Re: Fixing CVE-2016-9839 for mapserver
Hi Sebastiaan,
On Tue, Dec 06, 2016 at 12:22:13AM +0100, Sebastiaan Couwenberg wrote:
> Dear Security Team,
>
> Today the MapServer team has released version 7.0.3 which fixes
> CVE-2016-9839. To quote the release announcement [0]:
>
> "
> That issue involves OGR error messages being too verbose in some
> instances and potentially disclosing sensitive information if the
> underlying connection fails. In addition we have backported a somewhat
> similar fix to the 6.x series for PostGIS layers.
> "
>
> I've already updated the package in unstable, and have cherry-picked the
> commit fixing the issue for OGR & PostGIS layers for the package in
> jessie (6.4.1-5+deb8u1) & wheezy (6.0.1-3.2+deb7u3). See the attached
> debdiffs.
>
> The "sensitive information" are the credentials for the database
> configured in the mapfile which are reported in the error message. If
> the database is accessible over the network unauthorized users may gain
> access using the credentials from the error message. An example is
> provided in the upstream issue [1] for the PostGIS layer, and
> similarly affects the OGR layer [2][3].
>
> I don't think the issue is remotely exploitable, unless some way to
> force the database connection failure to occur is found. As long as the
> database is only accessible on the localhost, the impact of the issue is
> limited.
>
> Affected versions:
>
> * jessie: 6.4.1-5
> * wheezy: 6.0.1-3.2+deb7u2
>
> Fixed versions:
>
> * jessie: 6.4.1-5+deb8u1
> * wheezy: 6.0.1-3.2+deb7u3
>
> Are these changes OK for upload to security-master?
Thanks for contacting us. I think the issue could be fixed via an
upcoming point release. Can you please schedule it via the upcoming
one? See
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable
for respective guidelines.
Regards and thanks a lot for your work, I have updated the
security-tracker entry for CVE-2016-9839 just now.
Salvatore
p.s.: For wheezy LTS, note that this is a separate project, it might be
that they want to release a DLA, but for that please contact the
Wheezy LTS team. Contact point: https://wiki.debian.org/LTS .
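The disclosure described in the thread is a PostGIS/OGR connection string, password included, being echoed into an error message when the connection fails. The following is an added example, not MapServer's own fix, of the mitigation a defender wants in that code path: redact the password value of a libpq keyword=value connection string before it reaches a log or error message. It assumes the libpq syntax (bare or single-quoted values with \' and \\ escapes); the function names are hypothetical.

```c
#include <ctype.h>
#include <string.h>
/* Append n bytes of src at out[*pos], bounded by outlen; keeps out NUL-terminated. */
static void put(char *out, size_t outlen, size_t *pos, const char *src, size_t n) {
    while (n-- > 0 && *pos + 1 < outlen) out[(*pos)++] = *src++;
    out[*pos] = '\0';
}
/* Case-insensitive test for the libpq "password" keyword. */
static int is_password_key(const char *key, size_t n) {
    if (n != 8) return 0;
    for (size_t i = 0; i < 8; i++)
        if (tolower((unsigned char)key[i]) != "password"[i]) return 0;
    return 1;
}

/* Copy a libpq keyword=value connection string (the PostGIS CONNECTION form
 * used in mapfiles) into out, replacing the value of password= with "*****".
 * Values may be bare words or single-quoted with \' and \\ escapes. */
char *redact_conninfo(const char *in, char *out, size_t outlen) {
    size_t pos = 0;
    const char *p = in;
    out[0] = '\0';
    while (*p) {
        while (*p && isspace((unsigned char)*p)) put(out, outlen, &pos, p++, 1);
        const char *key = p;
        while (*p && *p != '=' && !isspace((unsigned char)*p)) p++;
        size_t klen = (size_t)(p - key);
        put(out, outlen, &pos, key, klen);
        while (*p && isspace((unsigned char)*p)) put(out, outlen, &pos, p++, 1);
        if (*p != '=') continue;               /* bare word: copied unchanged */
        put(out, outlen, &pos, p++, 1);        /* the '=' and any space after it */
        while (*p && isspace((unsigned char)*p)) put(out, outlen, &pos, p++, 1);
        const char *val = p;
        if (*p == '\'') {                      /* quoted value: scan to closing quote */
            for (p++; *p && *p != '\''; p++)
                if (*p == '\\' && p[1]) p++;   /* skip escaped character */
            if (*p == '\'') p++;
        } else {
            while (*p && !isspace((unsigned char)*p)) p++;
        }
        if (is_password_key(key, klen)) put(out, outlen, &pos, "*****", 5);
        else put(out, outlen, &pos, val, (size_t)(p - val));
    }
    return out;
}
/* 1 if redacting `in` yields exactly `expected` (convenience for checks). */
int redact_matches(const char *in, const char *expected) {
    char buf[512];
    return strcmp(redact_conninfo(in, buf, sizeof buf), expected) == 0;
}
```

Only the redacted string should ever be interpolated into the "connection failed" error text; the original stays confined to the connect call.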