Dear Security Team,

After noticing the mapproxy security issue in the tracker, I've gone
ahead and backported the upstream patch for the 1.9.0 package in
stretch. See the attached debdiff.

Is this okay to upload to security-master?

Kind Regards,

Bas
diff -Nru mapproxy-1.9.0/debian/changelog mapproxy-1.9.0/debian/changelog
--- mapproxy-1.9.0/debian/changelog     2016-08-22 11:56:27.000000000 +0200
+++ mapproxy-1.9.0/debian/changelog     2018-01-07 09:33:15.000000000 +0100
@@ -1,3 +1,11 @@
+mapproxy (1.9.0-3+deb9u1) stretch-security; urgency=high
+
+  * Update branch in gbp.conf & Vcs-Git URL.
+  * Add upstream patch to fix Cross Site Scripting (XSS) issue in demo service.
+    Fixes CVE-2017-1000426.
+
+ -- Bas Couwenberg <[email protected]>  Sun, 07 Jan 2018 09:33:15 +0100
+
 mapproxy (1.9.0-3) unstable; urgency=medium
 
   * Add access_contraints patch ignored by .gitignore.
diff -Nru mapproxy-1.9.0/debian/control mapproxy-1.9.0/debian/control
--- mapproxy-1.9.0/debian/control       2016-08-14 12:48:50.000000000 +0200
+++ mapproxy-1.9.0/debian/control       2018-01-07 09:33:15.000000000 +0100
@@ -37,7 +37,7 @@
                xsltproc
 Standards-Version: 3.9.8
 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-grass/mapproxy.git
-Vcs-Git: https://anonscm.debian.org/git/pkg-grass/mapproxy.git
+Vcs-Git: https://anonscm.debian.org/git/pkg-grass/mapproxy.git -b stretch
 Homepage: http://mapproxy.org/
 X-Python-Version: >= 2.7
 
diff -Nru mapproxy-1.9.0/debian/gbp.conf mapproxy-1.9.0/debian/gbp.conf
--- mapproxy-1.9.0/debian/gbp.conf      2016-08-14 12:48:50.000000000 +0200
+++ mapproxy-1.9.0/debian/gbp.conf      2018-01-07 09:33:15.000000000 +0100
@@ -6,7 +6,7 @@
 
 # The default name for the Debian branch is "master".
 # Change it if the name is different (for instance, "debian/unstable").
-debian-branch = master
+debian-branch = stretch
 
 # git-import-orig uses the following names for the upstream tags.
 # Change the value if you are not using git-import-orig
diff -Nru 
mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch 
mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch
--- mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch      
1970-01-01 01:00:00.000000000 +0100
+++ mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch      
2018-01-07 09:33:15.000000000 +0100
@@ -0,0 +1,66 @@
+Description: demo: escape args to avoid XSS
+ Fixes CVE-2017-1000426,
+Author: Oliver Tonnhofer <[email protected]>
+Origin: 
https://github.com/mapproxy/mapproxy/commit/87faa667007b00ef11ee09b16707aa9ad2e8da28
+
+--- a/mapproxy/service/demo.py
++++ b/mapproxy/service/demo.py
+@@ -22,6 +22,7 @@ import os
+ import pkg_resources
+ import mimetypes
+ from collections import defaultdict
++from xml.sax.saxutils import escape
+ 
+ from mapproxy.config.config import base_config
+ from mapproxy.compat import PY2
+@@ -108,7 +109,10 @@ class DemoServer(Server):
+             demo = 
self._render_capabilities_template('demo/capabilities_demo.html', capabilities, 
'WMTS', url)
+         elif 'tms_capabilities' in req.args:
+             if 'layer' in req.args and 'srs' in req.args:
+-                url = '%s/tms/1.0.0/%s/%s'%(req.script_url, 
req.args['layer'], req.args['srs'])
++                # prevent dir traversal (seems it's not possible with 
urllib2, but better safe then sorry)
++                layer = req.args['layer'].replace('..', '')
++                srs = req.args['srs'].replace('..', '')
++                url = '%s/tms/1.0.0/%s/%s'%(req.script_url, layer, srs)
+             else:
+                 url = '%s/tms/1.0.0/'%(req.script_url)
+             capabilities = urllib2.urlopen(url)
+@@ -171,14 +175,14 @@ class DemoServer(Server):
+     def _render_wms_template(self, template, req):
+         template = get_template(template, default_inherit="demo/static.html")
+         layer = self.layers[req.args['wms_layer']]
+-        srs = req.args['srs']
++        srs = escape(req.args['srs'])
+         bbox = layer.extent.bbox_for(SRS(srs))
+         width = bbox[2] - bbox[0]
+         height = bbox[3] - bbox[1]
+         min_res = max(width/256, height/256)
+         return template.substitute(layer=layer,
+                                    image_formats=self.image_formats,
+-                                   format=req.args['format'],
++                                   format=escape(req.args['format']),
+                                    srs=srs,
+                                    layer_srs=self.layer_srs,
+                                    bbox=bbox,
+@@ -202,8 +206,8 @@ class DemoServer(Server):
+         else:
+             add_res_to_options = False
+         return template.substitute(layer=tile_layer,
+-                                   srs=req.args['srs'],
+-                                   format=req.args['format'],
++                                   srs=escape(req.args['srs']),
++                                   format=escape(req.args['format']),
+                                    resolutions=res,
+                                    units=units,
+                                    add_res_to_options=add_res_to_options,
+@@ -223,8 +227,8 @@ class DemoServer(Server):
+             units = 'm'
+         return template.substitute(layer=wmts_layer,
+                                    matrix_set=wmts_layer.grid.name,
+-                                   format=req.args['format'],
+-                                   srs=req.args['srs'],
++                                   format=escape(req.args['format']),
++                                   srs=escape(req.args['srs']),
+                                    resolutions=wmts_layer.grid.resolutions,
+                                    units=units,
+                                    all_tile_layers=self.tile_layers,
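Review bot: `escape()` from `xml.sax.saxutils` rewrites only `&`, `<` and `>`, so at each of the new `escape(req.args['srs'])` / `escape(req.args['format'])` call sites in this patch a `"` or `'` in the query string still reaches the template unchanged; if the demo templates place these values inside a quoted HTML attribute (which the patch does not show), that is enough to leave the attribute, and `escape(req.args['srs'], {'"': '&quot;', "'": '&#39;'})` would close it. The `.replace('..', '')` guard on `layer` and `srs` in the tms_capabilities branch is a blocklist-style sanitiser on values that are then interpolated into a URL handed to `urllib2.urlopen`; an allowlist check against the configured layers (the class already exposes `self.tile_layers`) would reject unknown names outright instead of rewriting them, and the in-patch comment's "seems it's not possible with urllib2" reads as an untested assumption worth confirming. The tms_capabilities branch and the three `template.substitute` calls all belong to methods that begin or end outside the quoted hunks.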
diff -Nru mapproxy-1.9.0/debian/patches/series 
mapproxy-1.9.0/debian/patches/series
--- mapproxy-1.9.0/debian/patches/series        2016-08-22 11:56:27.000000000 
+0200
+++ mapproxy-1.9.0/debian/patches/series        2018-01-07 09:33:15.000000000 
+0100
@@ -2,3 +2,4 @@
 0001-use-dummy-access_contraints-to-clarify-license.patch
 disable-tag_date.patch
 configuration-typo.patch
+0001-demo-escape-args-to-avoid-XSS.patch
