Re: Fixing CVE-2016-9839 for mapserver

Hi Sebastiaan,

On Tue, Dec 06, 2016 at 12:22:13AM +0100, Sebastiaan Couwenberg wrote:
> Dear Security Team,
> 
> Today the MapServer team has released version 7.0.3 which fixes
> CVE-2016-9839. To quote the release announcement [0]:
> 
> "
>  That issue involves OGR error messages being too verbose in some
>  instances and potentially disclosing sensitive information if the
>  underlying connection fails. In addition we have backported a somewhat
>  similar fix to the 6.x series for PostGIS layers.
> "
> 
> I've already updated the package in unstable, and have cherry-picked the
> commit fixing the issue for OGR & PostGIS layers for the package in
> jessie (6.4.1-5+deb8u1) & wheezy (6.0.1-3.2+deb7u3). See the attached
> debdiffs.
> 
> The "sensitive information" are the credentials for the database
> configured in the mapfile which are reported in the error message. If
> the database is accessible over the network unauthorized users may gain
> access using the credentials from the error message. An example is
> provided in the upstream issue [1] for the PostGIS layer, and
> similarly affects the OGR layer [2][3].
> 
> I don't think the issue is remotely exploitable, unless some way to
> force the database connection failure to occur is found. As long as the
> database is only accessible on the localhost, the impact of the issue is
> limited.
> 
> Affected versions:
> 
>  * jessie: 6.4.1-5
>  * wheezy: 6.0.1-3.2+deb7u2
> 
> Fixed versions:
> 
>  * jessie: 6.4.1-5+deb8u1
>  * wheezy: 6.0.1-3.2+deb7u3
> 
> Are these changes OK for upload to security-master?

Thanks for contacting us. I think the issue could be fixed via an
upcoming point release. Can you please schedule it via the upcoming
one? See
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable
for the respective guidelines.

Regards and thanks a lot for your work, I have updated the
security-tracker entry for CVE-2016-9839 just now.

Salvatore

p.s.: For wheezy LTS, note that this is a separate project, it might be
      that they want to release a DLA, but for that please contact the
      Wheezy LTS team. Contact point: https://wiki.debian.org/LTS .
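The failure mode described in the quoted report is a connection error that echoes the mapfile CONNECTION string, password included, back to whoever triggered it. The following is an added illustration of the defensive pattern behind the upstream fix; it is not MapServer's code, not the Debian debdiff, and the error message it operates on is constructed for this example. It shows the two layers a maintainer would want: the client-facing error never carries the connection string at all, and anything written to the server log has the password redacted first (both the libpq `key=value` form and the `scheme://user:password@host` URI form are handled).

```python
import re

# Constructed sample in the shape the report describes: a failed PostGIS
# connection whose error text repeats the full connect string with its
# password. Host, user and password are made up for this example.
SAMPLE_ERROR = (
    "msPostGISLayerOpen(): Query error. Database connection failed "
    "(could not connect to server: Connection refused) with connect string "
    "'host=db.internal dbname=gis user=mapserver password=S3cret! port=5432'"
)

# libpq keyword form: password=value, where value is either single-quoted
# (backslash escapes allowed inside) or runs to the next whitespace/quote.
_KV_PASSWORD = re.compile(r"(?i)(\bpassword\s*=\s*)('(?:\\.|[^'\\])*'|[^\s']+)")

# URI form: scheme://user:password@host  (only matches when a password is present)
_URI_PASSWORD = re.compile(r"(://[^/\s:@']+:)([^@\s']+)(@)")


def redact_credentials(text: str, mask: str = "***") -> str:
    """Return `text` with any embedded database password replaced by `mask`."""
    text = _KV_PASSWORD.sub(lambda m: m.group(1) + mask, text)
    text = _URI_PASSWORD.sub(lambda m: m.group(1) + mask + m.group(3), text)
    return text


def connection_failure_message(detail: str, conn_string: str, for_client: bool) -> str:
    """Build the error surfaced on a failed database connection.

    for_client=True  -> generic text only; the connection string is never included.
    for_client=False -> diagnostic text for the server log, with the password masked.
    """
    if for_client:
        return "Database connection failed"
    return (
        f"Database connection failed: {detail} "
        f"(connection: {redact_credentials(conn_string)})"
    )


if __name__ == "__main__":
    print(redact_credentials(SAMPLE_ERROR))
    print(connection_failure_message("Connection refused",
                                     "host=db.internal user=mapserver password=S3cret!",
                                     for_client=True))
    print(connection_failure_message("Connection refused",
                                     "host=db.internal user=mapserver password=S3cret!",
                                     for_client=False))
```

The split matters because redaction alone still tells an unauthenticated caller the database host, name and user; keeping the whole connection string out of the client-facing message is what removes the disclosure, and the redaction protects the log file, which often has a wider readership than intended.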

