On 2021-05-31 08:17:25 +0200, Sebastiaan Couwenberg wrote:
> On 5/31/21 8:07 AM, Sebastian Ramacher wrote:
> > On 2021-05-31 05:38:15 +0200, Sebastiaan Couwenberg wrote:
> >> On 5/30/21 9:12 PM, Salvatore Bonaccorso wrote:
> >>> Sebastiaan, Sebastian,
> >>>
> >>> On Tue, May 25, 2021 at 09:57:28AM +0200, Sebastiaan Couwenberg wrote:
> >>>> Control: tags -1 - moreinfo
> >>>>
> >>>> On 5/25/21 9:45 AM, Sebastian Ramacher wrote:
> >>>>> On 2021-05-08 22:17:42 +0200, Sebastiaan Couwenberg wrote:
> >>>>>> On 5/8/21 9:18 PM, Sebastian Ramacher wrote:
> >>>>>>> On 2021-05-08 07:29:01 +0200, Bas Couwenberg wrote:
> >>>>>>>> Package: release.debian.org
> >>>>>>>> Severity: normal
> >>>>>>>> User: release.debian.org@packages.debian.org
> >>>>>>>> Usertags: unblock
> >>>>>>>>
> >>>>>>>> Please unblock package mapserver to fix CVE-2021-32062 as reported in #988208.
> >>>>>>>>
> >>>>>>>> [ Reason ]
> >>>>>>>> Fix security issue.
> >>>>>>>>
> >>>>>>>> [ Impact ]
> >>>>>>>> Unfixed security issue.
> >>>>>>>>
> >>>>>>>> [ Tests ]
> >>>>>>>> Upstream CI.
> >>>>>>>>
> >>>>>>>> [ Risks ]
> >>>>>>>> Low, leaf package.
> >>>>>>>>
> >>>>>>>> [ Checklist ]
> >>>>>>>> [x] all changes are documented in the d/changelog
> >>>>>>>> [x] I reviewed all changes and I approve them
> >>>>>>>> [x] attach debdiff against the package in testing
> >>>>>>>>
> >>>>>>>> [ Other info ]
> >>>>>>>> 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is required as a dependency of 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch.
> >>>>>>>>
> >>>>>>>> unblock mapserver/7.6.2-2
> >>>>>>>
> >>>>>>>> diff -Nru mapserver-7.6.2/debian/changelog mapserver-7.6.2/debian/changelog
> >>>>>>>> --- mapserver-7.6.2/debian/changelog 2020-12-09 06:01:02.000000000 +0100
> >>>>>>>> +++ mapserver-7.6.2/debian/changelog 2021-05-08 07:12:18.000000000 +0200
> >>>>>>>> @@ -1,3 +1,12 @@
> >>>>>>>> +mapserver (7.6.2-2) unstable; urgency=high
> >>>>>>>> +
> >>>>>>>> + * Drop unused lintian overrides.
> >>>>>>>> + * Add upstream patches to fix CVE-2021-32062.
> >>>>>>>> + (closes: #988208)
> >>>>>>>> + * Update symbols file.
> >>>>>>>> +
> >>>>>>>> + -- Bas Couwenberg <sebastic@debian.org> Sat, 08 May 2021 07:12:18 +0200
> >>>>>>>> +
> >>>>>>>> mapserver (7.6.2-1) unstable; urgency=medium
> >>>>>>>>
> >>>>>>>> * Update symbols for other architectures.
> >>>>>>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.lintian-overrides mapserver-7.6.2/debian/libmapserver2.lintian-overrides
> >>>>>>>> --- mapserver-7.6.2/debian/libmapserver2.lintian-overrides 2020-08-06 05:34:57.000000000 +0200
> >>>>>>>> +++ mapserver-7.6.2/debian/libmapserver2.lintian-overrides 1970-01-01 01:00:00.000000000 +0100
> >>>>>>>> @@ -1,3 +0,0 @@
> >>>>>>>> -# Cannot easily be fixed
> >>>>>>>> -file-references-package-build-path *
> >>>>>>>> -
> >>>>>>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.symbols mapserver-7.6.2/debian/libmapserver2.symbols
> >>>>>>>> --- mapserver-7.6.2/debian/libmapserver2.symbols 2020-12-09 06:00:39.000000000 +0100
> >>>>>>>> +++ mapserver-7.6.2/debian/libmapserver2.symbols 2021-05-08 07:11:08.000000000 +0200
> >>>>>>>> @@ -945,6 +945,7 @@
> >>>>>>>> msCSVJoinPrepare@Base 6.2.1
> >>>>>>>> msCairoCleanup@Base 6.2.1
> >>>>>>>> msCalculateScale@Base 6.2.1
> >>>>>>>> + msCaseEvalRegex@Base 7.6.2
> >>>>>>>> msCaseReplaceSubstring@Base 6.2.1
> >>>>>>>> msCheckLabelMinDistance@Base 7.0.0
> >>>>>>>> msCheckParentPointer@Base 6.2.1
> >>>>>>>> @@ -1418,6 +1419,7 @@
> >>>>>>>> msIsGlyphASpace@Base 7.2.0
> >>>>>>>> msIsLayerQueryable@Base 6.2.1
> >>>>>>>> msIsOuterRing@Base 6.2.1
> >>>>>>>> + msIsValidRegex@Base 7.6.2
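Review bot: the minimum version on `+ msCaseEvalRegex@Base 7.6.2` (previous hunk) and `+ msIsValidRegex@Base 7.6.2` is too low: both symbols are introduced by the Debian patches in 7.6.2-2, so the 7.6.2-1 build does not export them yet still satisfies a dependency of `libmapserver2 (>= 7.6.2)` that dpkg-shlibdeps would derive from these entries. Version them as `msCaseEvalRegex@Base 7.6.2-2~` and `msIsValidRegex@Base 7.6.2-2~`; the trailing `~` keeps a backport such as 7.6.2-2~bpo10+1 within the dependency while still excluding 7.6.2-1.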
> >>>>>>>
> >>>>>>> This version is not high enough. The symbols need to be marked as
> >>>>>>> requiring 7.6.2-2~
> >>>>>>
> >>>>>> There are no rdeps of mapserver in Debian, so no users of the symbols file.
> >>>>>
> >>>>> It's technically wrong. If you introduce symbols with a patch, the
> >>>>> symbols need to be properly versioned. After all, there is a user of the
> >>>>> symbols file and that is mapserver itself. If you have to introduce
> >>>>> calls to those two symbols outside of libmapserver in the next patch,
> >>>>> the dependency on libmapserver is wrong.
> >>>>
> >>>> libmapserver-dev already depends on libmapserver2 with (=
> >>>> ${binary:Version}).
> >>>>
> >>>> None of the other binary packages require symbols introduced after 7.0.5.
> >>>>
> >>>> All the code using msCaseEvalRegex & msIsValidRegex is within
> >>>> libmapserver itself.
> >>>>
> >>>> While strictly speaking the version in the symbols file should include
> >>>> the revision, it's not required in this case because nothing outside
> >>>> libmapserver uses it.
> >>>>
> >>>>>>> Please remove the moreinfo tag once that fixed version is available in
> >>>>>>> unstable.
> >>>>>>
> >>>>>> mapserver (7.6.2-2) has been uploaded to unstable without further
> >>>>>> changes to the symbols file.
> >>>>>
> >>>>> Again, please remove the moreinfo tag only once a fixed version is
> >>>>> available in unstable.
> >>>>
> >>>> There is no need for further changes in unstable.
> >>>
> >>> Sebastian (the release team member), is there anything from the above
> >>> which you still want the maintainer to address? Sebastiaan, my
> >>> understanding is that Sebastian would like to see the above changes done
> >>> for mapserver to be unblocked.
> >>
> >> That's my understanding too, but the additional information provided
> >> should make clear that those changes are not required.
> >
> > I think I said it twice (from #988224#24):
>
> There is no message #24 in #988224.
Sorry, #26: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988224#26
>
> >>>> Please remove the moreinfo tag once that fixed version is available in
> >>>> unstable.
> >>>
> >>> mapserver (7.6.2-2) has been uploaded to unstable without further
> >>> changes to the symbols file.
> >>
> >> Again, please remove the moreinfo tag only once a fixed version is
> >> available in unstable.
> >
> > I want these symbols fixed.
>
> There is no need for that.
>
> Perhaps we should just close this issue as wontfix, I'm not going to
> change the symbols version for pedantic reasons.
If you are unwilling to fix a potential RC bug waiting to happen, then
yes, let's close it.
Cheers
>
> Kind Regards,
>
> Bas
>
> --
> GPG Key ID: 4096R/6750F10AE88D4AF1
> Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
>
--
Sebastian Ramacher
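To make concrete why the bare `7.6.2` in the symbols file matters, here is an added example (Python, written for this page and not taken from dpkg or from the mapserver packaging) that reimplements dpkg's version ordering and flags symbols-file entries whose minimum version an earlier revision already satisfies. The symbol names and the versions 7.6.2-1 and 7.6.2-2 are the ones from the debdiff quoted above; the entry text is constructed from it.

```python
# Added illustration for this thread, not code from dpkg or mapserver: flag
# symbols-file entries whose minimum version an older revision already meets.
def _order(s: str) -> int:
    # dpkg character weight: end/digits 0, '~' below all, letters < punctuation.
    c = s[:1]
    if not c or c.isdigit():
        return 0
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    # Compare alternating non-digit and digit runs, as dpkg's verrevcmp() does.
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            if _order(a) != _order(b):
                return _order(a) - _order(b)
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit() or b[:1].isdigit():
            return 1 if a[:1].isdigit() else -1
        if first_diff:
            return first_diff
    return 0

def _split(v: str):
    # [epoch:]upstream[-revision]; a missing epoch is 0, a missing revision "".
    epoch, _, rest = (v if ":" in v else "0:" + v).partition(":")
    upstream, dash, rev = rest.rpartition("-")
    return int(epoch), (upstream if dash else rev), (rev if dash else "")

def dpkg_cmp(x: str, y: str) -> int:
    """Compare two Debian versions: negative if x < y, 0 if equal, positive."""
    (ex, ux, rx), (ey, uy, ry) = _split(x), _split(y)
    return (ex - ey) or _verrevcmp(ux, uy) or _verrevcmp(rx, ry)

def underversioned(entries: str, added: set, previous: str) -> list:
    """Names in `added` whose minimum version (from symbols-file `entries`) the
    `previous` revision satisfies, so a dependency derived from the entry
    would accept a build that does not export the symbol."""
    minver = dict(line.split()[:2] for line in entries.splitlines()
                  if line.startswith(" ") and "@" in line)
    return sorted(n for n in added if dpkg_cmp(previous, minver[n]) >= 0)

# Constructed from the debdiff: the two symbols the CVE-2021-32062 patches add.
ADDED = {"msCaseEvalRegex@Base", "msIsValidRegex@Base"}
AS_UPLOADED = " msCaseEvalRegex@Base 7.6.2\n msIsValidRegex@Base 7.6.2\n"
PROPOSED = " msCaseEvalRegex@Base 7.6.2-2~\n msIsValidRegex@Base 7.6.2-2~\n"
```

Running `underversioned(AS_UPLOADED, ADDED, "7.6.2-1")` names both symbols, while the `7.6.2-2~` entries in `PROPOSED` yield an empty list.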