Your message dated Tue, 27 Jul 2021 16:31:27 +0200 with message-id <d99d4cb8-cde6-1f20-502d-888e483aba67@debian.org> and subject line Re: Bug#988224: unblock: mapserver/7.6.2-2 (pre-approval) has caused the Debian Bug report #988224, regarding unblock: mapserver/7.6.2-2 (pre-approval) to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 988224: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988224 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: mapserver/7.6.2-2 (pre-approval)
- From: Bas Couwenberg <sebastic@xs4all.nl>
- Date: Sat, 08 May 2021 07:29:01 +0200
- Message-id: <162045174136.346650.10657365912070241495.reportbug@osiris.linuxminded.xs4all.nl>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package mapserver to fix CVE-2021-32062 as reported in #988208. [ Reason ] Fix security issue. [ Impact ] Unfixed security issue. [ Tests ] Upstream CI. [ Risks ] Low, leaf package. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing [ Other info ] 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is required as a dependency of 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch. unblock mapserver/7.6.2-2diff -Nru mapserver-7.6.2/debian/changelog mapserver-7.6.2/debian/changelog --- mapserver-7.6.2/debian/changelog 2020-12-09 06:01:02.000000000 +0100 +++ mapserver-7.6.2/debian/changelog 2021-05-08 07:12:18.000000000 +0200 @@ -1,3 +1,12 @@ +mapserver (7.6.2-2) unstable; urgency=high + + * Drop unused lintian overrides. + * Add upstream patches to fix CVE-2021-32062. + (closes: #988208) + * Update symbols file. + + -- Bas Couwenberg <sebastic@debian.org> Sat, 08 May 2021 07:12:18 +0200 + mapserver (7.6.2-1) unstable; urgency=medium * Update symbols for other architectures. diff -Nru mapserver-7.6.2/debian/libmapserver2.lintian-overrides mapserver-7.6.2/debian/libmapserver2.lintian-overrides --- mapserver-7.6.2/debian/libmapserver2.lintian-overrides 2020-08-06 05:34:57.000000000 +0200 +++ mapserver-7.6.2/debian/libmapserver2.lintian-overrides 1970-01-01 01:00:00.000000000 +0100 @@ -1,3 +0,0 @@ -# Cannot easily be fixed -file-references-package-build-path * - diff -Nru mapserver-7.6.2/debian/libmapserver2.symbols mapserver-7.6.2/debian/libmapserver2.symbols --- mapserver-7.6.2/debian/libmapserver2.symbols 2020-12-09 06:00:39.000000000 +0100 +++ mapserver-7.6.2/debian/libmapserver2.symbols 2021-05-08 07:11:08.000000000 +0200 @@ -945,6 +945,7 @@ msCSVJoinPrepare@Base 6.2.1 msCairoCleanup@Base 6.2.1 msCalculateScale@Base 6.2.1 + msCaseEvalRegex@Base 7.6.2 msCaseReplaceSubstring@Base 6.2.1 msCheckLabelMinDistance@Base 7.0.0 msCheckParentPointer@Base 6.2.1 @@ -1418,6 +1419,7 @@ msIsGlyphASpace@Base 7.2.0 msIsLayerQueryable@Base 6.2.1 msIsOuterRing@Base 6.2.1 + msIsValidRegex@Base 7.6.2 msIsXMLTagValid@Base 6.2.1 msItemInGroups@Base 6.2.1 msJoinClose@Base 6.2.1 diff -Nru mapserver-7.6.2/debian/mapserver-bin.lintian-overrides mapserver-7.6.2/debian/mapserver-bin.lintian-overrides --- mapserver-7.6.2/debian/mapserver-bin.lintian-overrides 2020-08-06 05:34:57.000000000 +0200 +++ mapserver-7.6.2/debian/mapserver-bin.lintian-overrides 1970-01-01 01:00:00.000000000 +0100 @@ -1,3 +0,0 @@ -# Cannot easily be fixed -file-references-package-build-path * - diff -Nru mapserver-7.6.2/debian/patches/0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch mapserver-7.6.2/debian/patches/0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch --- mapserver-7.6.2/debian/patches/0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch 1970-01-01 01:00:00.000000000 +0100 +++ mapserver-7.6.2/debian/patches/0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch 2021-05-08 07:10:49.000000000 +0200 @@ -0,0 +1,161 @@ +Description: Address flaw in CGI mapfile loading that makes it possible to bypass security controls. +Author: Even Rouault <even.rouault@spatialys.com> +Origin: https://github.com/MapServer/MapServer/commit/927ac97cb9ece305306b5ab2b5600d3afe8c1732 +Bug: https://github.com/MapServer/MapServer/issues/6313 +Bug-Debian: https://bugs.debian.org/988208 + +--- a/mapfile.c ++++ b/mapfile.c +@@ -97,6 +97,16 @@ int msValidateParameter(const char *valu + return(MS_FAILURE); + } + ++int msIsValidRegex(const char* e) { ++ ms_regex_t re; ++ if(ms_regcomp(&re, e, MS_REG_EXTENDED|MS_REG_NOSUB) != 0) { ++ msSetError(MS_REGEXERR, "Failed to compile expression (%s).", "msEvalRegex()", e); ++ return(MS_FALSE); ++ } ++ ms_regfree(&re); ++ return MS_TRUE; ++} ++ + int msEvalRegex(const char *e, const char *s) + { + ms_regex_t re; +@@ -107,6 +117,26 @@ int msEvalRegex(const char *e, const cha + msSetError(MS_REGEXERR, "Failed to compile expression (%s).", "msEvalRegex()", e); + return(MS_FALSE); + } ++ ++ if(ms_regexec(&re, s, 0, NULL, 0) != 0) { /* no match */ ++ ms_regfree(&re); ++ return(MS_FALSE); ++ } ++ ms_regfree(&re); ++ ++ return(MS_TRUE); ++} ++ ++int msCaseEvalRegex(const char *e, const char *s) ++{ ++ ms_regex_t re; ++ ++ if(!e || !s) return(MS_FALSE); ++ ++ if(ms_regcomp(&re, e, MS_REG_EXTENDED|MS_REG_ICASE|MS_REG_NOSUB) != 0) { ++ msSetError(MS_REGEXERR, "Failed to compile expression (%s).", "msEvalRegex()", e); ++ return(MS_FALSE); ++ } + + if(ms_regexec(&re, s, 0, NULL, 0) != 0) { /* no match */ + ms_regfree(&re); +--- a/mapserv.c ++++ b/mapserv.c +@@ -166,7 +166,8 @@ int main(int argc, char *argv[]) + + /* push high-value ENV vars into the CPL global config - primarily for IIS/FastCGI */ + const char* const apszEnvVars[] = { +- "CURL_CA_BUNDLE", "MS_MAPFILE", "MS_MAP_NO_PATH", "MS_MAP_PATTERN", ++ "CURL_CA_BUNDLE", "MS_MAPFILE", "MS_MAP_NO_PATH", "MS_MAP_PATTERN", "MS_MAP_ENV_PATTERN", ++ "MS_MAP_BAD_PATTERN", "MS_MAP_ENV_BAD_PATTERN", + NULL /* guard */ }; + for( int i = 0; apszEnvVars[i] != NULL; ++i ) { + const char* value = getenv(apszEnvVars[i]); +--- a/mapserver.h ++++ b/mapserver.h +@@ -2159,7 +2159,9 @@ void msPopulateTextSymbolForLabelAndStri + MS_DLL_EXPORT char *msWriteReferenceMapToString(referenceMapObj *ref); + MS_DLL_EXPORT char *msWriteLegendToString(legendObj *legend); + MS_DLL_EXPORT char *msWriteClusterToString(clusterObj *cluster); ++ MS_DLL_EXPORT int msIsValidRegex(const char* e); + MS_DLL_EXPORT int msEvalRegex(const char *e, const char *s); ++ MS_DLL_EXPORT int msCaseEvalRegex(const char *e, const char *s); + #ifdef USE_MSFREE + MS_DLL_EXPORT void msFree(void *p); + #else +--- a/mapservutil.c ++++ b/mapservutil.c +@@ -199,41 +199,67 @@ mapObj *msCGILoadMap(mapservObj *mapserv + int i, j; + mapObj *map = NULL; + ++ const char *ms_map_bad_pattern_default = "[/\\]{2}|[/\\]?\\.+[/\\]|,"; ++ const char *ms_map_env_bad_pattern_default = "^(AUTH_.*|CERT_.*|CONTENT_(LENGTH|TYPE)|DOCUMENT_(ROOT|URI)|GATEWAY_INTERFACE|HTTP.*|QUERY_STRING|PATH_(INFO|TRANSLATED)|REMOTE_.*|REQUEST_(METHOD|URI)|SCRIPT_(FILENAME|NAME)|SERVER_.*)"; ++ ++ int ms_mapfile_tainted = MS_TRUE; + const char *ms_mapfile = CPLGetConfigOption("MS_MAPFILE", NULL); ++ + const char *ms_map_no_path = CPLGetConfigOption("MS_MAP_NO_PATH", NULL); + const char *ms_map_pattern = CPLGetConfigOption("MS_MAP_PATTERN", NULL); ++ const char *ms_map_env_pattern = CPLGetConfigOption("MS_MAP_ENV_PATTERN", NULL); ++ ++ const char *ms_map_bad_pattern = CPLGetConfigOption("MS_MAP_BAD_PATTERN", NULL); ++ if(ms_map_bad_pattern == NULL) ms_map_bad_pattern = ms_map_bad_pattern_default; ++ ++ const char *ms_map_env_bad_pattern = CPLGetConfigOption("MS_MAP_ENV_BAD_PATTERN", NULL); ++ if(ms_map_env_bad_pattern == NULL) ms_map_env_bad_pattern = ms_map_env_bad_pattern_default; + + for(i=0; i<mapserv->request->NumParams; i++) /* find the mapfile parameter first */ + if(strcasecmp(mapserv->request->ParamNames[i], "map") == 0) break; + + if(i == mapserv->request->NumParams) { +- if(ms_mapfile != NULL) { +- map = msLoadMap(ms_mapfile,NULL); +- } else { ++ if(ms_mapfile == NULL) { + msSetError(MS_WEBERR, "CGI variable \"map\" is not set.", "msCGILoadMap()"); /* no default, outta here */ + return NULL; + } ++ ms_mapfile_tainted = MS_FALSE; + } else { +- if(getenv(mapserv->request->ParamValues[i])) /* an environment variable references the actual file to use */ +- map = msLoadMap(getenv(mapserv->request->ParamValues[i]), NULL); +- else { +- /* by here we know the request isn't for something in an environment variable */ +- if(ms_map_no_path != NULL) { +- msSetError(MS_WEBERR, "Mapfile not found in environment variables and this server is not configured for full paths.", "msCGILoadMap()"); ++ if(getenv(mapserv->request->ParamValues[i])) { /* an environment variable references the actual file to use */ ++ /* validate env variable name */ ++ if(msIsValidRegex(ms_map_env_bad_pattern) == MS_FALSE || msCaseEvalRegex(ms_map_env_bad_pattern, mapserv->request->ParamValues[i]) == MS_TRUE) { ++ msSetError(MS_WEBERR, "CGI variable \"map\" fails to validate.", "msCGILoadMap()"); + return NULL; + } +- +- if(ms_map_pattern != NULL && msEvalRegex(ms_map_pattern, mapserv->request->ParamValues[i]) != MS_TRUE) { +- msSetError(MS_WEBERR, "Parameter 'map' value fails to validate.", "msCGILoadMap()"); ++ if(ms_map_env_pattern != NULL && msEvalRegex(ms_map_env_pattern, mapserv->request->ParamValues[i]) != MS_TRUE) { ++ msSetError(MS_WEBERR, "CGI variable \"map\" fails to validate.", "msCGILoadMap()"); ++ return NULL; ++ } ++ ms_mapfile = getenv(mapserv->request->ParamValues[i]); ++ } else { ++ /* by now we know the request isn't for something in an environment variable */ ++ if(ms_map_no_path != NULL) { ++ msSetError(MS_WEBERR, "CGI variable \"map\" not found in environment and this server is not configured for full paths.", "msCGILoadMap()"); + return NULL; + } ++ ms_mapfile = mapserv->request->ParamValues[i]; ++ } ++ } + +- /* ok to try to load now */ +- map = msLoadMap(mapserv->request->ParamValues[i], NULL); ++ /* validate ms_mapfile if tainted */ ++ if(ms_mapfile_tainted == MS_TRUE) { ++ if(msIsValidRegex(ms_map_bad_pattern) == MS_FALSE || msEvalRegex(ms_map_bad_pattern, ms_mapfile) == MS_TRUE) { ++ msSetError(MS_WEBERR, "CGI variable \"map\" fails to validate.", "msCGILoadMap()"); ++ return NULL; ++ } ++ if(ms_map_pattern != NULL && msEvalRegex(ms_map_pattern, ms_mapfile) != MS_TRUE) { ++ msSetError(MS_WEBERR, "CGI variable \"map\" fails to validate.", "msCGILoadMap()"); ++ return NULL; + } + } +- + ++ /* ok to try to load now */ ++ map = msLoadMap(ms_mapfile, NULL); + if(!map) return NULL; + + if(!msLookupHashTable(&(map->web.validation), "immutable")) { diff -Nru mapserver-7.6.2/debian/patches/0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch mapserver-7.6.2/debian/patches/0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch --- mapserver-7.6.2/debian/patches/0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch 1970-01-01 01:00:00.000000000 +0100 +++ mapserver-7.6.2/debian/patches/0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch 2021-05-08 07:10:49.000000000 +0200 @@ -0,0 +1,107 @@ +Description: Use CPLSetConfigOption/CPLGetConfigOption for some CGI/FastCGI-related env vars. + Push a few high-value env vars into CPL config and then reference that instead of the env (mostly for IIS/FastCGI). +Author: Steve Lime <steve.lime@state.mn.us> +Origin: https://github.com/MapServer/MapServer/commit/b128dace3ec3e61bf063f7285d1279e9f9fd9e28 +Bug: https://github.com/MapServer/MapServer/pull/6304 + +--- a/maphttp.c ++++ b/maphttp.c +@@ -39,7 +39,7 @@ + #include "mapthread.h" + #include "mapows.h" + +- ++#include "cpl_conv.h" + + #include <time.h> + #ifndef _WIN32 +@@ -471,7 +471,7 @@ int msHTTPExecuteRequests(httpRequestObj + * If set then the value is the full path to the ca-bundle.crt file + * e.g. CURL_CA_BUNDLE=/usr/local/share/curl/curl-ca-bundle.crt + */ +- pszCurlCABundle = getenv("CURL_CA_BUNDLE"); ++ pszCurlCABundle = CPLGetConfigOption("CURL_CA_BUNDLE", NULL); + + if (debug) { + msDebug("HTTP: Starting to prepare HTTP requests.\n"); +--- a/mapserv.c ++++ b/mapserv.c +@@ -43,6 +43,8 @@ + #include "mapio.h" + #include "maptime.h" + ++#include "cpl_conv.h" ++ + #ifndef WIN32 + #include <signal.h> + #endif +@@ -162,6 +164,15 @@ int main(int argc, char *argv[]) + if(msGetGlobalDebugLevel() >= MS_DEBUGLEVEL_TUNING) + msGettimeofday(&execstarttime, NULL); + ++ /* push high-value ENV vars into the CPL global config - primarily for IIS/FastCGI */ ++ const char* const apszEnvVars[] = { ++ "CURL_CA_BUNDLE", "MS_MAPFILE", "MS_MAP_NO_PATH", "MS_MAP_PATTERN", ++ NULL /* guard */ }; ++ for( int i = 0; apszEnvVars[i] != NULL; ++i ) { ++ const char* value = getenv(apszEnvVars[i]); ++ if(value) CPLSetConfigOption(apszEnvVars[i], value); ++ } ++ + /* -------------------------------------------------------------------- */ + /* Process arguments. In normal use as a cgi-bin there are no */ + /* commandline switches, but we provide a few for test/debug */ +--- a/mapserv.h ++++ b/mapserv.h +@@ -41,6 +41,7 @@ + #include "maptile.h" + + #include "cgiutil.h" ++ + /* + ** Defines + */ +--- a/mapservutil.c ++++ b/mapservutil.c +@@ -33,6 +33,8 @@ + #include "maptime.h" + #include "mapows.h" + ++#include "cpl_conv.h" ++ + /* + ** Enumerated types, keep the query modes in sequence and at the end of the enumeration (mode enumeration is in maptemplate.h). + */ +@@ -197,12 +199,15 @@ mapObj *msCGILoadMap(mapservObj *mapserv + int i, j; + mapObj *map = NULL; + ++ const char *ms_mapfile = CPLGetConfigOption("MS_MAPFILE", NULL); ++ const char *ms_map_no_path = CPLGetConfigOption("MS_MAP_NO_PATH", NULL); ++ const char *ms_map_pattern = CPLGetConfigOption("MS_MAP_PATTERN", NULL); ++ + for(i=0; i<mapserv->request->NumParams; i++) /* find the mapfile parameter first */ + if(strcasecmp(mapserv->request->ParamNames[i], "map") == 0) break; + + if(i == mapserv->request->NumParams) { +- char *ms_mapfile = getenv("MS_MAPFILE"); +- if(ms_mapfile) { ++ if(ms_mapfile != NULL) { + map = msLoadMap(ms_mapfile,NULL); + } else { + msSetError(MS_WEBERR, "CGI variable \"map\" is not set.", "msCGILoadMap()"); /* no default, outta here */ +@@ -213,12 +218,12 @@ mapObj *msCGILoadMap(mapservObj *mapserv + map = msLoadMap(getenv(mapserv->request->ParamValues[i]), NULL); + else { + /* by here we know the request isn't for something in an environment variable */ +- if(getenv("MS_MAP_NO_PATH")) { ++ if(ms_map_no_path != NULL) { + msSetError(MS_WEBERR, "Mapfile not found in environment variables and this server is not configured for full paths.", "msCGILoadMap()"); + return NULL; + } + +- if(getenv("MS_MAP_PATTERN") && msEvalRegex(getenv("MS_MAP_PATTERN"), mapserv->request->ParamValues[i]) != MS_TRUE) { ++ if(ms_map_pattern != NULL && msEvalRegex(ms_map_pattern, mapserv->request->ParamValues[i]) != MS_TRUE) { + msSetError(MS_WEBERR, "Parameter 'map' value fails to validate.", "msCGILoadMap()"); + return NULL; + } diff -Nru mapserver-7.6.2/debian/patches/series mapserver-7.6.2/debian/patches/series --- mapserver-7.6.2/debian/patches/series 2020-12-08 05:49:56.000000000 +0100 +++ mapserver-7.6.2/debian/patches/series 2021-05-08 07:10:49.000000000 +0200 @@ -1,3 +1,5 @@ perl-mapscript-install.patch java-hardening.patch interpreter-path.path +0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch +0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch
--- End Message ---
--- Begin Message ---
- To: Sebastiaan Couwenberg <sebastic@xs4all.nl>, 988224-done@bugs.debian.org
- Cc: Salvatore Bonaccorso <carnil@debian.org>
- Subject: Re: Bug#988224: unblock: mapserver/7.6.2-2 (pre-approval)
- From: Paul Gevers <elbrus@debian.org>
- Date: Tue, 27 Jul 2021 16:31:27 +0200
- Message-id: <d99d4cb8-cde6-1f20-502d-888e483aba67@debian.org>
- In-reply-to: <0df3c3b4-cc2a-5e67-42bd-af9878e25f88@xs4all.nl>
- References: <162045174136.346650.10657365912070241495.reportbug@osiris.linuxminded.xs4all.nl> <0c6f1d5a-d28c-979d-9ae3-c24aab850058@xs4all.nl> <YKyrNzuUjNdKinEi@ramacher.at> <162045174136.346650.10657365912070241495.reportbug@osiris.linuxminded.xs4all.nl> <fe487668-6c6d-b7bd-3df7-1d6175bff842@xs4all.nl> <YLPjn5hQ6GDR2kX9@eldamar.lan> <566df733-5d5c-df48-8598-46aafa63b201@xs4all.nl> <YLR9O0bvyYCb/jQf@ramacher.at> <162045174136.346650.10657365912070241495.reportbug@osiris.linuxminded.xs4all.nl> <054fda73-fb5b-65f3-39f2-595e8b670ee5@xs4all.nl> <YLSBxXy/chSUetJ6@ramacher.at> <162045174136.346650.10657365912070241495.reportbug@osiris.linuxminded.xs4all.nl> <0df3c3b4-cc2a-5e67-42bd-af9878e25f88@xs4all.nl>
Hi On 31-05-2021 08:57, Sebastiaan Couwenberg wrote: > I regret the time spent on this (minor) security issue to not have it > affect the upcoming stable release. In retrospect I shouldn't have > bothered for a no-dsa issue. I feel sorry that this bug report went as it went, but as we're now getting very close to the release date, I'm closing unblock bugs without action in a long time. PaulAttachment: OpenPGP_signature
Description: OpenPGP digital signature
--- End Message ---