
Bug#988224: unblock: mapserver/7.6.2-2 (pre-approval)



On 5/31/21 8:27 AM, Sebastian Ramacher wrote:
> On 2021-05-31 08:17:25 +0200, Sebastiaan Couwenberg wrote:
>> On 5/31/21 8:07 AM, Sebastian Ramacher wrote:
>>> On 2021-05-31 05:38:15 +0200, Sebastiaan Couwenberg wrote:
>>>> On 5/30/21 9:12 PM, Salvatore Bonaccorso wrote:
>>>>> Sebastiaan, Sebastian,
>>>>>
>>>>> On Tue, May 25, 2021 at 09:57:28AM +0200, Sebastiaan Couwenberg wrote:
>>>>>> Control: tags -1 - moreinfo
>>>>>>
>>>>>> On 5/25/21 9:45 AM, Sebastian Ramacher wrote:
>>>>>>> On 2021-05-08 22:17:42 +0200, Sebastiaan Couwenberg wrote:
>>>>>>>> On 5/8/21 9:18 PM, Sebastian Ramacher wrote:
>>>>>>>>> On 2021-05-08 07:29:01 +0200, Bas Couwenberg wrote:
>>>>>>>>>> Package: release.debian.org
>>>>>>>>>> Severity: normal
>>>>>>>>>> User: release.debian.org@packages.debian.org
>>>>>>>>>> Usertags: unblock
>>>>>>>>>>
>>>>>>>>>> Please unblock package mapserver to fix CVE-2021-32062 as reported in #988208.
>>>>>>>>>>
>>>>>>>>>> [ Reason ]
>>>>>>>>>> Fix security issue.
>>>>>>>>>>
>>>>>>>>>> [ Impact ]
>>>>>>>>>> Unfixed security issue.
>>>>>>>>>>
>>>>>>>>>> [ Tests ]
>>>>>>>>>> Upstream CI.
>>>>>>>>>>
>>>>>>>>>> [ Risks ]
>>>>>>>>>> Low, leaf package.
>>>>>>>>>>
>>>>>>>>>> [ Checklist ]
>>>>>>>>>>   [x] all changes are documented in the d/changelog
>>>>>>>>>>   [x] I reviewed all changes and I approve them
>>>>>>>>>>   [x] attach debdiff against the package in testing
>>>>>>>>>>
>>>>>>>>>> [ Other info ]
>>>>>>>>>> 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is required as a dependency of 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch.
>>>>>>>>>>
>>>>>>>>>> unblock mapserver/7.6.2-2
>>>>>>>>>
>>>>>>>>>> diff -Nru mapserver-7.6.2/debian/changelog mapserver-7.6.2/debian/changelog
>>>>>>>>>> --- mapserver-7.6.2/debian/changelog	2020-12-09 06:01:02.000000000 +0100
>>>>>>>>>> +++ mapserver-7.6.2/debian/changelog	2021-05-08 07:12:18.000000000 +0200
>>>>>>>>>> @@ -1,3 +1,12 @@
>>>>>>>>>> +mapserver (7.6.2-2) unstable; urgency=high
>>>>>>>>>> +
>>>>>>>>>> +  * Drop unused lintian overrides.
>>>>>>>>>> +  * Add upstream patches to fix CVE-2021-32062.
>>>>>>>>>> +    (closes: #988208)
>>>>>>>>>> +  * Update symbols file.
>>>>>>>>>> +
>>>>>>>>>> + -- Bas Couwenberg <sebastic@debian.org>  Sat, 08 May 2021 07:12:18 +0200
>>>>>>>>>> +
>>>>>>>>>>  mapserver (7.6.2-1) unstable; urgency=medium
>>>>>>>>>>  
>>>>>>>>>>    * Update symbols for other architectures.
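Review bot: `+  * Add upstream patches to fix CVE-2021-32062.` names neither patch; the [Other info] section above explains that 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is only carried as a prerequisite of 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch, and that reasoning belongs in the changelog entry (or the patch headers) so the next person touching debian/patches knows why a second, unrelated-looking patch is present. Listing the two file names on indented sub-lines under this bullet would do.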
>>>>>>>>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.lintian-overrides mapserver-7.6.2/debian/libmapserver2.lintian-overrides
>>>>>>>>>> --- mapserver-7.6.2/debian/libmapserver2.lintian-overrides	2020-08-06 05:34:57.000000000 +0200
>>>>>>>>>> +++ mapserver-7.6.2/debian/libmapserver2.lintian-overrides	1970-01-01 01:00:00.000000000 +0100
>>>>>>>>>> @@ -1,3 +0,0 @@
>>>>>>>>>> -# Cannot easily be fixed
>>>>>>>>>> -file-references-package-build-path *
>>>>>>>>>> -
>>>>>>>>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.symbols mapserver-7.6.2/debian/libmapserver2.symbols
>>>>>>>>>> --- mapserver-7.6.2/debian/libmapserver2.symbols	2020-12-09 06:00:39.000000000 +0100
>>>>>>>>>> +++ mapserver-7.6.2/debian/libmapserver2.symbols	2021-05-08 07:11:08.000000000 +0200
>>>>>>>>>> @@ -945,6 +945,7 @@
>>>>>>>>>>   msCSVJoinPrepare@Base 6.2.1
>>>>>>>>>>   msCairoCleanup@Base 6.2.1
>>>>>>>>>>   msCalculateScale@Base 6.2.1
>>>>>>>>>> + msCaseEvalRegex@Base 7.6.2
>>>>>>>>>>   msCaseReplaceSubstring@Base 6.2.1
>>>>>>>>>>   msCheckLabelMinDistance@Base 7.0.0
>>>>>>>>>>   msCheckParentPointer@Base 6.2.1
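Review bot: `+ msCaseEvalRegex@Base 7.6.2` records the symbol as if upstream 7.6.2 already exported it, but it only appears with the Debian-patched 7.6.2-2, so dpkg-shlibdeps would emit `libmapserver2 (>= 7.6.2)` for any consumer of it, and 7.6.2-1 satisfies that despite not exporting the symbol. Version it as `msCaseEvalRegex@Base 7.6.2-2~` (the tilde keeps binNMUs and backports satisfying the dependency), which is what the dpkg-gensymbols section on maintaining symbols files, cited later in this thread, prescribes for patch-introduced symbols.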
>>>>>>>>>> @@ -1418,6 +1419,7 @@
>>>>>>>>>>   msIsGlyphASpace@Base 7.2.0
>>>>>>>>>>   msIsLayerQueryable@Base 6.2.1
>>>>>>>>>>   msIsOuterRing@Base 6.2.1
>>>>>>>>>> + msIsValidRegex@Base 7.6.2
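Review bot: Same issue with `+ msIsValidRegex@Base 7.6.2`: the minimum version should be `7.6.2-2~`, since the symbol is added by the CVE-2021-32062 patch and not by upstream 7.6.2. The later replies state that both new symbols are only called from inside libmapserver itself, in which case the wrong minver changes no generated dependency today; it becomes wrong the moment a later upload or a third-party build links against them, and the fix is one string on each of two lines, so it is cheaper to take it now than to carry a known-incorrect symbols file into stable.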
>>>>>>>>>
>>>>>>>>> This version is not high enough. The symbols need to be marked as
>>>>>>>>> requiring 7.6.2-2~
>>>>>>>>
>>>>>>>> There are no rdeps of mapserver in Debian, so no users of the symbols file.
>>>>>>>
>>>>>>> It's technically wrong. If you introduce symbols with a patch, the
>>>>>>> symbols need to be properly versioned. After all, there is a user of the
>>>>>>> symbols file and that is mapserver itself. If you have to introduce
>>>>>>> calls to those two symbols outside of libmapserver in the next patch,
>>>>>>> the dependency on libmapserver is wrong.
>>>>>>
>>>>>> libmapserver-dev already depends on libmapserver2 with (=
>>>>>> ${binary:Version}).
>>>>>>
>>>>>> None of the other binary packages require symbols introduced after 7.0.5.
>>>>>>
>>>>>> All the code using msCaseEvalRegex & msIsValidRegex is within
>>>>>> libmapserver itself.
>>>>>>
>>>>>> While strictly speaking the version in the symbols file should include
>>>>>> the revision, it's not required in this case because nothing outside
>>>>>> libmapserver uses it.
>>>>>>
>>>>>>>>> Please remove the moreinfo tag once that fixed version is available in
>>>>>>>>> unstable.
>>>>>>>>
>>>>>>>> mapserver (7.6.2-2) has been uploaded to unstable without further
>>>>>>>> changes to the symbols file.
>>>>>>>
>>>>>>> Again, please remove the moreinfo tag only once a fixed version is
>>>>>>> available in unstable.
>>>>>>
>>>>>> There is no need for further changes in unstable.
>>>>>
>>>>> Sebastian (the release team member), is there anything from the above
>>>>> which you still want the maintainer to be addressed? Sebastiaan, my
>>>>> understanding is that Sebastian would like to see the above changes done
>>>>> for mapserver to be unblocked.
>>>>
>>>> That's my understanding too, but the additional information provided
>>>> should make clear that those changes are not required.
>>>
>>> I think I said it twice (from #988224#24):
>>
>> There is no message #24 in #988224.
> 
> Sorry, #26: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988224#26

And my reply to that is #33:

 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988224#33

>>>>>> Please remove the moreinfo tag once that fixed version is available in
>>>>>> unstable.
>>>>>
>>>>> mapserver (7.6.2-2) has been uploaded to unstable without further
>>>>> changes to the symbols file.
>>>>
>>>> Again, please remove the moreinfo tag only once a fixed version is
>>>> available in unstable.
>>>
>>> I want these symbols fixed.
>>
>> There is no need for that.
>>
>> Perhaps we should just close this issue as wontfix, I'm not going to
>> change the symbols version for pedantic reasons.
> 
> If you are unwilling to fix a potential RC bug waiting to happen, then
> yes, let's close it.

Your "potential RC bug waiting to happen" is entirely hypothetical. The
two symbols are publicly exported, and as such the version in the symbols
file should include the Debian revision per the dpkg-gensymbols
documentation [0] (which should also avoid the
symbols-file-contains-debian-revision lintian issue).

But because there are no users of these two symbols outside
libmapserver, not even other binary packages built from the mapserver
source package as you were expecting, adding the Debian revision is not
required. Insisting on having the Debian revision in the symbols version
with that knowledge is just being pedantic.

I regret the time spent on this (minor) security issue to not have it
affect the upcoming stable release. In retrospect I shouldn't have
bothered for a no-dsa issue.

[0]
https://manpages.debian.org/buster/dpkg-dev/dpkg-gensymbols.1.en.html#MAINTAINING_SYMBOLS_FILES


Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1

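The dependency mechanics being argued about, as an added example that is not part of this thread nor code from mapserver or dpkg: a Python re-implementation of dpkg's version comparison (the algorithm specified in deb-version(7)) and of the rule dpkg-shlibdeps applies to a symbols file, namely that the generated `libmapserver2 (>= X)` takes the highest minver among the symbols a binary references. The symbols excerpt is constructed from the hunks quoted above (the soname header line is assumed), and the set of symbols the hypothetical consumer uses is made up for illustration.

```python
"""Why a symbol introduced by a Debian patch is versioned 7.6.2-2~, not 7.6.2.

Added example for this bug thread; re-implements dpkg's version comparison
and models dpkg-shlibdeps' minver selection. Not mapserver or dpkg code.
"""
from functools import cmp_to_key

# Constructed excerpt of debian/libmapserver2.symbols as in the 7.6.2-2
# debdiff quoted in the thread. The soname line is assumed; the real file
# has far more entries.
SUBMITTED = """\
libmapserver.so.2 libmapserver2 #MINVER#
 msCalculateScale@Base 6.2.1
 msCaseEvalRegex@Base 7.6.2
 msCheckLabelMinDistance@Base 7.0.0
 msIsValidRegex@Base 7.6.2
"""

# The same excerpt with the versioning the release team asked for.
CORRECTED = SUBMITTED.replace("@Base 7.6.2\n", "@Base 7.6.2-2~\n")


def _split(version):
    """Split '[epoch:]upstream[-revision]' as dpkg does."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def _order(c):
    """Weight of one character in a non-digit run, as in dpkg's order():
    '~' sorts before everything (even end of string), letters before
    other punctuation, digits never reach here with weight."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's verrevcmp(): alternate non-digit and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Compare the non-digit run character by character; end of string
        # has weight 0, so only a trailing '~' can sort below it.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: strip leading zeros, then the longer run wins,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def debian_version_cmp(a, b):
    """Negative, zero or positive like dpkg --compare-versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_symbols(text):
    """Map 'name@version' -> minver from a deb-symbols(5) file body."""
    minvers = {}
    for line in text.splitlines():
        if not line.startswith(" "):
            continue  # soname header or comment, not a symbol entry
        name, minver = line.split()[:2]
        minvers[name] = minver
    return minvers


def generated_minver(symbols_text, used_symbols):
    """Version dpkg-shlibdeps would put into 'libmapserver2 (>= ...)' for a
    binary that references used_symbols: the highest minver among them."""
    minvers = parse_symbols(symbols_text)
    return max((minvers[s] for s in used_symbols), key=cmp_to_key(debian_version_cmp))


def satisfies(installed, minver):
    """Does an installed package version meet the generated '>=' relation?"""
    return debian_version_cmp(installed, minver) >= 0


if __name__ == "__main__":
    used = ["msCalculateScale@Base", "msIsValidRegex@Base"]  # hypothetical consumer
    for label, text in (("as uploaded", SUBMITTED), ("with 7.6.2-2~", CORRECTED)):
        dep = generated_minver(text, used)
        print(f"{label}: libmapserver2 (>= {dep})")
        for installed in ("7.6.2-1", "7.6.2-2", "7.6.2-2+b1", "7.6.2-2~bpo11+1"):
            print(f"  {installed:16} satisfies: {satisfies(installed, dep)}")
```

Run it and the two cases fall out directly: with `7.6.2` as minver, a consumer of msIsValidRegex gets a dependency that 7.6.2-1 satisfies although that build lacks the symbol; with `7.6.2-2~` it does not, while 7.6.2-2, a binNMU such as 7.6.2-2+b1 and a backport such as 7.6.2-2~bpo11+1 all still qualify, which is why the tilde form is the one the dpkg-gensymbols documentation asks for.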