
Bug#988224: unblock: mapserver/7.6.2-2 (pre-approval)



On 2021-05-31 05:38:15 +0200, Sebastiaan Couwenberg wrote:
> On 5/30/21 9:12 PM, Salvatore Bonaccorso wrote:
> > Sebastiaan, Sebastian,
> > 
> > On Tue, May 25, 2021 at 09:57:28AM +0200, Sebastiaan Couwenberg wrote:
> >> Control: tags -1 - moreinfo
> >>
> >> On 5/25/21 9:45 AM, Sebastian Ramacher wrote:
> >>> On 2021-05-08 22:17:42 +0200, Sebastiaan Couwenberg wrote:
> >>>> On 5/8/21 9:18 PM, Sebastian Ramacher wrote:
> >>>>> On 2021-05-08 07:29:01 +0200, Bas Couwenberg wrote:
> >>>>>> Package: release.debian.org
> >>>>>> Severity: normal
> >>>>>> User: release.debian.org@packages.debian.org
> >>>>>> Usertags: unblock
> >>>>>>
> >>>>>> Please unblock package mapserver to fix CVE-2021-32062 as reported in #988208.
> >>>>>>
> >>>>>> [ Reason ]
> >>>>>> Fix security issue.
> >>>>>>
> >>>>>> [ Impact ]
> >>>>>> Unfixed security issue.
> >>>>>>
> >>>>>> [ Tests ]
> >>>>>> Upstream CI.
> >>>>>>
> >>>>>> [ Risks ]
> >>>>>> Low, leaf package.
> >>>>>>
> >>>>>> [ Checklist ]
> >>>>>>   [x] all changes are documented in the d/changelog
> >>>>>>   [x] I reviewed all changes and I approve them
> >>>>>>   [x] attach debdiff against the package in testing
> >>>>>>
> >>>>>> [ Other info ]
> >>>>>> 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is required as a dependency of 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch.
> >>>>>>
> >>>>>> unblock mapserver/7.6.2-2
> >>>>>
> >>>>>> diff -Nru mapserver-7.6.2/debian/changelog mapserver-7.6.2/debian/changelog
> >>>>>> --- mapserver-7.6.2/debian/changelog	2020-12-09 06:01:02.000000000 +0100
> >>>>>> +++ mapserver-7.6.2/debian/changelog	2021-05-08 07:12:18.000000000 +0200
> >>>>>> @@ -1,3 +1,12 @@
> >>>>>> +mapserver (7.6.2-2) unstable; urgency=high
> >>>>>> +
> >>>>>> +  * Drop unused lintian overrides.
> >>>>>> +  * Add upstream patches to fix CVE-2021-32062.
> >>>>>> +    (closes: #988208)
> >>>>>> +  * Update symbols file.
> >>>>>> +
> >>>>>> + -- Bas Couwenberg <sebastic@debian.org>  Sat, 08 May 2021 07:12:18 +0200
> >>>>>> +
> >>>>>>  mapserver (7.6.2-1) unstable; urgency=medium
> >>>>>>  
> >>>>>>    * Update symbols for other architectures.
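Review bot: the entry `+  * Update symbols file.` does not say why the symbols file changed. The two symbols it adds come from the CVE-2021-32062 patches applied in this revision, not from upstream 7.6.2, so stating that here (and naming the two patches listed under [Other info]) would make it immediately clear that the new entries must carry the Debian revision in their version.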
> >>>>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.lintian-overrides mapserver-7.6.2/debian/libmapserver2.lintian-overrides
> >>>>>> --- mapserver-7.6.2/debian/libmapserver2.lintian-overrides	2020-08-06 05:34:57.000000000 +0200
> >>>>>> +++ mapserver-7.6.2/debian/libmapserver2.lintian-overrides	1970-01-01 01:00:00.000000000 +0100
> >>>>>> @@ -1,3 +0,0 @@
> >>>>>> -# Cannot easily be fixed
> >>>>>> -file-references-package-build-path *
> >>>>>> -
> >>>>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.symbols mapserver-7.6.2/debian/libmapserver2.symbols
> >>>>>> --- mapserver-7.6.2/debian/libmapserver2.symbols	2020-12-09 06:00:39.000000000 +0100
> >>>>>> +++ mapserver-7.6.2/debian/libmapserver2.symbols	2021-05-08 07:11:08.000000000 +0200
> >>>>>> @@ -945,6 +945,7 @@
> >>>>>>   msCSVJoinPrepare@Base 6.2.1
> >>>>>>   msCairoCleanup@Base 6.2.1
> >>>>>>   msCalculateScale@Base 6.2.1
> >>>>>> + msCaseEvalRegex@Base 7.6.2
> >>>>>>   msCaseReplaceSubstring@Base 6.2.1
> >>>>>>   msCheckLabelMinDistance@Base 7.0.0
> >>>>>>   msCheckParentPointer@Base 6.2.1
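Review bot: `+ msCaseEvalRegex@Base 7.6.2` is versioned too low. The symbol is introduced by a patch in 7.6.2-2, not by upstream 7.6.2, so dpkg-shlibdeps would give any caller a `libmapserver2 (>= 7.6.2)` dependency that 7.6.2-1 satisfies even though it lacks the symbol. It should read `msCaseEvalRegex@Base 7.6.2-2~`; the trailing `~` keeps binNMUs and backports of 7.6.2-2 acceptable.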
> >>>>>> @@ -1418,6 +1419,7 @@
> >>>>>>   msIsGlyphASpace@Base 7.2.0
> >>>>>>   msIsLayerQueryable@Base 6.2.1
> >>>>>>   msIsOuterRing@Base 6.2.1
> >>>>>> + msIsValidRegex@Base 7.6.2
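Review bot: `+ msIsValidRegex@Base 7.6.2` needs the Debian revision as well, since it is added by a patch in 7.6.2-2 rather than by the upstream release; `msIsValidRegex@Base 7.6.2-2~` ensures nothing built against it can end up depending on a libmapserver2 that predates the patch.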
> >>>>>
> >>>>> This version is not high enough. The symbols need to be marked as
> >>>>> requiring 7.6.2-2~
> >>>>
> >>>> There are no rdeps of mapserver in Debian, so no users of the symbols file.
> >>>
> >>> It's technically wrong. If you introduce symbols with a patch, the
> >>> symbols need to be properly versioned. After all, there is a user of the
> >>> symbols file and that is mapserver itself. If you have to introduce
> >>> calls to those two symbols outside of libmapserver in the next patch,
> >>> the dependency on libmapserver is wrong.
> >>
> >> libmapserver-dev already depends on libmapserver2 with (=
> >> ${binary:Version}).
> >>
> >> None of the other binary packages require symbols introduced after 7.0.5.
> >>
> >> All the code using msCaseEvalRegex & msIsValidRegex is within
> >> libmapserver itself.
> >>
> >> While strictly speaking the version in the symbols file should include
> >> the revision, it's not required in this case because nothing outside
> >> libmapserver uses it.
> >>
> >>>>> Please remove the moreinfo tag once that fixed version is available in
> >>>>> unstable.
> >>>>
> >>>> mapserver (7.6.2-2) has been uploaded to unstable without further
> >>>> changes to the symbols file.
> >>>
> >>> Again, please remove the moreinfo tag only once a fixed version is
> >>> available in unstable.
> >>
> >> There is no need for further changes in unstable.
> > 
> > Sebastian (the release team member), is there anything from the above
> > which you still want the maintainer to address? Sebastiaan, my
> > understanding is that Sebastian would like to see the above changes done
> > for mapserver to be unblocked.
> 
> That's my understanding too, but the additional information provided
> should make clear that those changes are not required.

I think I said it twice (from #988224#24):
> > > Please remove the moreinfo tag once that fixed version is available in
> > > unstable.
> > 
> > mapserver (7.6.2-2) has been uploaded to unstable without further
> > changes to the symbols file.
> 
> Again, please remove the moreinfo tag only once a fixed version is
> available in unstable.

I want these symbols fixed.

Cheers
-- 
Sebastian Ramacher
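A mechanical check for the versioning point argued in this thread, written as an added example (it is not code from the bug report or from mapserver's packaging): given the previous and current symbols files and package versions, it lists symbols that first appear in a new Debian revision of the same upstream release without being tagged with that revision (`7.6.2-2~`). The sample symbols lines are constructed from the hunks quoted above; the `libmapserver.so.2` header line and the function names are assumptions.

```python
def split_version(version):
    """Split a Debian version into (upstream, revision); revision is '' if absent."""
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
        return upstream, revision
    return version, ""

def parse_symbols(text):
    """Map symbol name -> minimal version from a dpkg symbols file.
    Symbol lines start with one space; the header, '*' and '|' lines are skipped."""
    symbols = {}
    for line in text.splitlines():
        if not line.startswith(" "):
            continue
        fields = line.split()
        if len(fields) >= 2:
            symbols[fields[0]] = fields[1]
    return symbols

def find_underversioned(old_text, new_text, old_version, new_version):
    """Return (symbol, version_found, version_expected) for each symbol that is new
    in new_text but lacks the Debian revision. Only meaningful when the upstream
    version is unchanged: the symbol then came from a Debian patch, and a
    '>= 7.6.2' dependency would wrongly be satisfied by 7.6.2-1."""
    old_up, _ = split_version(old_version)
    new_up, new_rev = split_version(new_version)
    if old_up != new_up or not new_rev:
        return []  # new upstream release: upstream version on new symbols is correct
    old, new = parse_symbols(old_text), parse_symbols(new_text)
    expected = f"{new_up}-{new_rev}~"  # '~' so binNMUs and backports still satisfy it
    return [(name, ver, expected) for name, ver in new.items()
            if name not in old and ver != expected]

# Constructed sample modelled on the libmapserver2.symbols hunks; header is assumed.
OLD_SYMBOLS = """libmapserver.so.2 libmapserver2 #MINVER#
 msCSVJoinPrepare@Base 6.2.1
 msCairoCleanup@Base 6.2.1
 msCaseReplaceSubstring@Base 6.2.1
 msIsOuterRing@Base 6.2.1
"""
NEW_SYMBOLS_AS_UPLOADED = OLD_SYMBOLS.replace(
    " msCaseReplaceSubstring", " msCaseEvalRegex@Base 7.6.2\n msCaseReplaceSubstring"
) + " msIsValidRegex@Base 7.6.2\n"
NEW_SYMBOLS_FIXED = NEW_SYMBOLS_AS_UPLOADED.replace("@Base 7.6.2\n", "@Base 7.6.2-2~\n")

if __name__ == "__main__":
    for problem in find_underversioned(OLD_SYMBOLS, NEW_SYMBOLS_AS_UPLOADED, "7.6.2-1", "7.6.2-2"):
        print("%s is versioned %s, should be %s" % problem)
```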
