Your message dated Wed, 01 Apr 2015 19:41:09 +0100 with message-id <1427913669.1708.47.camel@adam-barratt.org.uk> and subject line Re: Bug#781579: unblock (pre-approval): postgis/2.1.4+dfsg-3 has caused the Debian Bug report #781579, regarding unblock (pre-approval): postgis/2.1.4+dfsg-3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 781579: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781579 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock (pre-approval): postgis/2.1.4+dfsg-3
- From: Markus Wanner <markus@bluegap.ch>
- Date: Tue, 31 Mar 2015 11:14:15 +0200
- Message-id: <551A6567.4040202@bluegap.ch>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock X-Debbugs-CC: pkg-grass-devel@lists.alioth.debian.org Dear Release Team, I would like to upload postgis-2.1.4+dfsg-3 for jessie via unstable. This applies a minimally invasive upstream patch to fix a security issue. Upstream keeps the issue classified, see http://trac.osgeo.org/postgis/ticket/3094. AFAIUI a possible DoS is prevented by properly checking JSON input data. Note that the mentioned backend crash effectively means the database will terminate all pending connections, roll back transactions, shut down and go through the usual recovery procedures. Being able to trigger that process just by feeding invalid GeoJSON data (e.g. via a web service) can certainly be considered an effective DoS-Attack. The debdiff is attached. Kind Regards Markus Wannerdiff -Nru postgis-2.1.4+dfsg/debian/changelog postgis-2.1.4+dfsg/debian/changelog --- postgis-2.1.4+dfsg/debian/changelog 2014-10-16 10:37:58.000000000 +0200 +++ postgis-2.1.4+dfsg/debian/changelog 2015-03-31 08:06:43.000000000 +0200 @@ -1,3 +1,11 @@ +postgis (2.1.4+dfsg-3) unstable; urgency=high + + * Add patch geojson-fix-3094.patch, back-ported from the 2.1.7 release, + to fix a crash of the database backend process when given invalid + GeoJSON data. + + -- Markus Wanner <markus@bluegap.ch> Mon, 30 Mar 2015 19:40:22 +0200 + postgis (2.1.4+dfsg-2) unstable; urgency=medium * Add Dutch translation by Frans Spiesschaert. Closes: #765409. diff -Nru postgis-2.1.4+dfsg/debian/patches/geojson-fix-3094.patch postgis-2.1.4+dfsg/debian/patches/geojson-fix-3094.patch --- postgis-2.1.4+dfsg/debian/patches/geojson-fix-3094.patch 1970-01-01 01:00:00.000000000 +0100 +++ postgis-2.1.4+dfsg/debian/patches/geojson-fix-3094.patch 2015-03-31 08:06:43.000000000 +0200 @@ -0,0 +1,77 @@ +Description: Fix for GeoJSON ingestion + Malformed JSON data used to crash the database backend process and + especially web services use to pass on such JSON data unexamined. +Forwarded: not-needed +Bug: http://trac.osgeo.org/postgis/ticket/3094 +Origin: upstream, http://trac.osgeo.org/postgis/changeset/13400 +Author: Paul Ramsey <pramsey@cleverelephant.ca> + +--- a/liblwgeom/lwin_geojson.c ++++ b/liblwgeom/lwin_geojson.c +@@ -59,7 +59,11 @@ + + if( NULL != json_object_get_object(poTmp) ) + { +- assert( NULL != json_object_get_object(poTmp)->head ); ++ if( NULL == json_object_get_object(poTmp)->head ) ++ { ++ geojson_lwerror("invalid GeoJSON representation", 2); ++ return NULL; ++ } + + for( it.entry = json_object_get_object(poTmp)->head; + ( it.entry ? +@@ -90,7 +94,12 @@ + const int nSize = json_object_array_length( poObj ); + LWDEBUGF(3, "parse_geojson_coord called for array size %d.", nSize ); + +- ++ if ( nSize < 2 ) ++ { ++ geojson_lwerror("Too few ordinates in GeoJSON", 4); ++ return LW_FAILURE; ++ } ++ + // Read X coordinate + poObjCoord = json_object_array_get_idx( poObj, 0 ); + pt.x = json_object_get_double( poObjCoord ); +@@ -101,7 +110,7 @@ + pt.y = json_object_get_double( poObjCoord ); + LWDEBUGF(3, "parse_geojson_coord pt.y = %f.", pt.y ); + +- if( nSize == 3 ) /* should this be >= 3 ? */ ++ if( nSize < 2 ) /* should this be >= 3 ? */ + { + // Read Z coordinate + poObjCoord = json_object_array_get_idx( poObj, 2 ); +@@ -109,19 +118,27 @@ + LWDEBUGF(3, "parse_geojson_coord pt.z = %f.", pt.z ); + *hasz = LW_TRUE; + } +- else ++ else if ( nSize == 2 ) + { + *hasz = LW_FALSE; + /* Initialize Z coordinate, if required */ + if ( FLAGS_GET_Z(pa->flags) ) pt.z = 0.0; + } +- +- /* TODO: should we account for nSize > 3 ? */ ++ else ++ { ++ /* TODO: should we account for nSize > 3 ? */ ++ /* more than 3 coordinates, we're just dropping dimensions here... */ ++ } + + /* Initialize M coordinate, if required */ + if ( FLAGS_GET_M(pa->flags) ) pt.m = 0.0; + + } ++ else ++ { ++ /* If it's not an array, just don't handle it */ ++ return LW_FAILURE; ++ } + + return ptarray_append_point(pa, &pt, LW_FALSE); + } diff -Nru postgis-2.1.4+dfsg/debian/patches/series postgis-2.1.4+dfsg/debian/patches/series --- postgis-2.1.4+dfsg/debian/patches/series 2014-09-30 08:02:20.000000000 +0200 +++ postgis-2.1.4+dfsg/debian/patches/series 2015-03-31 08:06:43.000000000 +0200 @@ -9,3 +9,4 @@ correct-java-version.patch strip-invalid-whitespace-in-pom.patch fix-hurd-i386-ftbfs.patch +geojson-fix-3094.patchAttachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
- To: Markus Wanner <markus@bluegap.ch>, 781579-done@bugs.debian.org
- Subject: Re: Bug#781579: unblock (pre-approval): postgis/2.1.4+dfsg-3
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Wed, 01 Apr 2015 19:41:09 +0100
- Message-id: <1427913669.1708.47.camel@adam-barratt.org.uk>
- In-reply-to: <[🔎] 551BC155.5060801@bluegap.ch>
- References: <551A6567.4040202@bluegap.ch> <1427823337.1708.36.camel@adam-barratt.org.uk> <[🔎] 551BC155.5060801@bluegap.ch>
On Wed, 2015-04-01 at 11:58 +0200, Markus Wanner wrote: > Control: tags -1 - moreinfo > > uploaded, it hit unstable, so please > > unblock postgis/2.1.4+dfsg-3 Done. Regards, Adm
--- End Message ---