
Bug#847273: marked as done (jessie-pu: package mapserver/6.4.1-5)



Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.camel@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #847273,
regarding jessie-pu: package mapserver/6.4.1-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
847273: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847273
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

To fix CVE-2016-9839 I'd like to update mapserver in jessie via
proposed-updates, as the security team did not consider it severe enough
for a DSA, see:

 https://lists.debian.org/debian-gis/2016/12/msg00001.html

Kind Regards,

Bas
diff -Nru mapserver-6.4.1/debian/changelog mapserver-6.4.1/debian/changelog
--- mapserver-6.4.1/debian/changelog	2014-07-05 17:32:59.000000000 +0200
+++ mapserver-6.4.1/debian/changelog	2016-12-05 23:54:59.000000000 +0100
@@ -1,3 +1,9 @@
+mapserver (6.4.1-5+deb8u1) jessie-security; urgency=high
+
+  * Add upstream patch to fix CVE-2016-9839.
+
+ -- Bas Couwenberg <sebastic@debian.org>  Mon, 05 Dec 2016 22:05:30 +0100
+
 mapserver (6.4.1-5) unstable; urgency=medium
 
   * Add debug package for libmapserver. Thanks to Frederic Junod for the patch.
diff -Nru mapserver-6.4.1/debian/patches/0001-Backport-4928-and-5356.patch mapserver-6.4.1/debian/patches/0001-Backport-4928-and-5356.patch
--- mapserver-6.4.1/debian/patches/0001-Backport-4928-and-5356.patch	1970-01-01 01:00:00.000000000 +0100
+++ mapserver-6.4.1/debian/patches/0001-Backport-4928-and-5356.patch	2016-12-05 23:53:24.000000000 +0100
@@ -0,0 +1,120 @@
+From 022d24bd34196b6dca67053fb797a6980210bc54 Mon Sep 17 00:00:00 2001
+From: Thomas Bonfort <thomas.bonfort@gmail.com>
+Date: Thu, 1 Dec 2016 18:59:05 +0100
+Subject: Backport #4928 and #5356
+
+---
+ mapogr.cpp   | 52 ++++++++++++++++++++++++++++------------------------
+ mappostgis.c |  4 ++--
+ 2 files changed, 30 insertions(+), 26 deletions(-)
+
+--- a/mapogr.cpp
++++ b/mapogr.cpp
+@@ -1118,18 +1118,15 @@ msOGRFileOpen(layerObj *layer, const cha
+     RELEASE_OGR_LOCK;
+ 
+     if( hDS == NULL ) {
+-      if( strlen(CPLGetLastErrorMsg()) == 0 )
+-        msSetError(MS_OGRERR,
+-                   "Open failed for OGR connection in layer `%s'.  "
+-                   "File not found or unsupported format.",
+-                   "msOGRFileOpen()",
+-                   layer->name?layer->name:"(null)" );
+-      else
+-        msSetError(MS_OGRERR,
+-                   "Open failed for OGR connection in layer `%s'.\n%s\n",
+-                   "msOGRFileOpen()",
+-                   layer->name?layer->name:"(null)",
+-                   CPLGetLastErrorMsg() );
++      msSetError(MS_OGRERR, 
++                "Open failed for OGR connection in layer `%s'.  "
++                "Check logs.", 
++                "msOGRFileOpen()",
++                layer->name?layer->name:"(null)" );
++      if( strlen(CPLGetLastErrorMsg()) != 0 )
++          msDebug("Open failed for OGR connection in layer `%s'.\n%s\n",
++                  layer->name?layer->name:"(null)", 
++                  CPLGetLastErrorMsg() );
+       CPLFree( pszDSName );
+       CPLFree( pszLayerDef );
+       return NULL;
+@@ -1154,10 +1151,13 @@ msOGRFileOpen(layerObj *layer, const cha
+     ACQUIRE_OGR_LOCK;
+     hLayer = OGR_DS_ExecuteSQL( hDS, pszLayerDef, NULL, NULL );
+     if( hLayer == NULL ) {
+-      msSetError(MS_OGRERR,
+-                 "ExecuteSQL(%s) failed.\n%s",
+-                 "msOGRFileOpen()",
+-                 pszLayerDef, CPLGetLastErrorMsg() );
++      msSetError(MS_OGRERR, 
++              "ExecuteSQL(%s) failed. Check logs",
++              "msOGRFileOpen()", 
++              pszLayerDef);
++      msDebug(
++              "ExecuteSQL(%s) failed.\n%s",
++              pszLayerDef, CPLGetLastErrorMsg() );
+       RELEASE_OGR_LOCK;
+       msConnPoolRelease( layer, hDS );
+       CPLFree( pszLayerDef );
+@@ -1189,9 +1189,11 @@ msOGRFileOpen(layerObj *layer, const cha
+   }
+ 
+   if (hLayer == NULL) {
+-    msSetError(MS_OGRERR, "GetLayer(%s) failed for OGR connection `%s'.",
+-               "msOGRFileOpen()",
+-               pszLayerDef, connection );
++    msSetError(MS_OGRERR, "GetLayer(%s) failed for OGR connection. Check logs.",
++                "msOGRFileOpen()", 
++                pszLayerDef);
++    msDebug("GetLayer(%s) failed for OGR connection `%s'.",
++                pszLayerDef, connection );
+     CPLFree( pszLayerDef );
+     msConnPoolRelease( layer, hDS );
+     return NULL;
+@@ -1356,10 +1358,12 @@ static int msOGRFileWhichShapes(layerObj
+     if( OGR_L_SetAttributeFilter( psInfo->hLayer, layer->filter.string+6 )
+         != OGRERR_NONE ) {
+       msSetError(MS_OGRERR,
+-                 "SetAttributeFilter(%s) failed on layer %s.\n%s",
++                 "SetAttributeFilter(%s) failed on layer %s.", 
+                  "msOGRFileWhichShapes()",
+-                 layer->filter.string+6, layer->name?layer->name:"(null)",
+-                 CPLGetLastErrorMsg() );
++                 layer->filter.string+6, layer->name?layer->name:"(null)");
++      msDebug("SetAttributeFilter(%s) failed on layer %s.\n%s", 
++              layer->filter.string+6, layer->name?layer->name:"(null)", 
++              CPLGetLastErrorMsg() );
+       RELEASE_OGR_LOCK;
+       return MS_FAILURE;
+     }
+@@ -1562,8 +1566,8 @@ msOGRFileNextShape(layerObj *layer, shap
+     if( (hFeature = OGR_L_GetNextFeature( psInfo->hLayer )) == NULL ) {
+       psInfo->last_record_index_read = -1;
+       if( CPLGetLastErrorType() == CE_Failure ) {
+-        msSetError(MS_OGRERR, "%s", "msOGRFileNextShape()",
+-                   CPLGetLastErrorMsg() );
++        msSetError(MS_OGRERR, "OGR error. check logs", "msOGRFileNextShape()");
++        msDebug("msOGRFileNextShape() error: %s", CPLGetLastErrorMsg() );
+         RELEASE_OGR_LOCK;
+         return MS_FAILURE;
+       } else {
+--- a/mappostgis.c
++++ b/mappostgis.c
+@@ -2305,7 +2305,8 @@ int msPostGISLayerOpen(layerObj *layer)
+         }
+       }
+ 
+-      msSetError(MS_QUERYERR, "Database connection failed (%s) with connect string '%s'\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?", "msPostGISLayerOpen()", PQerrorMessage(layerinfo->pgconn), maskeddata);
++      msDebug("Database connection failed (%s) with connect string '%s'\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?.\n", PQerrorMessage(layerinfo->pgconn), maskeddata);
++      msSetError(MS_QUERYERR, "Database connection failed.\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?", "msPostGISLayerOpen()");
+ 
+       free(maskeddata);
+       free(layerinfo);
+@@ -2327,7 +2328,6 @@ int msPostGISLayerOpen(layerObj *layer)
+         msSetError(MS_QUERYERR, "PostgreSQL database connection gone bad (%s)", "msPostGISLayerOpen()", PQerrorMessage(layerinfo->pgconn));
+         return MS_FAILURE;
+       }
+-
+     }
+   }
+ 
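Review bot: The context line in the last mappostgis.c hunk, `msSetError(MS_QUERYERR, "PostgreSQL database connection gone bad (%s)", ...)`, still puts `PQerrorMessage(layerinfo->pgconn)` into the error text, while the hunk just above it moves the same libpq message to `msDebug` for the connection-failure path. If msSetError text can reach the requesting client, as the rest of this backport assumes, that path should get the same split: `msDebug("PostgreSQL database connection gone bad (%s)\n", PQerrorMessage(layerinfo->pgconn));` followed by `msSetError(MS_QUERYERR, "PostgreSQL database connection gone bad. Check logs.", "msPostGISLayerOpen()");`. In mapogr.cpp the client-facing messages still carry `pszLayerDef` and `layer->filter.string+6`, and the new GetLayer `msDebug` logs `connection` unmasked, unlike the `maskeddata` used on the PostGIS side; an OGR connection string may hold credentials, so masking it before logging is worth considering. Both msOGRFileOpen and msPostGISLayerOpen continue outside the visible hunks, so other error paths in them are not covered by this review.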
diff -Nru mapserver-6.4.1/debian/patches/series mapserver-6.4.1/debian/patches/series
--- mapserver-6.4.1/debian/patches/series	2014-07-05 17:32:59.000000000 +0200
+++ mapserver-6.4.1/debian/patches/series	2016-12-05 23:54:14.000000000 +0100
@@ -5,3 +5,4 @@
 cmake-mapserver-export.patch
 java-hardening.patch
 php56.patch
+0001-Backport-4928-and-5356.patch

--- End Message ---
--- Begin Message ---
Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7
point release.

Regards,

Adam

--- End Message ---
