Re: Fixing CVE-2017-5522 (stack buffer overflow) for mapserver
On 01/18/2017 10:28 PM, Sébastien Delafond wrote:
> On Jan/18, Sebastiaan Couwenberg wrote:
>> Today the MapServer team has announced the release of version 7.0.4
>> which fixes CVE-2017-5522 (stack buffer overflow). To quote the
>> release announcement [0]:
>>
>> "
>> Today the project team released versions 6.0.6, 6.2.4, 6.4.5 and 7.0.4
>> of MapServer. This is primarily a security release to address
>> CVE-2017-5522. That issue involves a buffer overflow identified by
>> MapServer developers associated with specific WFS get feature requests.
>> "
>>
>> I've already updated the package in unstable, and have cherry-picked
>> the commit fixing the issue for the package in jessie (6.4.1-5+deb8u3)
>> & wheezy (6.0.1-3.2+deb7u3). See the attached debdiffs.
>>
>> The issue may be remotely exploitable with specifically crafted WFS
>> requests.
>>
>> Are these changes OK for upload to security-master?
>
> Yes, please upload, and I'll take care of the DSA.
Thanks, I've uploaded the package to security-master.
Kind Regards,
Bas
--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
Reply to: