
Bug#988224: unblock: mapserver/7.6.2-2 (pre-approval)



Sebastiaan, Sebastian,

On Tue, May 25, 2021 at 09:57:28AM +0200, Sebastiaan Couwenberg wrote:
> Control: tags -1 - moreinfo
> 
> On 5/25/21 9:45 AM, Sebastian Ramacher wrote:
> > On 2021-05-08 22:17:42 +0200, Sebastiaan Couwenberg wrote:
> >> On 5/8/21 9:18 PM, Sebastian Ramacher wrote:
> >>> On 2021-05-08 07:29:01 +0200, Bas Couwenberg wrote:
> >>>> Package: release.debian.org
> >>>> Severity: normal
> >>>> User: release.debian.org@packages.debian.org
> >>>> Usertags: unblock
> >>>>
> >>>> Please unblock package mapserver to fix CVE-2021-32062 as reported in #988208.
> >>>>
> >>>> [ Reason ]
> >>>> Fix security issue.
> >>>>
> >>>> [ Impact ]
> >>>> Unfixed security issue.
> >>>>
> >>>> [ Tests ]
> >>>> Upstream CI.
> >>>>
> >>>> [ Risks ]
> >>>> Low, leaf package.
> >>>>
> >>>> [ Checklist ]
> >>>>   [x] all changes are documented in the d/changelog
> >>>>   [x] I reviewed all changes and I approve them
> >>>>   [x] attach debdiff against the package in testing
> >>>>
> >>>> [ Other info ]
> >>>> 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is required as a dependency of 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch.
> >>>>
> >>>> unblock mapserver/7.6.2-2
> >>>
> >>>> diff -Nru mapserver-7.6.2/debian/changelog mapserver-7.6.2/debian/changelog
> >>>> --- mapserver-7.6.2/debian/changelog	2020-12-09 06:01:02.000000000 +0100
> >>>> +++ mapserver-7.6.2/debian/changelog	2021-05-08 07:12:18.000000000 +0200
> >>>> @@ -1,3 +1,12 @@
> >>>> +mapserver (7.6.2-2) unstable; urgency=high
> >>>> +
> >>>> +  * Drop unused lintian overrides.
> >>>> +  * Add upstream patches to fix CVE-2021-32062.
> >>>> +    (closes: #988208)
> >>>> +  * Update symbols file.
> >>>> +
> >>>> + -- Bas Couwenberg <sebastic@debian.org>  Sat, 08 May 2021 07:12:18 +0200
> >>>> +
> >>>>  mapserver (7.6.2-1) unstable; urgency=medium
> >>>>  
> >>>>    * Update symbols for other architectures.
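Review bot: the changelog line "Add upstream patches to fix CVE-2021-32062" is not backed by anything in the quoted debdiff: there is no hunk under debian/patches (no series entry, no patch files), so the two patches named in [Other info] and the security fix itself cannot be reviewed from what is shown. Please include the debian/patches hunks in the attached debdiff.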
> >>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.lintian-overrides mapserver-7.6.2/debian/libmapserver2.lintian-overrides
> >>>> --- mapserver-7.6.2/debian/libmapserver2.lintian-overrides	2020-08-06 05:34:57.000000000 +0200
> >>>> +++ mapserver-7.6.2/debian/libmapserver2.lintian-overrides	1970-01-01 01:00:00.000000000 +0100
> >>>> @@ -1,3 +0,0 @@
> >>>> -# Cannot easily be fixed
> >>>> -file-references-package-build-path *
> >>>> -
> >>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.symbols mapserver-7.6.2/debian/libmapserver2.symbols
> >>>> --- mapserver-7.6.2/debian/libmapserver2.symbols	2020-12-09 06:00:39.000000000 +0100
> >>>> +++ mapserver-7.6.2/debian/libmapserver2.symbols	2021-05-08 07:11:08.000000000 +0200
> >>>> @@ -945,6 +945,7 @@
> >>>>   msCSVJoinPrepare@Base 6.2.1
> >>>>   msCairoCleanup@Base 6.2.1
> >>>>   msCalculateScale@Base 6.2.1
> >>>> + msCaseEvalRegex@Base 7.6.2
> >>>>   msCaseReplaceSubstring@Base 6.2.1
> >>>>   msCheckLabelMinDistance@Base 7.0.0
> >>>>   msCheckParentPointer@Base 6.2.1
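Review bot: `+ msCaseEvalRegex@Base 7.6.2` is versioned as the upstream release, but the symbol only appears in the Debian revision that carries the patch, and 7.6.2-1 does not export it. A dependency generated from this entry would accept 7.6.2-1, which lacks the symbol, so the minimum version should be `7.6.2-2~` as requested by the release team.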
> >>>> @@ -1418,6 +1419,7 @@
> >>>>   msIsGlyphASpace@Base 7.2.0
> >>>>   msIsLayerQueryable@Base 6.2.1
> >>>>   msIsOuterRing@Base 6.2.1
> >>>> + msIsValidRegex@Base 7.6.2
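Review bot: the `@@ -1418,6 +1419,7 @@` header announces seven new-side lines, but only four are quoted, so the hunk's trailing context is missing and the debdiff as shown is truncated. The visible addition, `+ msIsValidRegex@Base 7.6.2`, has the same problem as msCaseEvalRegex: it is introduced by the Debian patch rather than the upstream 7.6.2 release, so its minimum version should read `7.6.2-2~`.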
> >>>
> >>> This version is not high enough. The symbols need to be marked as
> >>> requiring 7.6.2-2~
> >>
> >> There are no rdeps of mapserver in Debian, so no users of the symbols file.
> > 
> > It's technically wrong. If you introduce symbols with a patch, the
> > symbols need to be properly versioned. After all, there is a user of the
> > symbols file and that is mapserver itself. If you have to introduce
> > calls to those two symbols outside of libmapserver in the next patch,
> > the dependency on libmapserver is wrong.
> 
> libmapserver-dev already depends on libmapserver2 with (=
> ${binary:Version}).
> 
> None of the other binary packages require symbols introduced after 7.0.5.
> 
> All the code using msCaseEvalRegex & msIsValidRegex is within
> libmapserver itself.
> 
> While strictly speaking the version in the symbols file should include
> the revision, its not required in this case because nothing outside
> libmapserver uses it.
> 
> >>> Please remove the moreinfo tag once that fixed version is available in
> >>> unstable.
> >>
> >> mapserver (7.6.2-2) has been uploaded to unstable without further
> >> changes to the symbols file.
> > 
> > Again, please remove the moreinfo tag only once a fixed version is
> > available in unstable.
> 
> There is no need for further changes in unstable.

Sebastian (the release team member), is there anything from the above
which you still want the maintainer to address? Sebastiaan, my
understanding is that Sebastian would like to see the above changes done
for mapserver to be unblocked.

Regards,
Salvatore
