Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected], [email protected] Control: affects -1 + src:mapserver User: [email protected] Usertags: pu
[ Reason ] Fix <no-dsa> issue CVE-2026-33721. [ Impact ] Users will remain vulnerable to CVE-2026-33721, and will regress when upgrading (a fix was uploaded to Bullseye LTS and Bookworm modulo os-pu bug #1131735). [ Tests ] POC at https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp and manual msautotests run. [ Risks ] Trivial fix. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in stable [x] the issue is verified as fixed in unstable [ Changes ] * Fix CVE-2026-33721: Heap buffer overflow in Styled Layer Descriptor (SLD) `Categorize` Threshold parsing. * Add d/salsa-ci.yml for Salsa CI. [ Other info ] Debusine results: https://debusine.debian.net/debian/developers/work-request/659132/ Tags and individual commits can be found on the LTS team fork: https://salsa.debian.org/lts-team/packages/mapserver/-/commits/debian/trixie?ref_type=heads -- Guilhem.
diffstat for mapserver-8.4.0 mapserver-8.4.0 changelog | 9 +++++++++ patches/CVE-2026-33721.patch | 29 +++++++++++++++++++++++++++++ patches/series | 1 + salsa-ci.yml | 9 +++++++++ 4 files changed, 48 insertions(+) diff -Nru mapserver-8.4.0/debian/changelog mapserver-8.4.0/debian/changelog --- mapserver-8.4.0/debian/changelog 2025-09-22 00:31:40.000000000 +0200 +++ mapserver-8.4.0/debian/changelog 2026-05-03 15:37:57.000000000 +0200 @@ -1,3 +1,12 @@ +mapserver (8.4.0-4+deb13u2) trixie; urgency=high + + * Non-maintainer upload. + * Fix CVE-2026-33721: Heap buffer overflow in SLD `Categorize` Threshold + parsing. + * Add d/salsa-ci.yml for Salsa CI. + + -- Guilhem Moulin <[email protected]> Sun, 03 May 2026 15:37:57 +0200 + mapserver (8.4.0-4+deb13u1) trixie; urgency=medium * Update branch in gbp.conf & Vcs-Git URL. diff -Nru mapserver-8.4.0/debian/patches/CVE-2026-33721.patch mapserver-8.4.0/debian/patches/CVE-2026-33721.patch --- mapserver-8.4.0/debian/patches/CVE-2026-33721.patch 1970-01-01 01:00:00.000000000 +0100 +++ mapserver-8.4.0/debian/patches/CVE-2026-33721.patch 2026-05-03 15:37:57.000000000 +0200 @@ -0,0 +1,29 @@ +From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> +Date: Mon, 23 Mar 2026 12:30:09 -0300 +Subject: msSLDParseRasterSymbolizer(): fix potential heap buffer overflow + +Credits to Trail of Bits and Anthropic for reporting and patch +suggestion + +Co-authored-by: Even Rouault <[email protected]> +Origin: https://github.com/MapServer/MapServer/commit/fb08dad4afee081b81c57ca0c5d37c149e7755f9 +Bug: https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp +Bug: https://github.com/MapServer/MapServer/pull/7461 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-33721 +--- + src/mapogcsld.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mapogcsld.cpp b/src/mapogcsld.cpp +index 15ca80d..4c5ed64 100644 +--- a/src/mapogcsld.cpp ++++ b/src/mapogcsld.cpp +@@ -2894,7 +2894,7 @@ int msSLDParseRasterSymbolizer(CPLXMLNode *psRoot, layerObj *psLayer, + } else if (strcasecmp(psNode->pszValue, "Threshold") == 0) { + papszThresholds[nThresholds] = psNode->psChild->pszValue; + nThresholds++; +- if (nValues == nMaxThreshold) { ++ if (nThresholds == nMaxThreshold) { + nMaxThreshold += 100; + papszThresholds = (char **)msSmallRealloc( + papszThresholds, sizeof(char *) * nMaxThreshold); diff -Nru mapserver-8.4.0/debian/patches/series mapserver-8.4.0/debian/patches/series --- mapserver-8.4.0/debian/patches/series 2025-09-22 00:31:40.000000000 +0200 +++ mapserver-8.4.0/debian/patches/series 2026-05-03 15:37:57.000000000 +0200 @@ -2,3 +2,4 @@ java-hardening.patch icu.patch CVE-2025-59431.patch +CVE-2026-33721.patch diff -Nru mapserver-8.4.0/debian/salsa-ci.yml mapserver-8.4.0/debian/salsa-ci.yml --- mapserver-8.4.0/debian/salsa-ci.yml 1970-01-01 01:00:00.000000000 +0100 +++ mapserver-8.4.0/debian/salsa-ci.yml 2026-05-03 15:37:57.000000000 +0200 @@ -0,0 +1,9 @@ +--- +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml + +variables: + RELEASE: 'trixie' + SALSA_CI_DISABLE_LINTIAN: 1 + SALSA_CI_DISABLE_REPROTEST: 1 + SALSA_CI_DISABLE_BLHC: 1
signature.asc
Description: PGP signature
