
Bug#988224: unblock: mapserver/7.6.2-2 (pre-approval)



Control: tags -1 - moreinfo

On 5/25/21 9:45 AM, Sebastian Ramacher wrote:
> On 2021-05-08 22:17:42 +0200, Sebastiaan Couwenberg wrote:
>> On 5/8/21 9:18 PM, Sebastian Ramacher wrote:
>>> On 2021-05-08 07:29:01 +0200, Bas Couwenberg wrote:
>>>> Package: release.debian.org
>>>> Severity: normal
>>>> User: release.debian.org@packages.debian.org
>>>> Usertags: unblock
>>>>
>>>> Please unblock package mapserver to fix CVE-2021-32062 as reported in #988208.
>>>>
>>>> [ Reason ]
>>>> Fix security issue.
>>>>
>>>> [ Impact ]
>>>> Unfixed security issue.
>>>>
>>>> [ Tests ]
>>>> Upstream CI.
>>>>
>>>> [ Risks ]
>>>> Low, leaf package.
>>>>
>>>> [ Checklist ]
>>>>   [x] all changes are documented in the d/changelog
>>>>   [x] I reviewed all changes and I approve them
>>>>   [x] attach debdiff against the package in testing
>>>>
>>>> [ Other info ]
>>>> 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is required as a dependency of 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch.
>>>>
>>>> unblock mapserver/7.6.2-2
>>>
>>>> diff -Nru mapserver-7.6.2/debian/changelog mapserver-7.6.2/debian/changelog
>>>> --- mapserver-7.6.2/debian/changelog	2020-12-09 06:01:02.000000000 +0100
>>>> +++ mapserver-7.6.2/debian/changelog	2021-05-08 07:12:18.000000000 +0200
>>>> @@ -1,3 +1,12 @@
>>>> +mapserver (7.6.2-2) unstable; urgency=high
>>>> +
>>>> +  * Drop unused lintian overrides.
>>>> +  * Add upstream patches to fix CVE-2021-32062.
>>>> +    (closes: #988208)
>>>> +  * Update symbols file.
>>>> +
>>>> + -- Bas Couwenberg <sebastic@debian.org>  Sat, 08 May 2021 07:12:18 +0200
>>>> +
>>>>  mapserver (7.6.2-1) unstable; urgency=medium
>>>>  
>>>>    * Update symbols for other architectures.
>>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.lintian-overrides mapserver-7.6.2/debian/libmapserver2.lintian-overrides
>>>> --- mapserver-7.6.2/debian/libmapserver2.lintian-overrides	2020-08-06 05:34:57.000000000 +0200
>>>> +++ mapserver-7.6.2/debian/libmapserver2.lintian-overrides	1970-01-01 01:00:00.000000000 +0100
>>>> @@ -1,3 +0,0 @@
>>>> -# Cannot easily be fixed
>>>> -file-references-package-build-path *
>>>> -
>>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.symbols mapserver-7.6.2/debian/libmapserver2.symbols
>>>> --- mapserver-7.6.2/debian/libmapserver2.symbols	2020-12-09 06:00:39.000000000 +0100
>>>> +++ mapserver-7.6.2/debian/libmapserver2.symbols	2021-05-08 07:11:08.000000000 +0200
>>>> @@ -945,6 +945,7 @@
>>>>   msCSVJoinPrepare@Base 6.2.1
>>>>   msCairoCleanup@Base 6.2.1
>>>>   msCalculateScale@Base 6.2.1
>>>> + msCaseEvalRegex@Base 7.6.2
>>>>   msCaseReplaceSubstring@Base 6.2.1
>>>>   msCheckLabelMinDistance@Base 7.0.0
>>>>   msCheckParentPointer@Base 6.2.1
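Review bot: the new entry `msCaseEvalRegex@Base 7.6.2` (and `msIsValidRegex@Base 7.6.2` in the next hunk) is added by the Debian patches in this revision, not by an upstream release, so its minimal version should be `7.6.2-2~` rather than `7.6.2`; as written, anything linked against these symbols would get a dependency that 7.6.2-1, which does not export them, still satisfies.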
>>>> @@ -1418,6 +1419,7 @@
>>>>   msIsGlyphASpace@Base 7.2.0
>>>>   msIsLayerQueryable@Base 6.2.1
>>>>   msIsOuterRing@Base 6.2.1
>>>> + msIsValidRegex@Base 7.6.2
>>>
>>> This version is not high enough. The symbols need to be marked as
>>> requiring 7.6.2-2~
>>
>> There are no rdeps of mapserver in Debian, so no users of the symbols file.
> 
> It's technically wrong. If you introduce symbols with a patch, the
> symbols need to be properly versioned. After all, there is a user of the
> symbols file and that is mapserver itself. If you have to introduce
> calls to those two symbols outside of libmapserver in the next patch,
> the dependency on libmapserver is wrong.

libmapserver-dev already depends on libmapserver2 with (=
${binary:Version}).

None of the other binary packages require symbols introduced after 7.0.5.

All the code using msCaseEvalRegex & msIsValidRegex is within
libmapserver itself.

While strictly speaking the version in the symbols file should include
the revision, it's not required in this case because nothing outside
libmapserver uses it.

>>> Please remove the moreinfo tag once that fixed version is available in
>>> unstable.
>>
>> mapserver (7.6.2-2) has been uploaded to unstable without further
>> changes to the symbols file.
> 
> Again, please remove the moreinfo tag only once a fixed version is
> available in unstable.

There is no need for further changes in unstable.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1
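An added example (my own code, not from the bug report or the mapserver package) that models what the versioning discussion above is about: a symbols file maps each exported symbol to the lowest package version that provides it, and dpkg-shlibdeps turns the symbols a binary actually uses into its minimum dependency. The symbols excerpt, the consumer, and the version comparator (a port of dpkg's ordering rules) are constructed here and are assumptions, not the packaged files.

```python
import re
from functools import cmp_to_key

# Constructed excerpt of libmapserver2.symbols, not the packaged file. "As uploaded"
# gives the patch-added regex helpers the plain upstream version, as in the debdiff;
# "corrected" gives them the 7.6.2-2~ the release team asked for.
SYMBOLS_AS_UPLOADED = """\
libmapserver.so.2 libmapserver2 #MINVER#
 msCalculateScale@Base 6.2.1
 msCaseEvalRegex@Base 7.6.2
 msIsValidRegex@Base 7.6.2
"""
SYMBOLS_CORRECTED = SYMBOLS_AS_UPLOADED.replace("@Base 7.6.2\n", "@Base 7.6.2-2~\n")

def _order(c: str) -> int:
    # dpkg's character weights: '~' sorts before everything, even end of string
    return -1 if c == "~" else 0 if c == "" or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256
def _verrevcmp(a: str, b: str) -> int:
    # Port of dpkg's verrevcmp: alternate non-digit runs and numeric runs.
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1   # leading zeros are insignificant
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1     # the longer number is larger
        if j < len(b) and b[j].isdigit(): return -1
        if first_diff: return first_diff
    return 0
def compare_versions(a: str, b: str) -> int:
    # Sign of a - b under dpkg ordering: epoch, then upstream, then Debian revision.
    def split(v):
        m = re.fullmatch(r"(?:(\d+):)?(.*?)(?:-([^-]*))?", v)
        return int(m.group(1) or 0), m.group(2), m.group(3) or ""
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
def parse_symbols(text: str) -> dict:
    # symbol name -> minimal version, from the " name@Base version" lines
    return dict(re.findall(r"^ (\S+)@Base (\S+)$", text, re.M))
def min_dependency(symbols: dict, used: list) -> str:
    # What dpkg-shlibdeps derives: the highest minimal version among the symbols used.
    need = max((symbols[s] for s in used), key=cmp_to_key(compare_versions))
    return f"libmapserver2 (>= {need})"
```

With the uploaded file, a binary calling msIsValidRegex ends up with libmapserver2 (>= 7.6.2), which 7.6.2-1 satisfies although it lacks the symbol; with 7.6.2-2~ the dependency excludes 7.6.2-1 while still admitting a backport such as 7.6.2-2~bpo11+1.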