Fixing CVE-2017-5522 (stack buffer overflow) for mapserver
Dear Security Team,
Today the MapServer team has announced the release of version 7.0.4
which fixes CVE-2017-5522 (stack buffer overflow). To quote the release
announcement [0]:
"
Today the project team released versions 6.0.6, 6.2.4, 6.4.5 and 7.0.4
of MapServer. This is primarily a security release to address
CVE-2017-5522. That issue involves a buffer overflow identified by
MapServer developers associated with specific WFS get feature requests.
"
I've already updated the package in unstable, and have cherry-picked the
commit fixing the issue for the package in jessie (6.4.1-5+deb8u3) &
wheezy (6.0.1-3.2+deb7u3). See the attached debdiffs.
The issue may be remotely exploitable with specifically crafted WFS
requests.
Affected versions:
* jessie: 6.4.1-5+deb8u2
* wheezy: 6.0.1-3.2+deb7u3
Fixed versions:
* jessie: 6.4.1-5+deb8u3
* wheezy: 6.0.1-3.2+deb7u4
Are these changes OK for upload to security-master?
I'll contact the LTS team for wheezy.
[0] https://lists.osgeo.org/pipermail/mapserver-dev/2017-January/015007.html
Kind Regards,
Bas
--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
diff -Nru mapserver-6.0.1/debian/changelog mapserver-6.0.1/debian/changelog
--- mapserver-6.0.1/debian/changelog 2016-12-06 23:42:41.000000000 +0100
+++ mapserver-6.0.1/debian/changelog 2017-01-18 21:47:34.000000000 +0100
@@ -1,3 +1,9 @@
+mapserver (6.0.1-3.2+deb7u4) wheezy-security; urgency=high
+
+ * Add upstream patch to fix CVE-2017-5522 (stack buffer overflow).
+
+ -- Bas Couwenberg <sebastic@debian.org> Wed, 18 Jan 2017 21:47:28 +0100
+
mapserver (6.0.1-3.2+deb7u3) wheezy-security; urgency=high
* Add upstream patch to fix CVE-2016-9839.
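Review bot: the entry names the CVE and the bug class but not where the overflow lives; a short pointer such as "in the WFS filter IsLike handling (mapogcfilter.c, mapogcfiltercommon.c)" would make the changelog searchable without opening the patch. The wheezy-security target and urgency=high are consistent with the previous deb7u3 security entry.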
diff -Nru mapserver-6.0.1/debian/patches/CVE-2017-5522.patch mapserver-6.0.1/debian/patches/CVE-2017-5522.patch
--- mapserver-6.0.1/debian/patches/CVE-2017-5522.patch 1970-01-01 01:00:00.000000000 +0100
+++ mapserver-6.0.1/debian/patches/CVE-2017-5522.patch 2017-01-18 21:46:57.000000000 +0100
@@ -0,0 +1,29 @@
+Description: security fix (patch by EvenR)
+ Fixes CVE-2017-5522 (stack buffer overflow)
+Author: Even Rouault <even.rouault@spatialys.com>
+Origin: https://github.com/mapserver/mapserver/commit/cf7a13e62e5c56e4c7f455c1c38037a96dd1019d
+
+--- a/mapogcfilter.c
++++ b/mapogcfilter.c
+@@ -2874,6 +2874,9 @@ char *FLTGetIsLikeComparisonExpression(F
+
+ pszValue = psFilterNode->psRightNode->pszValue;
+ nLength = strlen(pszValue);
++
++ if( 1 + 2 * nLength + 1 + 1 >= sizeof(szTmp) )
++ return NULL;
+
+ iTmp =0;
+ if (nLength > 0 && pszValue[0] != pszWild[0] &&
+--- a/mapogcfiltercommon.c
++++ b/mapogcfiltercommon.c
+@@ -146,6 +146,9 @@ char *FLTGetIsLikeComparisonCommonExpres
+
+ pszValue = psFilterNode->psRightNode->pszValue;
+ nLength = strlen(pszValue);
++
++ if( 1 + 2 * nLength + 1 + 1 >= sizeof(szTmp) )
++ return NULL;
+
+ iTmp =0;
+ if (nLength > 0 && pszValue[0] != pszWild[0] &&
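Review bot: both inserted checks bail out with `return NULL` before the copy loop, so the fix is only complete if every caller of FLTGetIsLikeComparisonExpression and FLTGetIsLikeComparisonCommonExpression in 6.0.1 treats a NULL return as "no expression" rather than dereferencing it; that is not visible in this hunk and the 6.0.x callers may differ from the 7.0 ones the upstream commit was written against, so please confirm. The bound `1 + 2 * nLength + 1 + 1 >= sizeof(szTmp)` accounts for an opening quote, worst-case doubling of every input character, a closing quote and the terminator, and it relies on szTmp being a fixed-size array in scope (sizeof on a pointer would silently yield 4 or 8); a one-line comment stating that would help the next backporter. Also, the DEP-3 header cites only commit cf7a13e6 as Origin whereas the jessie patch below cites two upstream commits; a note on whether the second commit does not apply to 6.0.x would avoid the question coming up again.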
diff -Nru mapserver-6.0.1/debian/patches/series mapserver-6.0.1/debian/patches/series
--- mapserver-6.0.1/debian/patches/series 2016-12-06 23:42:41.000000000 +0100
+++ mapserver-6.0.1/debian/patches/series 2017-01-18 21:44:14.000000000 +0100
@@ -4,3 +4,4 @@
contenttype
cve-2013-7262
0001-Backport-4928-and-5356.patch
+CVE-2017-5522.patch
diff -Nru mapserver-6.4.1/debian/changelog mapserver-6.4.1/debian/changelog
--- mapserver-6.4.1/debian/changelog 2017-01-07 10:58:16.000000000 +0100
+++ mapserver-6.4.1/debian/changelog 2017-01-18 21:32:40.000000000 +0100
@@ -1,3 +1,9 @@
+mapserver (6.4.1-5+deb8u3) jessie-security; urgency=high
+
+ * Add upstream patch to fix CVE-2017-5522 (stack buffer overflow).
+
+ -- Bas Couwenberg <sebastic@debian.org> Wed, 18 Jan 2017 21:31:18 +0100
+
mapserver (6.4.1-5+deb8u2) stable; urgency=medium
* Add upstream patch to fix FTBFS with php >= 5.6.25.
diff -Nru mapserver-6.4.1/debian/patches/CVE-2017-5522.patch mapserver-6.4.1/debian/patches/CVE-2017-5522.patch
--- mapserver-6.4.1/debian/patches/CVE-2017-5522.patch 1970-01-01 01:00:00.000000000 +0100
+++ mapserver-6.4.1/debian/patches/CVE-2017-5522.patch 2017-01-18 21:30:33.000000000 +0100
@@ -0,0 +1,29 @@
+Description: security fix (patch by EvenR)
+ Fixes CVE-2017-5522 (stack buffer overflow)
+Author: Even Rouault <even.rouault@spatialys.com>
+Origin: https://github.com/mapserver/mapserver/commit/fb00f8149898fcf9fcb490a179984e481248f066
+ https://github.com/mapserver/mapserver/commit/f096b132e58cdfe2714ce372e9f4f7c76d72c5ec
+
+--- a/mapogcfilter.c
++++ b/mapogcfilter.c
+@@ -2853,6 +2853,9 @@ char *FLTGetIsLikeComparisonExpression(F
+ pszValue = psFilterNode->psRightNode->pszValue;
+ nLength = strlen(pszValue);
+
++ if( 1 + 2 * nLength + 1 + 1 >= sizeof(szTmp) )
++ return NULL;
++
+ iTmp =0;
+ if (nLength > 0 && pszValue[0] != pszWild[0] &&
+ pszValue[0] != pszSingle[0] &&
+--- a/mapogcfiltercommon.c
++++ b/mapogcfiltercommon.c
+@@ -93,6 +93,8 @@ char *FLTGetIsLikeComparisonCommonExpres
+
+ pszValue = psFilterNode->psRightNode->pszValue;
+ nLength = strlen(pszValue);
++ if( 1 + 2 * nLength + 1 + 1 >= sizeof(szTmp) )
++ return NULL;
+
+ iTmp =0;
+ if (nLength > 0 && pszValue[0] != pszWild[0] &&
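Review bot: the Origin header lists two upstream commits (fb00f814 and f096b132), but the patch body is the same pair of length checks as the wheezy backport, one per function, so it is unclear what the second commit contributes; either record which hunk comes from which commit or drop the reference if nothing from it was taken. Minor consistency point: in mapogcfilter.c the check is placed after the existing blank line, while in mapogcfiltercommon.c it is attached directly to `nLength = strlen(pszValue);` with no separating line (`@@ -93,6 +93,8 @@` vs `@@ -2853,6 +2853,9 @@`); harmless, but matching upstream placement keeps future cherry-picks clean. The NULL-return contract raised for the wheezy patch applies here as well: the 6.4.1 callers must tolerate a NULL expression.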
diff -Nru mapserver-6.4.1/debian/patches/series mapserver-6.4.1/debian/patches/series
--- mapserver-6.4.1/debian/patches/series 2017-01-07 10:00:07.000000000 +0100
+++ mapserver-6.4.1/debian/patches/series 2017-01-18 21:27:42.000000000 +0100
@@ -7,3 +7,4 @@
php56.patch
0001-Backport-4928-and-5356.patch
0001-Fix-build-issue-with-php-5.6.25-5318.patch
+CVE-2017-5522.patch