Dear LTS Team,

Today the MapServer team has announced the release of version 7.0.4, which fixes CVE-2017-5522 (stack buffer overflow). To quote the release announcement [0]:

"Today the project team released versions 6.0.6, 6.2.4, 6.4.5 and 7.0.4 of MapServer. This is primarily a security release to address CVE-2017-5522. That issue involves a buffer overflow identified by MapServer developers associated with specific WFS get feature requests."

I've already updated the package in unstable, and have cherry-picked the commit fixing the issue for the package in jessie (6.4.1-5+deb8u3) & wheezy (6.0.1-3.2+deb7u3). See the attached debdiff.

The issue may be remotely exploitable with specifically crafted WFS requests.

Affected versions:

 * wheezy: 6.0.1-3.2+deb7u3

Fixed versions:

 * wheezy: 6.0.1-3.2+deb7u4

Are these changes OK for wheezy-security?

[0] https://lists.osgeo.org/pipermail/mapserver-dev/2017-January/015007.html

Kind Regards,

Bas

-- 
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
diff -Nru mapserver-6.0.1/debian/changelog mapserver-6.0.1/debian/changelog --- mapserver-6.0.1/debian/changelog 2016-12-06 23:42:41.000000000 +0100 +++ mapserver-6.0.1/debian/changelog 2017-01-18 21:47:34.000000000 +0100 @@ -1,3 +1,9 @@ +mapserver (6.0.1-3.2+deb7u4) wheezy-security; urgency=high + + * Add upstream patch to fix CVE-2017-5522 (stack buffer overflow). + + -- Bas Couwenberg <sebas...@debian.org> Wed, 18 Jan 2017 21:47:28 +0100 + mapserver (6.0.1-3.2+deb7u3) wheezy-security; urgency=high * Add upstream patch to fix CVE-2016-9839. diff -Nru mapserver-6.0.1/debian/patches/CVE-2017-5522.patch mapserver-6.0.1/debian/patches/CVE-2017-5522.patch --- mapserver-6.0.1/debian/patches/CVE-2017-5522.patch 1970-01-01 01:00:00.000000000 +0100 +++ mapserver-6.0.1/debian/patches/CVE-2017-5522.patch 2017-01-18 21:46:57.000000000 +0100 @@ -0,0 +1,29 @@ +Description: security fix (patch by EvenR) + Fixes CVE-2017-5522 (stack buffer overflow) +Author: Even Rouault <even.roua...@spatialys.com> +Origin: https://github.com/mapserver/mapserver/commit/cf7a13e62e5c56e4c7f455c1c38037a96dd1019d + +--- a/mapogcfilter.c ++++ b/mapogcfilter.c +@@ -2874,6 +2874,9 @@ char *FLTGetIsLikeComparisonExpression(F + + pszValue = psFilterNode->psRightNode->pszValue; + nLength = strlen(pszValue); ++ ++ if( 1 + 2 * nLength + 1 + 1 >= sizeof(szTmp) ) ++ return NULL; + + iTmp =0; + if (nLength > 0 && pszValue[0] != pszWild[0] && +--- a/mapogcfiltercommon.c ++++ b/mapogcfiltercommon.c +@@ -146,6 +146,9 @@ char *FLTGetIsLikeComparisonCommonExpres + + pszValue = psFilterNode->psRightNode->pszValue; + nLength = strlen(pszValue); ++ ++ if( 1 + 2 * nLength + 1 + 1 >= sizeof(szTmp) ) ++ return NULL; + + iTmp =0; + if (nLength > 0 && pszValue[0] != pszWild[0] && diff -Nru mapserver-6.0.1/debian/patches/series mapserver-6.0.1/debian/patches/series --- mapserver-6.0.1/debian/patches/series 2016-12-06 23:42:41.000000000 +0100 +++ mapserver-6.0.1/debian/patches/series 2017-01-18 21:44:14.000000000 +0100 
@@ -4,3 +4,4 @@ contenttype cve-2013-7262 0001-Backport-4928-and-5356.patch +CVE-2017-5522.patch
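Review bot: the two identical hunks in mapogcfilter.c and mapogcfiltercommon.c make FLTGetIsLikeComparisonExpression and FLTGetIsLikeComparisonCommonExpression return NULL when the IsLike pattern is too long for szTmp, but the debdiff touches no caller of either function; please confirm that every caller already tolerates a NULL result, otherwise an over-long pattern in a crafted WFS request trades the stack overflow for a NULL dereference, which is still a remote crash. The new bound `if( 1 + 2 * nLength + 1 + 1 >= sizeof(szTmp) )` also deserves a one-line comment spelling out the accounting (leading character, up to two output bytes per input byte, trailing character, NUL terminator) so a future backporter does not have to re-derive it from the code that follows, and if nLength is declared as int rather than size_t in the 6.0.1 tree, the comparison against sizeof(szTmp) mixes signed and unsigned operands and should be checked for the negative case as well.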