Fixing CVE-2017-5522 (stack buffer overflow) for mapserver in wheezy
Dear LTS Team,
Today the MapServer team has announced the release of version 7.0.4
which fixes CVE-2017-5522 (stack buffer overflow). To quote the release
announcement [0]:
"
Today the project team released versions 6.0.6, 6.2.4, 6.4.5 and 7.0.4
of MapServer. This is primarily a security release to address
CVE-2017-5522. That issue involves a buffer overflow identified by
MapServer developers associated with specific WFS get feature requests.
"
I've already updated the package in unstable, and have cherry-picked the
commit fixing the issue for the package in jessie (6.4.1-5+deb8u3) &
wheezy (6.0.1-3.2+deb7u3). See the attached debdiff.
The issue may be remotely exploitable with specifically crafted WFS
requests.
Affected versions:
* wheezy: 6.0.1-3.2+deb7u3
Fixed versions:
* wheezy: 6.0.1-3.2+deb7u4
Are these changes OK for wheezy-security?
[0] https://lists.osgeo.org/pipermail/mapserver-dev/2017-January/015007.html
Kind Regards,
Bas
--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
diff -Nru mapserver-6.0.1/debian/changelog mapserver-6.0.1/debian/changelog
--- mapserver-6.0.1/debian/changelog 2016-12-06 23:42:41.000000000 +0100
+++ mapserver-6.0.1/debian/changelog 2017-01-18 21:47:34.000000000 +0100
@@ -1,3 +1,9 @@
+mapserver (6.0.1-3.2+deb7u4) wheezy-security; urgency=high
+
+ * Add upstream patch to fix CVE-2017-5522 (stack buffer overflow).
+
+ -- Bas Couwenberg <sebastic@debian.org> Wed, 18 Jan 2017 21:47:28 +0100
+
mapserver (6.0.1-3.2+deb7u3) wheezy-security; urgency=high
* Add upstream patch to fix CVE-2016-9839.
diff -Nru mapserver-6.0.1/debian/patches/CVE-2017-5522.patch mapserver-6.0.1/debian/patches/CVE-2017-5522.patch
--- mapserver-6.0.1/debian/patches/CVE-2017-5522.patch 1970-01-01 01:00:00.000000000 +0100
+++ mapserver-6.0.1/debian/patches/CVE-2017-5522.patch 2017-01-18 21:46:57.000000000 +0100
@@ -0,0 +1,29 @@
+Description: security fix (patch by EvenR)
+ Fixes CVE-2017-5522 (stack buffer overflow)
+Author: Even Rouault <even.rouault@spatialys.com>
+Origin: https://github.com/mapserver/mapserver/commit/cf7a13e62e5c56e4c7f455c1c38037a96dd1019d
+
+--- a/mapogcfilter.c
++++ b/mapogcfilter.c
+@@ -2874,6 +2874,9 @@ char *FLTGetIsLikeComparisonExpression(F
+
+ pszValue = psFilterNode->psRightNode->pszValue;
+ nLength = strlen(pszValue);
++
++ if( 1 + 2 * nLength + 1 + 1 >= sizeof(szTmp) )
++ return NULL;
+
+ iTmp =0;
+ if (nLength > 0 && pszValue[0] != pszWild[0] &&
+--- a/mapogcfiltercommon.c
++++ b/mapogcfiltercommon.c
+@@ -146,6 +146,9 @@ char *FLTGetIsLikeComparisonCommonExpres
+
+ pszValue = psFilterNode->psRightNode->pszValue;
+ nLength = strlen(pszValue);
++
++ if( 1 + 2 * nLength + 1 + 1 >= sizeof(szTmp) )
++ return NULL;
+
+ iTmp =0;
+ if (nLength > 0 && pszValue[0] != pszWild[0] &&
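Review bot: the new early `return NULL;` in both FLTGetIsLikeComparisonExpression (mapogcfilter.c) and FLTGetIsLikeComparisonCommonExpression (mapogcfiltercommon.c) introduces a failure path that the callers, not visible in this hunk, must handle; please confirm that every caller of these two functions checks for a NULL result before using it, otherwise the stack overflow is traded for a NULL dereference. The bound `1 + 2 * nLength + 1 + 1 >= sizeof(szTmp)` is the worst case (one leading character, every input byte escaped to two, one trailing character, the terminator), which is conservative and correct provided szTmp is a fixed-size array in scope rather than a pointer; a one-line comment above the check stating that budget would make the intent clear to the next reader.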
diff -Nru mapserver-6.0.1/debian/patches/series mapserver-6.0.1/debian/patches/series
--- mapserver-6.0.1/debian/patches/series 2016-12-06 23:42:41.000000000 +0100
+++ mapserver-6.0.1/debian/patches/series 2017-01-18 21:44:14.000000000 +0100
@@ -4,3 +4,4 @@
contenttype
cve-2013-7262
0001-Backport-4928-and-5356.patch
+CVE-2017-5522.patch