
Bug#781579: marked as done (unblock (pre-approval): postgis/2.1.4+dfsg-3)



Your message dated Wed, 01 Apr 2015 19:41:09 +0100
with message-id <1427913669.1708.47.camel@adam-barratt.org.uk>
and subject line Re: Bug#781579: unblock (pre-approval): postgis/2.1.4+dfsg-3
has caused the Debian Bug report #781579,
regarding unblock (pre-approval): postgis/2.1.4+dfsg-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
781579: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781579
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-CC: pkg-grass-devel@lists.alioth.debian.org

Dear Release Team,

I would like to upload postgis-2.1.4+dfsg-3 for jessie via unstable.
This applies a minimally invasive upstream patch to fix a security issue.

Upstream keeps the issue classified, see
http://trac.osgeo.org/postgis/ticket/3094. AFAIUI a possible DoS is
prevented by properly checking JSON input data. Note that the mentioned
backend crash effectively means the database will terminate all pending
connections, roll back transactions, shut down and go through the usual
recovery procedures. Being able to trigger that process just by feeding
invalid GeoJSON data (e.g. via a web service) can certainly be
considered an effective DoS-Attack.

The debdiff is attached.

Kind Regards

Markus Wanner
diff -Nru postgis-2.1.4+dfsg/debian/changelog postgis-2.1.4+dfsg/debian/changelog
--- postgis-2.1.4+dfsg/debian/changelog	2014-10-16 10:37:58.000000000 +0200
+++ postgis-2.1.4+dfsg/debian/changelog	2015-03-31 08:06:43.000000000 +0200
@@ -1,3 +1,11 @@
+postgis (2.1.4+dfsg-3) unstable; urgency=high
+
+  * Add patch geojson-fix-3094.patch, back-ported from the 2.1.7 release,
+    to fix a crash of the database backend process when given invalid
+    GeoJSON data.
+
+ -- Markus Wanner <markus@bluegap.ch>  Mon, 30 Mar 2015 19:40:22 +0200
+
 postgis (2.1.4+dfsg-2) unstable; urgency=medium
 
   * Add Dutch translation by Frans Spiesschaert. Closes: #765409.
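Review bot: The new changelog entry raises urgency to high but does not say that the change is a security fix or name the upstream ticket. Adding a reference to http://trac.osgeo.org/postgis/ticket/3094 (already present in the patch header) to the geojson-fix-3094.patch item would let someone reading only the changelog see why the upload is urgent.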
diff -Nru postgis-2.1.4+dfsg/debian/patches/geojson-fix-3094.patch postgis-2.1.4+dfsg/debian/patches/geojson-fix-3094.patch
--- postgis-2.1.4+dfsg/debian/patches/geojson-fix-3094.patch	1970-01-01 01:00:00.000000000 +0100
+++ postgis-2.1.4+dfsg/debian/patches/geojson-fix-3094.patch	2015-03-31 08:06:43.000000000 +0200
@@ -0,0 +1,77 @@
+Description: Fix for GeoJSON ingestion
+ Malformed JSON data used to crash the database backend process and
+ especially web services use to pass on such JSON data unexamined.
+Forwarded: not-needed
+Bug: http://trac.osgeo.org/postgis/ticket/3094
+Origin: upstream, http://trac.osgeo.org/postgis/changeset/13400
+Author: Paul Ramsey <pramsey@cleverelephant.ca>
+
+--- a/liblwgeom/lwin_geojson.c
++++ b/liblwgeom/lwin_geojson.c
+@@ -59,7 +59,11 @@
+ 
+ 	if( NULL != json_object_get_object(poTmp) )
+ 	{
+-		assert( NULL != json_object_get_object(poTmp)->head );
++		if( NULL == json_object_get_object(poTmp)->head )
++		{
++			geojson_lwerror("invalid GeoJSON representation", 2);
++			return NULL;
++		}
+ 
+ 		for( it.entry = json_object_get_object(poTmp)->head;
+ 		        ( it.entry ?
+@@ -90,7 +94,12 @@
+ 		const int nSize = json_object_array_length( poObj );
+ 		LWDEBUGF(3, "parse_geojson_coord called for array size %d.", nSize );
+ 
+-
++		if ( nSize < 2 )
++		{
++			geojson_lwerror("Too few ordinates in GeoJSON", 4);
++			return LW_FAILURE;
++		}
++		
+ 		// Read X coordinate
+ 		poObjCoord = json_object_array_get_idx( poObj, 0 );
+ 		pt.x = json_object_get_double( poObjCoord );
+@@ -101,7 +110,7 @@
+ 		pt.y = json_object_get_double( poObjCoord );
+ 		LWDEBUGF(3, "parse_geojson_coord pt.y = %f.", pt.y );
+ 
+-		if( nSize == 3 ) /* should this be >= 3 ? */
++		if( nSize < 2 ) /* should this be >= 3 ? */
+ 		{
+ 			// Read Z coordinate
+ 			poObjCoord = json_object_array_get_idx( poObj, 2 );
+@@ -109,19 +118,27 @@
+ 			LWDEBUGF(3, "parse_geojson_coord pt.z = %f.", pt.z );
+ 			*hasz = LW_TRUE;
+ 		}
+-		else
++		else if ( nSize == 2 )
+ 		{
+ 			*hasz = LW_FALSE;
+ 			/* Initialize Z coordinate, if required */
+ 			if ( FLAGS_GET_Z(pa->flags) ) pt.z = 0.0;
+ 		}
+-
+-		/* TODO: should we account for nSize > 3 ? */
++		else 
++		{
++			/* TODO: should we account for nSize > 3 ? */
++			/* more than 3 coordinates, we're just dropping dimensions here... */
++		}
+ 
+ 		/* Initialize M coordinate, if required */
+ 		if ( FLAGS_GET_M(pa->flags) ) pt.m = 0.0;
+ 
+ 	}
++	else
++	{
++		/* If it's not an array, just don't handle it */
++		return LW_FAILURE;
++	}
+ 
+ 	return ptarray_append_point(pa, &pt, LW_FALSE);
+ }
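Review bot: In the coordinate parser the Z test is changed to `if( nSize < 2 )`, which can never be true, because the check added just above already returns LW_FAILURE when nSize < 2; the Z read is therefore dead code. A 3-element coordinate now falls into the new empty `else` branch, where `*hasz` is not assigned and `pt.z` is not set in that branch before `ptarray_append_point(pa, &pt, LW_FALSE)` is called. The existing inline comment already asks whether the test should be `>= 3`; writing `if( nSize >= 3 )` and dropping the empty branch would keep Z for 3D input and still tolerate extra ordinates. The fix for the crash itself (replacing the `assert` with an error return, rejecting arrays with fewer than two ordinates, and returning LW_FAILURE for non-array input) looks right. In the patch header, "web services use to pass on" reads as a typo for "tend to pass on".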
diff -Nru postgis-2.1.4+dfsg/debian/patches/series postgis-2.1.4+dfsg/debian/patches/series
--- postgis-2.1.4+dfsg/debian/patches/series	2014-09-30 08:02:20.000000000 +0200
+++ postgis-2.1.4+dfsg/debian/patches/series	2015-03-31 08:06:43.000000000 +0200
@@ -9,3 +9,4 @@
 correct-java-version.patch
 strip-invalid-whitespace-in-pom.patch
 fix-hurd-i386-ftbfs.patch
+geojson-fix-3094.patch

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
--- Begin Message ---
On Wed, 2015-04-01 at 11:58 +0200, Markus Wanner wrote:
> Control: tags -1 - moreinfo
> 
> uploaded, it hit unstable, so please
> 
> unblock postgis/2.1.4+dfsg-3

Done.

Regards,

Adm

--- End Message ---
