Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: pu

Dear Release Team,

The MapServer project has released stable updates for every major
release from 5.6.x up fixing a security issue which allows a potential
leakage of information through an SQL injection when using TIME filtering in
conjunction with PostGIS backends. More information can be found in the
dedicated upstream issue: #4834

https://github.com/mapserver/mapserver/issues/4834

I've included the patch for this minor vulnerability from MapServer 6.0.4 in
the new mapserver 6.0.1-3.2+deb7u2. 

Is this acceptable for upload to wheezy-proposed-updates?

Kind Regards,

Bas
diff -Nru mapserver-6.0.1/debian/changelog mapserver-6.0.1/debian/changelog
--- mapserver-6.0.1/debian/changelog	2013-09-25 21:15:43.000000000 +0200
+++ mapserver-6.0.1/debian/changelog	2014-01-10 04:15:18.000000000 +0100
@@ -1,3 +1,11 @@
+mapserver (6.0.1-3.2+deb7u2) stable-proposed-updates; urgency=low
+
+  * Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the
+    msPostGISLayerSetTimeFilter function in mappostgis.c.
+    (closes: #734565)
+
+ -- Bas Couwenberg <sebas...@xs4all.nl>  Fri, 10 Jan 2014 03:45:58 +0100
+
 mapserver (6.0.1-3.2+deb7u1) stable-proposed-updates; urgency=low
 
   [ Francesco Paolo Lovergine ]
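Review bot: the new 6.0.1-3.2+deb7u2 entry says "Add patch" without naming the patch file or its source. Consider naming debian/patches/cve-2013-7262 and the upstream commit recorded in that patch's Origin header, so the changelog on its own identifies exactly what was applied.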
diff -Nru mapserver-6.0.1/debian/patches/cve-2013-7262 mapserver-6.0.1/debian/patches/cve-2013-7262
--- mapserver-6.0.1/debian/patches/cve-2013-7262	1970-01-01 01:00:00.000000000 +0100
+++ mapserver-6.0.1/debian/patches/cve-2013-7262	2014-01-10 03:45:47.000000000 +0100
@@ -0,0 +1,20 @@
+Description: Fix potential SQL Injection with postgis TIME filters.
+Origin: https://github.com/mapserver/mapserver/commit/3f0ee57b12d482e0ff5611d05afd32408949f7f9
+Author: Even Rouault <even.roua...@mines-paris.org>
+Bug: https://github.com/mapserver/mapserver/issues/4834
+Bug-Debian: http://bugs.debian.org/734565
+Last-Update: 2013-01-08
+--- a/mappostgis.c
++++ b/mappostgis.c
+@@ -2961,6 +2961,11 @@ int msPostGISLayerSetTimeFilter(layerObj
+     if (!lp || !timestring || !timefield)
+       return MS_FALSE;
+ 
++    if( strchr(timestring,'\'') || strchr(timestring, '\\') ) {
++       msSetError(MS_MISCERR, "Invalid time filter.", "msPostGISLayerSetTimeFilter()");
++       return MS_FALSE;
++    }
++
+     if (strstr(timestring, ",") == NULL && 
+         strstr(timestring, "/") == NULL) /* discrete time */
+       tmpstimestring = msStrdup(timestring);
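Review bot: the added check in msPostGISLayerSetTimeFilter rejects only `'` and `\` in timestring. That is a denylist, and it is sufficient only if every later use of timestring sits inside a single-quoted SQL literal, which this hunk does not show. timefield is null-checked in the context lines but gets no character validation here. Both points are worth confirming against the rest of the function before upload. Separately, "Last-Update: 2013-01-08" in the patch header predates the 2014 timestamps on the patch file and the changelog entry, and looks like a year typo for 2014-01-08.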
diff -Nru mapserver-6.0.1/debian/patches/series mapserver-6.0.1/debian/patches/series
--- mapserver-6.0.1/debian/patches/series	2013-09-25 21:13:43.000000000 +0200
+++ mapserver-6.0.1/debian/patches/series	2014-01-10 03:45:47.000000000 +0100
@@ -2,3 +2,4 @@
 php54
 multiarch-libgd
 contenttype
+cve-2013-7262
_______________________________________________
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-grass-devel
