Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-CC: pkg-grass-de...@lists.alioth.debian.org

Dear Release Team,

I would like to upload postgis-2.1.4+dfsg-3 for jessie via unstable. This applies a minimally invasive upstream patch to fix a security issue. Upstream keeps the issue classified, see http://trac.osgeo.org/postgis/ticket/3094. AFAIUI a possible DoS is prevented by properly checking JSON input data.

Note that the mentioned backend crash effectively means the database will terminate all pending connections, roll back transactions, shut down and go through the usual recovery procedures. Being able to trigger that process just by feeding invalid GeoJSON data (e.g. via a web service) can certainly be considered an effective DoS-Attack.

The debdiff is attached.

Kind Regards

Markus Wanner
diff -Nru postgis-2.1.4+dfsg/debian/changelog postgis-2.1.4+dfsg/debian/changelog --- postgis-2.1.4+dfsg/debian/changelog 2014-10-16 10:37:58.000000000 +0200 +++ postgis-2.1.4+dfsg/debian/changelog 2015-03-31 08:06:43.000000000 +0200 @@ -1,3 +1,11 @@ +postgis (2.1.4+dfsg-3) unstable; urgency=high + + * Add patch geojson-fix-3094.patch, back-ported from the 2.1.7 release, + to fix a crash of the database backend process when given invalid + GeoJSON data. + + -- Markus Wanner <mar...@bluegap.ch> Mon, 30 Mar 2015 19:40:22 +0200 + postgis (2.1.4+dfsg-2) unstable; urgency=medium * Add Dutch translation by Frans Spiesschaert. Closes: #765409. diff -Nru postgis-2.1.4+dfsg/debian/patches/geojson-fix-3094.patch postgis-2.1.4+dfsg/debian/patches/geojson-fix-3094.patch --- postgis-2.1.4+dfsg/debian/patches/geojson-fix-3094.patch 1970-01-01 01:00:00.000000000 +0100 +++ postgis-2.1.4+dfsg/debian/patches/geojson-fix-3094.patch 2015-03-31 08:06:43.000000000 +0200 
@@ -0,0 +1,77 @@ +Description: Fix for GeoJSON ingestion + Malformed JSON data used to crash the database backend process and + especially web services use to pass on such JSON data unexamined. +Forwarded: not-needed +Bug: http://trac.osgeo.org/postgis/ticket/3094 +Origin: upstream, http://trac.osgeo.org/postgis/changeset/13400 +Author: Paul Ramsey <pram...@cleverelephant.ca> + +--- a/liblwgeom/lwin_geojson.c ++++ b/liblwgeom/lwin_geojson.c +@@ -59,7 +59,11 @@ + + if( NULL != json_object_get_object(poTmp) ) + { +- assert( NULL != json_object_get_object(poTmp)->head ); ++ if( NULL == json_object_get_object(poTmp)->head ) ++ { ++ geojson_lwerror("invalid GeoJSON representation", 2); ++ return NULL; ++ } + + for( it.entry = json_object_get_object(poTmp)->head; + ( it.entry ? +@@ -90,7 +94,12 @@ + const int nSize = json_object_array_length( poObj ); + LWDEBUGF(3, "parse_geojson_coord called for array size %d.", nSize ); + +- ++ if ( nSize < 2 ) ++ { ++ geojson_lwerror("Too few ordinates in GeoJSON", 4); ++ return LW_FAILURE; ++ } ++ + // Read X coordinate + poObjCoord = json_object_array_get_idx( poObj, 0 ); + pt.x = json_object_get_double( poObjCoord ); +@@ -101,7 +110,7 @@ + pt.y = json_object_get_double( poObjCoord ); + LWDEBUGF(3, "parse_geojson_coord pt.y = %f.", pt.y ); + +- if( nSize == 3 ) /* should this be >= 3 ? */ ++ if( nSize < 2 ) /* should this be >= 3 ? */ + { + // Read Z coordinate + poObjCoord = json_object_array_get_idx( poObj, 2 ); +@@ -109,19 +118,27 @@ + LWDEBUGF(3, "parse_geojson_coord pt.z = %f.", pt.z ); + *hasz = LW_TRUE; + } +- else ++ else if ( nSize == 2 ) + { + *hasz = LW_FALSE; + /* Initialize Z coordinate, if required */ + if ( FLAGS_GET_Z(pa->flags) ) pt.z = 0.0; + } +- +- /* TODO: should we account for nSize > 3 ? */ ++ else ++ { ++ /* TODO: should we account for nSize > 3 ? */ ++ /* more than 3 coordinates, we're just dropping dimensions here... 
*/ ++ } + + /* Initialize M coordinate, if required */ + if ( FLAGS_GET_M(pa->flags) ) pt.m = 0.0; + + } ++ else ++ { ++ /* If it's not an array, just don't handle it */ ++ return LW_FAILURE; ++ } + + return ptarray_append_point(pa, &pt, LW_FALSE); + } diff -Nru postgis-2.1.4+dfsg/debian/patches/series postgis-2.1.4+dfsg/debian/patches/series --- postgis-2.1.4+dfsg/debian/patches/series 2014-09-30 08:02:20.000000000 +0200 +++ postgis-2.1.4+dfsg/debian/patches/series 2015-03-31 08:06:43.000000000 +0200 @@ -9,3 +9,4 @@ correct-java-version.patch strip-invalid-whitespace-in-pom.patch fix-hurd-i386-ftbfs.patch +geojson-fix-3094.patch
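Review bot: In parse_geojson_coord (hunk @@ -101,7 +110,7 @@ of lwin_geojson.c), the Z-coordinate condition becomes `if( nSize < 2 )`, but the check added in the previous hunk already returns LW_FAILURE when nSize < 2, so this branch can never run and the ordinate at index 2 is never read. The comment kept on that line still asks "should this be >= 3 ?", which suggests `nSize >= 3` was the intended condition; with it, three-ordinate input would keep its Z value and set *hasz = LW_TRUE as the old `nSize == 3` test did.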
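Review bot: In hunk @@ -109,19 +118,27 @@ of lwin_geojson.c, the new final else of the ordinate handling contains only comments, so on that path *hasz is never assigned and pt.z is not initialized even when FLAGS_GET_Z(pa->flags) is set, unlike the `nSize == 2` branch. Given the `nSize < 2` test above it, every input with three or more ordinates lands there; assign *hasz and pt.z in that branch or fold the case into the Z-reading branch. The added non-array else also returns LW_FAILURE without calling geojson_lwerror, while the other new failure paths report a message, so a caller gets a failure with no reason attached.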