
Fixing CVE-2016-9839 for mapserver in wheezy



Dear LTS Team,

Yesterday the MapServer team released version 7.0.3, which fixes
CVE-2016-9839. To quote the release announcement [0]:

"
 That issue involves OGR error messages being too verbose in some
 instances and potentially disclosing sensitive information if the
 underlying connection fails. In addition we have backported a somewhat
 similar fix to the 6.x series for PostGIS layers.
"

I've already updated the package in unstable, and have cherry-picked the
commit fixing the issue for OGR & PostGIS layers for the package in
jessie (6.4.1-5+deb8u1) & wheezy (6.0.1-3.2+deb7u3). See the attached
debdiffs.

The "sensitive information" are the credentials for the database
configured in the mapfile which are reported in the error message. If
the database is accessible over the network unauthorized users may gain
access using the credentials from the error message. An example is
provided in the upstream issue [1] for the PostGIS layer, and
similarly affects the OGR layer [2][3].

I don't think the issue is remotely exploitable, unless some way to
force the database connection failure to occur is found. As long as the
database is only accessible on the localhost, the impact of the issue is
limited.

Are these changes OK for wheezy-lts? The security team did not consider
it severe enough for a DSA, see:

 https://lists.debian.org/debian-gis/2016/12/msg00001.html

[0] https://lists.osgeo.org/pipermail/mapserver-dev/2016-December/014979.html
[1] https://github.com/mapserver/mapserver/pull/4928
[2] https://github.com/mapserver/mapserver/pull/5356
[3] http://gis.stackexchange.com/questions/219426/mapserver-hide-ogr-exception

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1

diff -Nru mapserver-6.0.1/debian/changelog mapserver-6.0.1/debian/changelog
--- mapserver-6.0.1/debian/changelog	2014-01-10 04:15:18.000000000 +0100
+++ mapserver-6.0.1/debian/changelog	2016-12-05 23:15:27.000000000 +0100
@@ -1,3 +1,9 @@
+mapserver (6.0.1-3.2+deb7u3) wheezy-security; urgency=high
+
+  * Add upstream patch to fix CVE-2016-9839.
+
+ -- Bas Couwenberg <sebastic@debian.org>  Mon, 05 Dec 2016 22:19:20 +0100
+
 mapserver (6.0.1-3.2+deb7u2) stable-proposed-updates; urgency=low
 
   * Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the
diff -Nru mapserver-6.0.1/debian/patches/0001-Backport-4928-and-5356.patch mapserver-6.0.1/debian/patches/0001-Backport-4928-and-5356.patch
--- mapserver-6.0.1/debian/patches/0001-Backport-4928-and-5356.patch	1970-01-01 01:00:00.000000000 +0100
+++ mapserver-6.0.1/debian/patches/0001-Backport-4928-and-5356.patch	2016-12-05 23:15:27.000000000 +0100
@@ -0,0 +1,97 @@
+From 889971607c1d01ff95bc45d1ba44bd92ba5aafb2 Mon Sep 17 00:00:00 2001
+From: Thomas Bonfort <thomas.bonfort@gmail.com>
+Date: Thu, 1 Dec 2016 18:59:05 +0100
+Subject: Backport #4928 and #5356
+
+---
+ mapogr.cpp   | 34 ++++++++++++++++++++--------------
+ mappostgis.c |  3 ++-
+ 2 files changed, 22 insertions(+), 15 deletions(-)
+
+--- a/mapogr.cpp
++++ b/mapogr.cpp
+@@ -1408,16 +1408,14 @@ msOGRFileOpen(layerObj *layer, const cha
+       
+       if( hDS == NULL )
+       {
+-          if( strlen(CPLGetLastErrorMsg()) == 0 )
+-              msSetError(MS_OGRERR, 
+-                         "Open failed for OGR connection in layer `%s'.  "
+-                         "File not found or unsupported format.", 
+-                         "msOGRFileOpen()",
+-                         layer->name?layer->name:"(null)" );
+-          else
+-              msSetError(MS_OGRERR, 
++          msSetError(MS_OGRERR, 
++                    "Open failed for OGR connection in layer `%s'.  "
++                    "Check logs.", 
++                    "msOGRFileOpen()",
++                    layer->name?layer->name:"(null)" );
++          if( strlen(CPLGetLastErrorMsg()) != 0 )
++              msDebug(
+                          "Open failed for OGR connection in layer `%s'.\n%s\n",
+-                         "msOGRFileOpen()", 
+                          layer->name?layer->name:"(null)", 
+                          CPLGetLastErrorMsg() );
+           CPLFree( pszDSName );
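Review bot: the new `if( strlen(CPLGetLastErrorMsg()) != 0 )` guard drops the "File not found or unsupported format." hint entirely: when OGR reports no error, the client now only sees "Check logs." and nothing is written to the debug log either, so the operator has nothing to look at; suggest an `else` branch that calls msDebug with that hint. Minor: `msSetError(MS_OGRERR, ` and `"Check logs.", ` carry trailing whitespace.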
+@@ -1467,8 +1465,11 @@ msOGRFileOpen(layerObj *layer, const cha
+       if( hLayer == NULL )
+       {
+           msSetError(MS_OGRERR, 
+-                     "ExecuteSQL(%s) failed.\n%s",
++                     "ExecuteSQL(%s) failed. Check logs",
+                      "msOGRFileOpen()", 
++                     pszLayerDef);
++          msDebug(
++                     "ExecuteSQL(%s) failed.\n%s",
+                      pszLayerDef, CPLGetLastErrorMsg() );
+           RELEASE_OGR_LOCK;
+           msConnPoolRelease( layer, hDS );
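Review bot: `"ExecuteSQL(%s) failed. Check logs"` is the only new user-facing message without a terminating period, and the companion debug format `"ExecuteSQL(%s) failed.\n%s"` has no trailing `\n` while the msDebug in the previous hunk ends with one, so consecutive log entries will run together; suggest `"ExecuteSQL(%s) failed. Check logs."` for the error and a trailing `\n` on the debug format.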
+@@ -1481,8 +1482,10 @@ msOGRFileOpen(layerObj *layer, const cha
+ 
+   if (hLayer == NULL)
+   {
+-      msSetError(MS_OGRERR, "GetLayer(%s) failed for OGR connection `%s'.",
++      msSetError(MS_OGRERR, "GetLayer(%s) failed for OGR connection. Check logs.",
+                  "msOGRFileOpen()", 
++                 pszLayerDef);
++      msDebug("GetLayer(%s) failed for OGR connection `%s'.",
+                  pszLayerDef, connection );
+       CPLFree( pszLayerDef );
+       msConnPoolRelease( layer, hDS );
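Review bot: moving `connection` from msSetError into `msDebug("GetLayer(%s) failed for OGR connection `%s'.", ...)` keeps the OGR connection string (which is where the mapfile credentials live) out of the client response, but it now lands verbatim in the debug log, so the changelog or README.Debian should remind administrators that the debug output must not be world-readable or served to clients.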
+@@ -1635,8 +1638,11 @@ static int msOGRFileWhichShapes(layerObj
+           != OGRERR_NONE )
+       {
+           msSetError(MS_OGRERR,
+-                     "SetAttributeFilter(%s) failed on layer %s.\n%s", 
++                     "SetAttributeFilter(%s) failed on layer %s.", 
+                      "msOGRFileWhichShapes()",
++                     layer->filter.string+6, layer->name?layer->name:"(null)");
++          msDebug(
++                     "SetAttributeFilter(%s) failed on layer %s.\n%s", 
+                      layer->filter.string+6, layer->name?layer->name:"(null)", 
+                      CPLGetLastErrorMsg() );
+           RELEASE_OGR_LOCK;
+@@ -1852,8 +1858,8 @@ msOGRFileNextShape(layerObj *layer, shap
+           psInfo->last_record_index_read = -1;
+           if( CPLGetLastErrorType() == CE_Failure )
+           {
+-              msSetError(MS_OGRERR, "%s", "msOGRFileNextShape()",
+-                         CPLGetLastErrorMsg() );
++              msSetError(MS_OGRERR, "error. check logs", "msOGRFileNextShape()");
++              msDebug("%s", CPLGetLastErrorMsg() );
+               RELEASE_OGR_LOCK;
+               return MS_FAILURE;
+           }
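Review bot: this hunk diverges from the jessie backport of the same code: here the client message is `"error. check logs"` and the debug line is a bare `msDebug("%s", CPLGetLastErrorMsg() );` with no function name, so the logged OGR message cannot be attributed to msOGRFileNextShape(); suggest using the same strings as the 6.4.1 patch (`"OGR error. check logs"` and `"msOGRFileNextShape() error: %s"`) in both debdiffs.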
+--- a/mappostgis.c
++++ b/mappostgis.c
+@@ -2237,7 +2237,8 @@ int msPostGISLayerOpen(layerObj *layer)
+                 }
+             }
+ 
+-            msSetError(MS_QUERYERR, "Database connection failed (%s) with connect string '%s'\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?", "msPostGISLayerOpen()", PQerrorMessage(layerinfo->pgconn), maskeddata);
++            msDebug("Database connection failed (%s) with connect string '%s'\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?.\n", PQerrorMessage(layerinfo->pgconn), maskeddata);
++            msSetError(MS_QUERYERR, "Database connection failed.\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?", "msPostGISLayerOpen()");
+ 
+             free(maskeddata);
+             free(layerinfo);
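Review bot: the msDebug format string ends in `port?.\n`, a stray period after the question mark; drop the `.` so the logged text matches the client-facing message on the next line.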
diff -Nru mapserver-6.0.1/debian/patches/series mapserver-6.0.1/debian/patches/series
--- mapserver-6.0.1/debian/patches/series	2014-01-10 03:45:47.000000000 +0100
+++ mapserver-6.0.1/debian/patches/series	2016-12-05 23:15:27.000000000 +0100
@@ -3,3 +3,4 @@
 multiarch-libgd
 contenttype
 cve-2013-7262
+0001-Backport-4928-and-5356.patch
diff -Nru mapserver-6.4.1/debian/changelog mapserver-6.4.1/debian/changelog
--- mapserver-6.4.1/debian/changelog	2014-07-05 17:32:59.000000000 +0200
+++ mapserver-6.4.1/debian/changelog	2016-12-05 23:54:59.000000000 +0100
@@ -1,3 +1,9 @@
+mapserver (6.4.1-5+deb8u1) jessie-security; urgency=high
+
+  * Add upstream patch to fix CVE-2016-9839.
+
+ -- Bas Couwenberg <sebastic@debian.org>  Mon, 05 Dec 2016 22:05:30 +0100
+
 mapserver (6.4.1-5) unstable; urgency=medium
 
   * Add debug package for libmapserver. Thanks to Frederic Junod for the patch.
diff -Nru mapserver-6.4.1/debian/patches/0001-Backport-4928-and-5356.patch mapserver-6.4.1/debian/patches/0001-Backport-4928-and-5356.patch
--- mapserver-6.4.1/debian/patches/0001-Backport-4928-and-5356.patch	1970-01-01 01:00:00.000000000 +0100
+++ mapserver-6.4.1/debian/patches/0001-Backport-4928-and-5356.patch	2016-12-05 23:53:24.000000000 +0100
@@ -0,0 +1,120 @@
+From 022d24bd34196b6dca67053fb797a6980210bc54 Mon Sep 17 00:00:00 2001
+From: Thomas Bonfort <thomas.bonfort@gmail.com>
+Date: Thu, 1 Dec 2016 18:59:05 +0100
+Subject: Backport #4928 and #5356
+
+---
+ mapogr.cpp   | 52 ++++++++++++++++++++++++++++------------------------
+ mappostgis.c |  4 ++--
+ 2 files changed, 30 insertions(+), 26 deletions(-)
+
+--- a/mapogr.cpp
++++ b/mapogr.cpp
+@@ -1118,18 +1118,15 @@ msOGRFileOpen(layerObj *layer, const cha
+     RELEASE_OGR_LOCK;
+ 
+     if( hDS == NULL ) {
+-      if( strlen(CPLGetLastErrorMsg()) == 0 )
+-        msSetError(MS_OGRERR,
+-                   "Open failed for OGR connection in layer `%s'.  "
+-                   "File not found or unsupported format.",
+-                   "msOGRFileOpen()",
+-                   layer->name?layer->name:"(null)" );
+-      else
+-        msSetError(MS_OGRERR,
+-                   "Open failed for OGR connection in layer `%s'.\n%s\n",
+-                   "msOGRFileOpen()",
+-                   layer->name?layer->name:"(null)",
+-                   CPLGetLastErrorMsg() );
++      msSetError(MS_OGRERR, 
++                "Open failed for OGR connection in layer `%s'.  "
++                "Check logs.", 
++                "msOGRFileOpen()",
++                layer->name?layer->name:"(null)" );
++      if( strlen(CPLGetLastErrorMsg()) != 0 )
++          msDebug("Open failed for OGR connection in layer `%s'.\n%s\n",
++                  layer->name?layer->name:"(null)", 
++                  CPLGetLastErrorMsg() );
+       CPLFree( pszDSName );
+       CPLFree( pszLayerDef );
+       return NULL;
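Review bot: same gap as in the 6.0.1 hunk: with the `strlen(CPLGetLastErrorMsg()) != 0` guard, an open failure where OGR sets no error message produces neither the old "File not found or unsupported format." hint nor a debug log entry; add an `else` branch that logs the hint. Style: `msSetError(MS_OGRERR, `, `"Check logs.", ` and `layer->name?layer->name:"(null)", ` have trailing whitespace, and the continuation lines are indented in the 6.0.1 style rather than aligned with the surrounding 6.4.1 code.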
+@@ -1154,10 +1151,13 @@ msOGRFileOpen(layerObj *layer, const cha
+     ACQUIRE_OGR_LOCK;
+     hLayer = OGR_DS_ExecuteSQL( hDS, pszLayerDef, NULL, NULL );
+     if( hLayer == NULL ) {
+-      msSetError(MS_OGRERR,
+-                 "ExecuteSQL(%s) failed.\n%s",
+-                 "msOGRFileOpen()",
+-                 pszLayerDef, CPLGetLastErrorMsg() );
++      msSetError(MS_OGRERR, 
++              "ExecuteSQL(%s) failed. Check logs",
++              "msOGRFileOpen()", 
++              pszLayerDef);
++      msDebug(
++              "ExecuteSQL(%s) failed.\n%s",
++              pszLayerDef, CPLGetLastErrorMsg() );
+       RELEASE_OGR_LOCK;
+       msConnPoolRelease( layer, hDS );
+       CPLFree( pszLayerDef );
+@@ -1189,9 +1189,11 @@ msOGRFileOpen(layerObj *layer, const cha
+   }
+ 
+   if (hLayer == NULL) {
+-    msSetError(MS_OGRERR, "GetLayer(%s) failed for OGR connection `%s'.",
+-               "msOGRFileOpen()",
+-               pszLayerDef, connection );
++    msSetError(MS_OGRERR, "GetLayer(%s) failed for OGR connection. Check logs.",
++                "msOGRFileOpen()", 
++                pszLayerDef);
++    msDebug("GetLayer(%s) failed for OGR connection `%s'.",
++                pszLayerDef, connection );
+     CPLFree( pszLayerDef );
+     msConnPoolRelease( layer, hDS );
+     return NULL;
+@@ -1356,10 +1358,12 @@ static int msOGRFileWhichShapes(layerObj
+     if( OGR_L_SetAttributeFilter( psInfo->hLayer, layer->filter.string+6 )
+         != OGRERR_NONE ) {
+       msSetError(MS_OGRERR,
+-                 "SetAttributeFilter(%s) failed on layer %s.\n%s",
++                 "SetAttributeFilter(%s) failed on layer %s.", 
+                  "msOGRFileWhichShapes()",
+-                 layer->filter.string+6, layer->name?layer->name:"(null)",
+-                 CPLGetLastErrorMsg() );
++                 layer->filter.string+6, layer->name?layer->name:"(null)");
++      msDebug("SetAttributeFilter(%s) failed on layer %s.\n%s", 
++              layer->filter.string+6, layer->name?layer->name:"(null)", 
++              CPLGetLastErrorMsg() );
+       RELEASE_OGR_LOCK;
+       return MS_FAILURE;
+     }
+@@ -1562,8 +1566,8 @@ msOGRFileNextShape(layerObj *layer, shap
+     if( (hFeature = OGR_L_GetNextFeature( psInfo->hLayer )) == NULL ) {
+       psInfo->last_record_index_read = -1;
+       if( CPLGetLastErrorType() == CE_Failure ) {
+-        msSetError(MS_OGRERR, "%s", "msOGRFileNextShape()",
+-                   CPLGetLastErrorMsg() );
++        msSetError(MS_OGRERR, "OGR error. check logs", "msOGRFileNextShape()");
++        msDebug("msOGRFileNextShape() error: %s", CPLGetLastErrorMsg() );
+         RELEASE_OGR_LOCK;
+         return MS_FAILURE;
+       } else {
+--- a/mappostgis.c
++++ b/mappostgis.c
+@@ -2305,7 +2305,8 @@ int msPostGISLayerOpen(layerObj *layer)
+         }
+       }
+ 
+-      msSetError(MS_QUERYERR, "Database connection failed (%s) with connect string '%s'\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?", "msPostGISLayerOpen()", PQerrorMessage(layerinfo->pgconn), maskeddata);
++      msDebug("Database connection failed (%s) with connect string '%s'\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?.\n", PQerrorMessage(layerinfo->pgconn), maskeddata);
++      msSetError(MS_QUERYERR, "Database connection failed.\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?", "msPostGISLayerOpen()");
+ 
+       free(maskeddata);
+       free(layerinfo);
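Review bot: the same stray `?.` as in the 6.0.1 patch appears in the msDebug format string here; drop the `.`.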
+@@ -2327,7 +2328,6 @@ int msPostGISLayerOpen(layerObj *layer)
+         msSetError(MS_QUERYERR, "PostgreSQL database connection gone bad (%s)", "msPostGISLayerOpen()", PQerrorMessage(layerinfo->pgconn));
+         return MS_FAILURE;
+       }
+-
+     }
+   }
+ 
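Review bot: this hunk only deletes a blank line and has nothing to do with CVE-2016-9839; drop it from the backport so the security update stays minimal and the patch is easier to review against the upstream commit.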
diff -Nru mapserver-6.4.1/debian/patches/series mapserver-6.4.1/debian/patches/series
--- mapserver-6.4.1/debian/patches/series	2014-07-05 17:32:59.000000000 +0200
+++ mapserver-6.4.1/debian/patches/series	2016-12-05 23:54:14.000000000 +0100
@@ -5,3 +5,4 @@
 cmake-mapserver-export.patch
 java-hardening.patch
 php56.patch
+0001-Backport-4928-and-5356.patch
