[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fixing CVE-2017-5522 (stack buffer overflow) for mapserver

On Jan/18, Sebastiaan Couwenberg wrote:
> Today the MapServer team has announced the release of version 7.0.4
> which fixes CVE-2017-5522 (stack buffer overflow). To quote the
> release announcement [0]:
> 
> "
>  Today the project team released versions 6.0.6, 6.2.4, 6.4.5 and 7.0.4
>  of MapServer. This is primarily a security release to address
>  CVE-2017-5522. That issue involves a buffer overflow identified by
>  MapServer developers associated with specific WFS get feature requests.
> "
> 
> I've already updated the package in unstable, and have cherry-picked
> the commit fixing the issue for the package in jessie (6.4.1-5+deb8u3)
> & wheezy (6.0.1-3.2+deb7u3). See the attached debdiffs.
> 
> The issue may be remotely exploitable with specifically crafted WFS
> requests.
> 
> Are these changes OK for upload to security-master?

Yes, please upload, and I'll take care of the DSA.

Cheers,

--Seb
Reply to: