
Bug#988224: unblock: mapserver/7.6.2-2 (pre-approval)



On 5/30/21 9:12 PM, Salvatore Bonaccorso wrote:
> Sebastiaan, Sebastian,
> 
> On Tue, May 25, 2021 at 09:57:28AM +0200, Sebastiaan Couwenberg wrote:
>> Control: tags -1 - moreinfo
>>
>> On 5/25/21 9:45 AM, Sebastian Ramacher wrote:
>>> On 2021-05-08 22:17:42 +0200, Sebastiaan Couwenberg wrote:
>>>> On 5/8/21 9:18 PM, Sebastian Ramacher wrote:
>>>>> On 2021-05-08 07:29:01 +0200, Bas Couwenberg wrote:
>>>>>> Package: release.debian.org
>>>>>> Severity: normal
>>>>>> User: release.debian.org@packages.debian.org
>>>>>> Usertags: unblock
>>>>>>
>>>>>> Please unblock package mapserver to fix CVE-2021-32062 as reported in #988208.
>>>>>>
>>>>>> [ Reason ]
>>>>>> Fix security issue.
>>>>>>
>>>>>> [ Impact ]
>>>>>> Unfixed security issue.
>>>>>>
>>>>>> [ Tests ]
>>>>>> Upstream CI.
>>>>>>
>>>>>> [ Risks ]
>>>>>> Low, leaf package.
>>>>>>
>>>>>> [ Checklist ]
>>>>>>   [x] all changes are documented in the d/changelog
>>>>>>   [x] I reviewed all changes and I approve them
>>>>>>   [x] attach debdiff against the package in testing
>>>>>>
>>>>>> [ Other info ]
>>>>>> 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is required as a dependency of 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch.
>>>>>>
>>>>>> unblock mapserver/7.6.2-2
>>>>>
>>>>>> diff -Nru mapserver-7.6.2/debian/changelog mapserver-7.6.2/debian/changelog
>>>>>> --- mapserver-7.6.2/debian/changelog	2020-12-09 06:01:02.000000000 +0100
>>>>>> +++ mapserver-7.6.2/debian/changelog	2021-05-08 07:12:18.000000000 +0200
>>>>>> @@ -1,3 +1,12 @@
>>>>>> +mapserver (7.6.2-2) unstable; urgency=high
>>>>>> +
>>>>>> +  * Drop unused lintian overrides.
>>>>>> +  * Add upstream patches to fix CVE-2021-32062.
>>>>>> +    (closes: #988208)
>>>>>> +  * Update symbols file.
>>>>>> +
>>>>>> + -- Bas Couwenberg <sebastic@debian.org>  Sat, 08 May 2021 07:12:18 +0200
>>>>>> +
>>>>>>  mapserver (7.6.2-1) unstable; urgency=medium
>>>>>>  
>>>>>>    * Update symbols for other architectures.
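Review bot: the entry "Add upstream patches to fix CVE-2021-32062" names neither of the two patch files listed under [ Other info ] (0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch and 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch), and "Update symbols file" does not say that the update adds msCaseEvalRegex and msIsValidRegex; naming the patches and the new symbols in the changelog would let a reader of this debdiff see what the security fix consists of without consulting the bug report.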
>>>>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.lintian-overrides mapserver-7.6.2/debian/libmapserver2.lintian-overrides
>>>>>> --- mapserver-7.6.2/debian/libmapserver2.lintian-overrides	2020-08-06 05:34:57.000000000 +0200
>>>>>> +++ mapserver-7.6.2/debian/libmapserver2.lintian-overrides	1970-01-01 01:00:00.000000000 +0100
>>>>>> @@ -1,3 +0,0 @@
>>>>>> -# Cannot easily be fixed
>>>>>> -file-references-package-build-path *
>>>>>> -
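Review bot: the removed file carried only the file-references-package-build-path override, and the changelog line "Drop unused lintian overrides" does not record why it became unnecessary; a short reason (for example that the build path no longer leaks into the shipped files) would help anyone later wondering whether the override has to come back.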
>>>>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.symbols mapserver-7.6.2/debian/libmapserver2.symbols
>>>>>> --- mapserver-7.6.2/debian/libmapserver2.symbols	2020-12-09 06:00:39.000000000 +0100
>>>>>> +++ mapserver-7.6.2/debian/libmapserver2.symbols	2021-05-08 07:11:08.000000000 +0200
>>>>>> @@ -945,6 +945,7 @@
>>>>>>   msCSVJoinPrepare@Base 6.2.1
>>>>>>   msCairoCleanup@Base 6.2.1
>>>>>>   msCalculateScale@Base 6.2.1
>>>>>> + msCaseEvalRegex@Base 7.6.2
>>>>>>   msCaseReplaceSubstring@Base 6.2.1
>>>>>>   msCheckLabelMinDistance@Base 7.0.0
>>>>>>   msCheckParentPointer@Base 6.2.1
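Review bot: msCaseEvalRegex@Base is introduced by a Debian patch, not by upstream 7.6.2, so the minimal version on the "+ msCaseEvalRegex@Base 7.6.2" line should be 7.6.2-2~ as the release team asked; with 7.6.2 the symbols file would make dpkg-shlibdeps generate "libmapserver2 (>= 7.6.2)" for a consumer of that symbol, which 7.6.2-1 satisfies although it lacks the symbol, whereas 7.6.2-2~ excludes 7.6.2-1 while the trailing ~ still admits binNMUs and backports of -2.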
>>>>>> @@ -1418,6 +1419,7 @@
>>>>>>   msIsGlyphASpace@Base 7.2.0
>>>>>>   msIsLayerQueryable@Base 6.2.1
>>>>>>   msIsOuterRing@Base 6.2.1
>>>>>> + msIsValidRegex@Base 7.6.2
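Review bot: "+ msIsValidRegex@Base 7.6.2" has the same problem as msCaseEvalRegex and should also read 7.6.2-2~; in addition, the quoted debdiff stops at this hunk, so the debian/patches/series change and the two patch files named under [ Other info ] are not visible here and cannot be reviewed from this mail.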
>>>>>
>>>>> This version is not high enough. The symbols need to be marked as
>>>>> requiring 7.6.2-2~
>>>>
>>>> There are no rdeps of mapserver in Debian, so no users of the symbols file.
>>>
>>> It's technically wrong. If you introduce symbols with a patch, the
>>> symbols need to be properly versioned. After all, there is a user of the
>>> symbols file and that is mapserver itself. If you have to introduce
>>> calls to those two symbols outside of libmapserver in the next patch,
>>> the dependency on libmapserver is wrong.
>>
>> libmapserver-dev already depends on libmapserver2 with (=
>> ${binary:Version}).
>>
>> None of the other binary packages require symbols introduced after 7.0.5.
>>
>> All the code using msCaseEvalRegex & msIsValidRegex is within
>> libmapserver itself.
>>
>> While strictly speaking the version in the symbols file should include
>> the revision, it's not required in this case because nothing outside
>> libmapserver uses it.
>>
>>>>> Please remove the moreinfo tag once that fixed version is available in
>>>>> unstable.
>>>>
>>>> mapserver (7.6.2-2) has been uploaded to unstable without further
>>>> changes to the symbols file.
>>>
>>> Again, please remove the moreinfo tag only once a fixed version is
>>> available in unstable.
>>
>> There is no need for further changes in unstable.
> 
> Sebastian (the release team member), is there anything from the above
> which you still want the maintainer to address? Sebastiaan, my
> understanding is that Sebastian would like to see the above changes done
> for mapserver to be unblocked.

That's my understanding too, but the additional information provided
should make clear that those changes are not required.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1

