Control: tags -1 - moreinfo

On 5/25/21 9:45 AM, Sebastian Ramacher wrote:
> On 2021-05-08 22:17:42 +0200, Sebastiaan Couwenberg wrote:
>> On 5/8/21 9:18 PM, Sebastian Ramacher wrote:
>>> On 2021-05-08 07:29:01 +0200, Bas Couwenberg wrote:
>>>> Package: release.debian.org
>>>> Severity: normal
>>>> User: release.debian....@packages.debian.org
>>>> Usertags: unblock
>>>>
>>>> Please unblock package mapserver to fix CVE-2021-32062 as reported in
>>>> #988208.
>>>>
>>>> [ Reason ]
>>>> Fix security issue.
>>>>
>>>> [ Impact ]
>>>> Unfixed security issue.
>>>>
>>>> [ Tests ]
>>>> Upstream CI.
>>>>
>>>> [ Risks ]
>>>> Low, leaf package.
>>>>
>>>> [ Checklist ]
>>>> [x] all changes are documented in the d/changelog
>>>> [x] I reviewed all changes and I approve them
>>>> [x] attach debdiff against the package in testing
>>>>
>>>> [ Other info ]
>>>> 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is
>>>> required as a dependency of
>>>> 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch.
>>>>
>>>> unblock mapserver/7.6.2-2
>>>
>>>> diff -Nru mapserver-7.6.2/debian/changelog mapserver-7.6.2/debian/changelog
>>>> --- mapserver-7.6.2/debian/changelog 2020-12-09 06:01:02.000000000
>>>> +0100
>>>> +++ mapserver-7.6.2/debian/changelog 2021-05-08 07:12:18.000000000
>>>> +0200
>>>> @@ -1,3 +1,12 @@
>>>> +mapserver (7.6.2-2) unstable; urgency=high
>>>> +
>>>> + * Drop unused lintian overrides.
>>>> + * Add upstream patches to fix CVE-2021-32062.
>>>> + (closes: #988208)
>>>> + * Update symbols file.
>>>> +
>>>> + -- Bas Couwenberg <sebas...@debian.org> Sat, 08 May 2021 07:12:18 +0200
>>>> +
>>>> mapserver (7.6.2-1) unstable; urgency=medium
>>>>
>>>> * Update symbols for other architectures.
>>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.lintian-overrides
>>>> mapserver-7.6.2/debian/libmapserver2.lintian-overrides
>>>> --- mapserver-7.6.2/debian/libmapserver2.lintian-overrides 2020-08-06
>>>> 05:34:57.000000000 +0200
>>>> +++ mapserver-7.6.2/debian/libmapserver2.lintian-overrides 1970-01-01
>>>> 01:00:00.000000000 +0100
>>>> @@ -1,3 +0,0 @@
>>>> -# Cannot easily be fixed
>>>> -file-references-package-build-path *
>>>> -
>>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.symbols
>>>> mapserver-7.6.2/debian/libmapserver2.symbols
>>>> --- mapserver-7.6.2/debian/libmapserver2.symbols 2020-12-09
>>>> 06:00:39.000000000 +0100
>>>> +++ mapserver-7.6.2/debian/libmapserver2.symbols 2021-05-08
>>>> 07:11:08.000000000 +0200
>>>> @@ -945,6 +945,7 @@
>>>> msCSVJoinPrepare@Base 6.2.1
>>>> msCairoCleanup@Base 6.2.1
>>>> msCalculateScale@Base 6.2.1
>>>> + msCaseEvalRegex@Base 7.6.2
>>>> msCaseReplaceSubstring@Base 6.2.1
>>>> msCheckLabelMinDistance@Base 7.0.0
>>>> msCheckParentPointer@Base 6.2.1
>>>> @@ -1418,6 +1419,7 @@
>>>> msIsGlyphASpace@Base 7.2.0
>>>> msIsLayerQueryable@Base 6.2.1
>>>> msIsOuterRing@Base 6.2.1
>>>> + msIsValidRegex@Base 7.6.2
>>>
>>> This version is not high enough. The symbols need to be marked as
>>> requiring 7.6.2-2~
>>
>> There are no rdeps of mapserver in Debian, so no users of the symbols file.
>
> It's technically wrong. If you introduce symbols with a patch, the
> symbols need to be properly versioned. After all, there is a user of the
> symbols file and that is mapserver itself. If you have to introduce
> calls to those two symbols outside of libmapserver in the next patch,
> the dependency on libmapserver is wrong.
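Review bot: the minimal version recorded for the two new symbols in the libmapserver2.symbols hunks (`+ msCaseEvalRegex@Base 7.6.2` in the `@@ -945,6 +945,7 @@` hunk and `+ msIsValidRegex@Base 7.6.2` in the `@@ -1418,6 +1419,7 @@` hunk) should be `7.6.2-2~`, not `7.6.2`. Both symbols are introduced by the Debian patches that the same changelog entry adds in 7.6.2-2, so the 7.6.2-1 build of upstream 7.6.2 does not export them; a dependency of `libmapserver2 (>= 7.6.2)` derived from these lines for any later caller would be satisfied by that -1 build, which lacks the symbols. Suggested lines: `+ msCaseEvalRegex@Base 7.6.2-2~` and `+ msIsValidRegex@Base 7.6.2-2~`.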
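Review bot: the changelog hunk (`@@ -1,3 +1,12 @@`) records `Add upstream patches to fix CVE-2021-32062` and the `[ Other info ]` section names the two patch files, but the quoted debdiff has no hunks for debian/patches/series or for either .patch file, so the actual CVE fix cannot be reviewed from what is shown here; the unblock request should carry the complete debdiff including debian/patches.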
libmapserver-dev already depends on libmapserver2 with (= ${binary:Version}).

None of the other binary packages require symbols introduced after 7.0.5.

All the code using msCaseEvalRegex & msIsValidRegex is within libmapserver itself.

While strictly speaking the version in the symbols file should include the revision, it's not required in this case because nothing outside libmapserver uses it.

>>> Please remove the moreinfo tag once that fixed version is available in
>>> unstable.
>>
>> mapserver (7.6.2-2) has been uploaded to unstable without further
>> changes to the symbols file.
>
> Again, please remove the moreinfo tag only once a fixed version is
> available in unstable.

There is no need for further changes in unstable.

Kind Regards,

Bas

--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
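The symbols-file versioning point argued in the thread above, as an added example that is not from the bug report or the mapserver package: a small Python reimplementation of dpkg's version ordering (including the `~` rule), used to show which installed versions would satisfy the `libmapserver2 (>= ...)` dependency that dpkg-shlibdeps derives from a minimal version of `7.6.2` versus `7.6.2-2~`. The function names are my own.

```python
# Added example, not from the bug thread: a small reimplementation of
# dpkg's version ordering, to show why a symbol first shipped by the
# Debian patch in 7.6.2-2 needs "7.6.2-2~" (not the upstream "7.6.2")
# as its minimal version in debian/libmapserver2.symbols.
import re
from itertools import zip_longest

_RUNS = re.compile(r"(\D*)(\d*)")  # alternating non-digit / digit runs

def _weight(c):
    # dpkg's character order: '~' < end of string < letters < other chars
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Compare one upstream or revision part the way dpkg's verrevcmp() does.
    for (na, da), (nb, db) in zip_longest(_RUNS.findall(a), _RUNS.findall(b),
                                          fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _weight(ca) != _weight(cb):
                return _weight(ca) - _weight(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def _split(version):
    # "[epoch:]upstream[-revision]"; epoch defaults to 0, revision to "".
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # <0, 0 or >0 as a sorts before, equal to or after b.
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def satisfies(installed, minver):
    # Does `installed` satisfy the "libmapserver2 (>= minver)" dependency
    # that dpkg-shlibdeps would derive from the symbols file?
    return compare_versions(installed, minver) >= 0

if __name__ == "__main__":
    for minver in ("7.6.2", "7.6.2-2~"):  # as uploaded vs. as requested
        for installed in ("7.6.2-1", "7.6.2-2", "7.6.2-2~bpo11+1"):
            print(f">= {minver:9} satisfied by {installed}: {satisfies(installed, minver)}")
```

With `7.6.2` as the minimal version, the 7.6.2-1 build that does not export `msIsValidRegex` still satisfies the dependency; with `7.6.2-2~` it does not, while 7.6.2-2 and a hypothetical backport of it do.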