Bug#734829: pu: package mapserver/6.0.1-3.2+deb7u2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
Dear Release Team,

The MapServer project has released stable updates for every major
release from 5.6.x up fixing a security issue which allows a potential
leakage of information through an SQL injection when using TIME filtering in
conjunction with PostGIS backends. More information can be found in the
dedicated upstream issue: #4834

https://github.com/mapserver/mapserver/issues/4834

I've included the patch for this minor vulnerability from MapServer 6.0.4 in
the new mapserver 6.0.1-3.2+deb7u2.

Is this acceptable for upload to wheezy-proposed-updates?

Kind Regards,

Bas

diff -Nru mapserver-6.0.1/debian/changelog mapserver-6.0.1/debian/changelog
--- mapserver-6.0.1/debian/changelog 2013-09-25 21:15:43.000000000 +0200
+++ mapserver-6.0.1/debian/changelog 2014-01-10 04:15:18.000000000 +0100
@@ -1,3 +1,11 @@
+mapserver (6.0.1-3.2+deb7u2) stable-proposed-updates; urgency=low
+
+ * Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the
+ msPostGISLayerSetTimeFilter function in mappostgis.c.
+ (closes: #734565)
+
+ -- Bas Couwenberg <sebastic@xs4all.nl> Fri, 10 Jan 2014 03:45:58 +0100
+
mapserver (6.0.1-3.2+deb7u1) stable-proposed-updates; urgency=low
[ Francesco Paolo Lovergine ]
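
Review bot: The new changelog entry says only "Add patch to fix CVE-2013-7262" and names neither the patch file nor the upstream commit it comes from; mentioning debian/patches/cve-2013-7262 in the entry would let a reader go from the changelog straight to the change. The entry also targets stable-proposed-updates while the request asks about wheezy-proposed-updates. That matches the previous 6.0.1-3.2+deb7u1 entry, but it is worth confirming this is the distribution name the release team expects.
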
diff -Nru mapserver-6.0.1/debian/patches/cve-2013-7262 mapserver-6.0.1/debian/patches/cve-2013-7262
--- mapserver-6.0.1/debian/patches/cve-2013-7262 1970-01-01 01:00:00.000000000 +0100
+++ mapserver-6.0.1/debian/patches/cve-2013-7262 2014-01-10 03:45:47.000000000 +0100
@@ -0,0 +1,20 @@
+Description: Fix potential SQL Injection with postgis TIME filters.
+Origin: https://github.com/mapserver/mapserver/commit/3f0ee57b12d482e0ff5611d05afd32408949f7f9
+Author: Even Rouault <even.rouault@mines-paris.org>
+Bug: https://github.com/mapserver/mapserver/issues/4834
+Bug-Debian: http://bugs.debian.org/734565
+Last-Update: 2013-01-08
+--- a/mappostgis.c
++++ b/mappostgis.c
+@@ -2961,6 +2961,11 @@ int msPostGISLayerSetTimeFilter(layerObj
+ if (!lp || !timestring || !timefield)
+ return MS_FALSE;
+
++ if( strchr(timestring,'\'') || strchr(timestring, '\\') ) {
++ msSetError(MS_MISCERR, "Invalid time filter.", "msPostGISLayerSetTimeFilter()");
++ return MS_FALSE;
++ }
++
+ if (strstr(timestring, ",") == NULL &&
+ strstr(timestring, "/") == NULL) /* discrete time */
+ tmpstimestring = msStrdup(timestring);
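
Review bot: The added strchr() check in msPostGISLayerSetTimeFilter() is a two-character denylist (single quote and backslash) applied to timestring only, so it holds only if every later use of timestring in the function sits inside a single-quoted SQL literal, which this hunk does not show. A short comment above the check stating that assumption would help the next reader, and an allowlist of the characters a time value can legitimately contain (digits plus the date, list and range separators, including the "," and "/" tested just below) would be stricter than rejecting two characters. timefield passes the same NULL check but gets no validation here, so please confirm it cannot be influenced by the request. Separately, the Last-Update: 2013-01-08 header looks a year off next to the 2014-01-10 timestamp on the patch file.
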
diff -Nru mapserver-6.0.1/debian/patches/series mapserver-6.0.1/debian/patches/series
--- mapserver-6.0.1/debian/patches/series 2013-09-25 21:13:43.000000000 +0200
+++ mapserver-6.0.1/debian/patches/series 2014-01-10 03:45:47.000000000 +0100
@@ -2,3 +2,4 @@
php54
multiarch-libgd
contenttype
+cve-2013-7262