaveQuery(msObj->Map, buffer)) != MS_SUCCESS) return status; + } + } Property changes on: packages/mapserver/branches/lenny/debian/patches/03_CVE-2009-0841.dpatch ___________________________________________________________________ Added: svn:executable + * Added: packages/mapserver/branches/lenny/debian/patches/04_CVE-2009-0842.dpatch =================================================================== --- packages/mapserver/branches/lenny/debian/patches/04_CVE-2009-0842.dpatch (rev 0) +++ packages/mapserver/branches/lenny/debian/patches/04_CVE-2009-0842.dpatch 2009-06-15 13:46:54 UTC (rev 2286) 
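Review bot: The `snprintf` return value in the SaveQuery path is not checked, so an over-long `imagepath`/`name`/`Id` combination silently truncates the file name and `msSaveQuery()` writes to a path other than the intended one; check it: `int n = snprintf(buffer, sizeof(buffer), "%s%s%s%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_QUERY_EXTENSION); if(n < 0 || (size_t)n >= sizeof(buffer)) writeError();`. `sizeof(buffer)` is the buffer size only if `buffer` is declared as an array in this function, and that declaration is outside the hunk. This change alone only bounds the write; the relative-path concern named in the CVE title rests on `msObj->Id` being validated against IDPATTERN in 01_CVE-2009-0839.dpatch, so this patch should not be applied without that one.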
@@ -0,0 +1,120 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 04_CVE-2009-0842.dpatch by Alan Boudreault <aboudrea...@mapgears.com> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +...@dpatch@ +diff -urNad mapserver-5.0.3~/mapfile.c mapserver-5.0.3/mapfile.c +--- mapserver-5.0.3~/mapfile.c 2008-01-20 11:11:29.000000000 -0500 ++++ mapserver-5.0.3/mapfile.c 2009-06-08 13:35:53.641855604 -0400 +@@ -4228,10 +4228,20 @@ + static int loadMapInternal(mapObj *map) + { + int i,j,k; ++ int foundMapToken=MS_FALSE; ++ int token; + + for(;;) { + +- switch(msyylex()) { ++ token = msyylex(); ++ ++ if(!foundMapToken && token != MAP) { ++ msSetError(MS_IDENTERR, "First token must be MAP, this doesn't look like a mapfile.", "msLoadMap()"); ++ return(MS_FAILURE); ++ } ++ ++ switch(token) { ++ + + case(CONFIG): + { +@@ -4358,6 +4368,7 @@ + if(loadLegend(&(map->legend), map) == -1) return MS_FAILURE; + break; + case(MAP): ++ foundMapToken = MS_TRUE; + break; + case(MAXSIZE): + if(getInteger(&(map->maxsize)) == -1) return MS_FAILURE; +diff -urNad mapserver-5.0.3~/mapsymbol.c mapserver-5.0.3/mapsymbol.c +--- mapserver-5.0.3~/mapsymbol.c 2007-11-08 10:19:29.000000000 -0500 ++++ mapserver-5.0.3/mapsymbol.c 2009-06-08 13:35:53.651858522 -0400 +@@ -616,7 +616,7 @@ + int msLoadSymbolSet(symbolSetObj *symbolset, mapObj *map) + { + int retval = MS_FAILURE; +- ++ + msAcquireLock( TLOCK_PARSER ); + retval = loadSymbolSet( symbolset, map ); + msReleaseLock( TLOCK_PARSER ); +@@ -631,6 +631,9 @@ + int status=1; + char szPath[MS_MAXPATHLEN], *pszSymbolPath=NULL; + ++ int foundSymbolSetToken=MS_FALSE; ++ int token; ++ + if(!symbolset) { + msSetError(MS_SYMERR, "Symbol structure unallocated.", "loadSymbolSet()"); + return(-1); +@@ -657,7 +660,15 @@ + ** Read the symbol file + */ + for(;;) { +- switch(msyylex()) { ++ ++ token = msyylex(); ++ ++ if(!foundSymbolSetToken && token != SYMBOLSET) { ++ msSetError(MS_IDENTERR, "First token must be SYMBOLSET, 
this doesn't look like a symbol file.", "msLoadSymbolSet()"); ++ return(-1); ++ } ++ ++ switch(token) { + case(END): + case(EOF): + status = 0; +@@ -673,6 +684,7 @@ + symbolset->numsymbols++; + break; + case(SYMBOLSET): ++ foundSymbolSetToken = MS_TRUE; + break; + default: + msSetError(MS_IDENTERR, "Parsing error near (%s):(line %d)", "loadSymbolSet()", msyytext, msyylineno); +diff -urNad mapserver-5.0.3~/tests/symbols.txt mapserver-5.0.3/tests/symbols.txt +--- mapserver-5.0.3~/tests/symbols.txt 2004-11-18 10:07:36.000000000 -0500 ++++ mapserver-5.0.3/tests/symbols.txt 2009-06-08 13:35:53.651858522 -0400 +@@ -1,22 +1,22 @@ +- +-SYMBOL ++SYMBOLSET ++ SYMBOL + NAME 'circle' + TYPE ellipse + FILLED true + POINTS + 1 1 + END +-END ++ END + +-SYMBOL ++ SYMBOL + NAME 'xmarks-png' + TYPE PIXMAP + IMAGE 'xmarks.png' +-END ++ END + +-SYMBOL ++ SYMBOL + NAME 'home-png' + TYPE PIXMAP + IMAGE 'home.png' ++ END + END +- Property changes on: packages/mapserver/branches/lenny/debian/patches/04_CVE-2009-0842.dpatch ___________________________________________________________________ Added: svn:executable + * Added: packages/mapserver/branches/lenny/debian/patches/05_CVE-2009-0843.dpatch =================================================================== --- packages/mapserver/branches/lenny/debian/patches/05_CVE-2009-0843.dpatch (rev 0) +++ packages/mapserver/branches/lenny/debian/patches/05_CVE-2009-0843.dpatch 2009-06-15 13:46:54 UTC (rev 2286) 
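Review bot: The new first-token errors in `loadMapInternal()` and `loadSymbolSet()` carry no position, unlike the sibling `default:` branch in loadSymbolSet that reports `msyytext` and `msyylineno`, and they attribute the error to `msLoadMap()`/`msLoadSymbolSet()` although the check lives in the lower-level functions; `msSetError(MS_IDENTERR, "First token must be SYMBOLSET, this doesn't look like a symbol file (near '%s', line %d).", "loadSymbolSet()", msyytext, msyylineno);` keeps the module's convention, and the loadMapInternal message should follow the same shape. The early `return(-1)` in loadSymbolSet sits inside the read loop; if the symbol file stream is opened earlier in the function (outside the hunk) it presumably stays open on this path, as it would on the existing parse-error path, which is worth confirming. The `foundMapToken`/`foundSymbolSetToken` guard runs for every token, so a one-line comment such as `/* reject non-mapfiles before any other keyword is interpreted */` would make the intent clear.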
@@ -0,0 +1,22 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 05_CVE-2009-0843.dpatch by Alan Boudreault <aboudrea...@mapgears.com> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +...@dpatch@ +diff -urNad mapserver-5.0.3~/mapquery.c mapserver-5.0.3/mapquery.c +--- mapserver-5.0.3~/mapquery.c 2008-05-05 10:46:11.000000000 -0400 ++++ mapserver-5.0.3/mapquery.c 2009-06-08 13:36:44.410605642 -0400 +@@ -120,6 +120,11 @@ + return(MS_FAILURE); + } + ++ /* ++ ** Make sure the file at least has the right extension. ++ */ ++ if(msEvalRegex("\\.qy$", filename) != MS_TRUE) return MS_FAILURE; ++ + stream = fopen(filename, "rb"); + if(!stream) { + msSetError(MS_IOERR, "(%s)", "msLoadQuery()", filename); Property changes on: packages/mapserver/branches/lenny/debian/patches/05_CVE-2009-0843.dpatch ___________________________________________________________________ Added: svn:executable + * _______________________________________________ Pkg-grass-devel mailing list Pkg-grass-devel@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel
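Review bot: The added extension check in `msLoadQuery()` returns MS_FAILURE without calling `msSetError()`, so the caller sees a failure with whatever stale error was set earlier, unlike the `fopen` failure just below it; add a message with an error code the module already uses, e.g. `msSetError(MS_IOERR, "Query file %s does not have the %s extension.", "msLoadQuery()", filename, MS_QUERY_EXTENSION);` before the return. The literal `"\\.qy$"` duplicates `MS_QUERY_EXTENSION` (".qy") from mapserver.h; a comment tying the two together, or a pattern derived from the macro, would keep them from drifting apart. The check only constrains the suffix: any readable path ending in .qy still reaches `fopen()`, so if the intent is to confine loading to the configured imagepath that has to be enforced by the lines above the hunk, which are not visible here.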