Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package mapserver

The attached debdiff contains two patches. The first fixes a DoS and was reported to me privately by Landry Breuil. The second is not strictly required for unstable; it fixes a FTBFS issue with PHP 5. It is required for the OSGeo-Live derivative which uses the source package maintained in Debian.

unblock mapserver/7.0.4-2

Kind Regards,

Bas

diff -Nru mapserver-7.0.4/debian/changelog mapserver-7.0.4/debian/changelog --- mapserver-7.0.4/debian/changelog 2017-01-16 19:38:29.000000000 +0100 +++ mapserver-7.0.4/debian/changelog 2017-02-14 18:29:54.000000000 +0100 @@ -1,3 +1,11 @@ +mapserver (7.0.4-2) unstable; urgency=medium + + * Add patch to use include paths from php-config. + * Add patch by Landry Breuil to fix memory corruption/double-free + when LAYERS parameter is specified multiple times. + + -- Bas Couwenberg <sebas...@debian.org> Tue, 14 Feb 2017 18:29:54 +0100 + mapserver (7.0.4-1) unstable; urgency=high * New upstream release. diff -Nru mapserver-7.0.4/debian/patches/0001-Declare-nLayerOrder-where-it-s-used.-5387.patch mapserver-7.0.4/debian/patches/0001-Declare-nLayerOrder-where-it-s-used.-5387.patch --- mapserver-7.0.4/debian/patches/0001-Declare-nLayerOrder-where-it-s-used.-5387.patch 1970-01-01 01:00:00.000000000 +0100 +++ mapserver-7.0.4/debian/patches/0001-Declare-nLayerOrder-where-it-s-used.-5387.patch 2017-02-14 18:23:46.000000000 +0100 
@@ -0,0 +1,25 @@ +Description: Declare nLayerOrder where it's used. + If LAYERS is specified multiple times in the query string, nLayerOrder isnt + reset to 0, and this leads to memory corruption/double-free's upon exit. +Author: Landry Breuil <bre...@craig.fr> +Origin: https://github.com/mapserver/mapserver/commit/132695864b27bb6fced9a866f35365f445889a00 +Bug: https://github.com/mapserver/mapserver/issues/5387 + +--- a/mapwms.c ++++ b/mapwms.c +@@ -791,7 +791,6 @@ int msWMSLoadGetMapParams(mapObj *map, i + const char *wms_request, owsRequestObj *ows_request) + { + int i, adjust_extent = MS_FALSE, nonsquare_enabled = MS_FALSE; +- int nLayerOrder = 0; + int transparent = MS_NOOVERRIDE; + int bbox_pixel_is_point = MS_FALSE; + outputFormatObj *format = NULL; +@@ -870,6 +869,7 @@ int msWMSLoadGetMapParams(mapObj *map, i + + if (strcasecmp(names[i], "LAYERS") == 0) { + int j, k, iLayer, *layerOrder; ++ int nLayerOrder = 0; + char ***nestedGroups = NULL; + int *numNestedGroups = NULL; + int *isUsedInNestedGroup = NULL; diff -Nru mapserver-7.0.4/debian/patches/php-mapscript.patch mapserver-7.0.4/debian/patches/php-mapscript.patch --- mapserver-7.0.4/debian/patches/php-mapscript.patch 1970-01-01 01:00:00.000000000 +0100 +++ mapserver-7.0.4/debian/patches/php-mapscript.patch 2017-02-14 18:24:48.000000000 +0100 
@@ -0,0 +1,18 @@ +Description: Use include paths from php-config when include path not found. +Author: Bas Couwenberg <sebas...@debian.org> +Forwarded: https://github.com/mapserver/mapserver/pull/5370 +Applied-Upstream: https://github.com/mapserver/mapserver/commit/37a70fff4ab54f12619833414cb1995643f7a10d + +--- a/cmake/FindPHP5.cmake ++++ b/cmake/FindPHP5.cmake +@@ -86,6 +86,10 @@ IF(PHP5_CONFIG_EXECUTABLE) + + MESSAGE(STATUS ${PHP5_MAIN_INCLUDE_DIR}) + ++ IF(NOT PHP5_INCLUDE_PATH) ++ set(PHP5_INCLUDE_PATH ${PHP5_INCLUDES}) ++ ENDIF(NOT PHP5_INCLUDE_PATH) ++ + IF(PHP5_VERSION LESS 5) + MESSAGE(FATAL_ERROR "PHP version is not 5 or later") + ENDIF(PHP5_VERSION LESS 5) diff -Nru mapserver-7.0.4/debian/patches/series mapserver-7.0.4/debian/patches/series --- mapserver-7.0.4/debian/patches/series 2017-01-07 11:15:20.000000000 +0100 +++ mapserver-7.0.4/debian/patches/series 2017-02-14 18:23:42.000000000 +0100 @@ -2,3 +2,5 @@ perl-mapscript-install.patch ruby-mapscript-install.patch java-hardening.patch +php-mapscript.patch +0001-Declare-nLayerOrder-where-it-s-used.-5387.patch
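
Review bot: in the debian/changelog hunk, the memory corruption/double-free entry gives no reference a reader can follow, although the patch header in the same debdiff carries one (Bug: https://github.com/mapserver/mapserver/issues/5387). Adding the upstream issue number to the changelog line would let someone reading only the changelog tell which fix this is and confirm later whether a given package version contains it. The entry is also listed second, while the request describes it as the main reason for the upload; putting the security-relevant fix first would match that.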
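
Review bot: in the mapwms.c hunk at the LAYERS branch, the fix depends entirely on `int nLayerOrder = 0;` being declared inside the block, and nothing in the code says so, so a later cleanup that hoists the declaration back to the top of msWMSLoadGetMapParams would reintroduce the corruption without any warning. A one-line comment next to the declaration stating that the counter must restart for every LAYERS occurrence would guard against that. The neighbouring `*layerOrder` in `int j, k, iLayer, *layerOrder;` is declared without an initializer, and the hunk does not show how a second LAYERS pass treats what the first one set up, so it is worth confirming that path and adding a regression test that sends LAYERS twice. The Description text also has two typos ("isnt", "double-free's").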
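
Review bot: in the cmake/FindPHP5.cmake hunk, the fallback `set(PHP5_INCLUDE_PATH ${PHP5_INCLUDES})` has no check that PHP5_INCLUDES is itself non-empty, so when both are missing the variable is left unset and configuration carries on to the version test, deferring the failure to compile time. Consider emitting a MESSAGE (or a FATAL_ERROR) when PHP5_INCLUDE_PATH is still unset after the fallback. As a style point, the lowercase `set` sits between uppercase `IF`/`ENDIF`/`MESSAGE` calls; `SET(...)` would match the surrounding file.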