Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
To fix CVE-2016-9839 I'd like to update mapserver in jessie via proposed-updates, as the security team did not consider it severe enough for a DSA; see: https://lists.debian.org/debian-gis/2016/12/msg00001.html Kind Regards, Bas
diff -Nru mapserver-6.4.1/debian/changelog mapserver-6.4.1/debian/changelog --- mapserver-6.4.1/debian/changelog 2014-07-05 17:32:59.000000000 +0200 +++ mapserver-6.4.1/debian/changelog 2016-12-05 23:54:59.000000000 +0100 @@ -1,3 +1,9 @@ +mapserver (6.4.1-5+deb8u1) jessie-security; urgency=high + + * Add upstream patch to fix CVE-2016-9839. + + -- Bas Couwenberg <sebas...@debian.org> Mon, 05 Dec 2016 22:05:30 +0100 + mapserver (6.4.1-5) unstable; urgency=medium * Add debug package for libmapserver. Thanks to Frederic Junod for the patch. diff -Nru mapserver-6.4.1/debian/patches/0001-Backport-4928-and-5356.patch mapserver-6.4.1/debian/patches/0001-Backport-4928-and-5356.patch --- mapserver-6.4.1/debian/patches/0001-Backport-4928-and-5356.patch 1970-01-01 01:00:00.000000000 +0100 +++ mapserver-6.4.1/debian/patches/0001-Backport-4928-and-5356.patch 2016-12-05 23:53:24.000000000 +0100 
@@ -0,0 +1,120 @@
+From 022d24bd34196b6dca67053fb797a6980210bc54 Mon Sep 17 00:00:00 2001
+From: Thomas Bonfort <thomas.bonf...@gmail.com>
+Date: Thu, 1 Dec 2016 18:59:05 +0100
+Subject: Backport #4928 and #5356
+
+---
+ mapogr.cpp | 52 ++++++++++++++++++++++++++++------------------------
+ mappostgis.c | 4 ++--
+ 2 files changed, 30 insertions(+), 26 deletions(-)
+
+--- a/mapogr.cpp
++++ b/mapogr.cpp
+@@ -1118,18 +1118,15 @@ msOGRFileOpen(layerObj *layer, const cha
+ RELEASE_OGR_LOCK;
+
+ if( hDS == NULL ) {
+- if( strlen(CPLGetLastErrorMsg()) == 0 )
+- msSetError(MS_OGRERR,
+- "Open failed for OGR connection in layer `%s'. "
+- "File not found or unsupported format.",
+- "msOGRFileOpen()",
+- layer->name?layer->name:"(null)" );
+- else
+- msSetError(MS_OGRERR,
+- "Open failed for OGR connection in layer `%s'.\n%s\n",
+- "msOGRFileOpen()",
+- layer->name?layer->name:"(null)",
+- CPLGetLastErrorMsg() );
++ msSetError(MS_OGRERR,
++ "Open failed for OGR connection in layer `%s'. "
++ "Check logs.",
++ "msOGRFileOpen()",
++ layer->name?layer->name:"(null)" );
++ if( strlen(CPLGetLastErrorMsg()) != 0 )
++ msDebug("Open failed for OGR connection in layer `%s'.\n%s\n",
++ layer->name?layer->name:"(null)",
++ CPLGetLastErrorMsg() );
+ CPLFree( pszDSName );
+ CPLFree( pszLayerDef );
+ return NULL;
+@@ -1154,10 +1151,13 @@ msOGRFileOpen(layerObj *layer, const cha
+ ACQUIRE_OGR_LOCK;
+ hLayer = OGR_DS_ExecuteSQL( hDS, pszLayerDef, NULL, NULL );
+ if( hLayer == NULL ) {
+- msSetError(MS_OGRERR,
+- "ExecuteSQL(%s) failed.\n%s",
+- "msOGRFileOpen()",
+- pszLayerDef, CPLGetLastErrorMsg() );
++ msSetError(MS_OGRERR,
++ "ExecuteSQL(%s) failed. Check logs",
++ "msOGRFileOpen()",
++ pszLayerDef);
++ msDebug(
++ "ExecuteSQL(%s) failed.\n%s",
++ pszLayerDef, CPLGetLastErrorMsg() );
+ RELEASE_OGR_LOCK;
+ msConnPoolRelease( layer, hDS );
+ CPLFree( pszLayerDef );
+@@ -1189,9 +1189,11 @@ msOGRFileOpen(layerObj *layer, const cha
+ }
+
+ if (hLayer == NULL) {
+- msSetError(MS_OGRERR, "GetLayer(%s) failed for OGR connection `%s'.",
+- "msOGRFileOpen()",
+- pszLayerDef, connection );
++ msSetError(MS_OGRERR, "GetLayer(%s) failed for OGR connection. Check logs.",
++ "msOGRFileOpen()",
++ pszLayerDef);
++ msDebug("GetLayer(%s) failed for OGR connection `%s'.",
++ pszLayerDef, connection );
+ CPLFree( pszLayerDef );
+ msConnPoolRelease( layer, hDS );
+ return NULL;
+@@ -1356,10 +1358,12 @@ static int msOGRFileWhichShapes(layerObj
+ if( OGR_L_SetAttributeFilter( psInfo->hLayer, layer->filter.string+6 )
+ != OGRERR_NONE ) {
+ msSetError(MS_OGRERR,
+- "SetAttributeFilter(%s) failed on layer %s.\n%s",
++ "SetAttributeFilter(%s) failed on layer %s.",
+ "msOGRFileWhichShapes()",
+- layer->filter.string+6, layer->name?layer->name:"(null)",
+- CPLGetLastErrorMsg() );
++ layer->filter.string+6, layer->name?layer->name:"(null)");
++ msDebug("SetAttributeFilter(%s) failed on layer %s.\n%s",
++ layer->filter.string+6, layer->name?layer->name:"(null)",
++ CPLGetLastErrorMsg() );
+ RELEASE_OGR_LOCK;
+ return MS_FAILURE;
+ }
+@@ -1562,8 +1566,8 @@ msOGRFileNextShape(layerObj *layer, shap
+ if( (hFeature = OGR_L_GetNextFeature( psInfo->hLayer )) == NULL ) {
+ psInfo->last_record_index_read = -1;
+ if( CPLGetLastErrorType() == CE_Failure ) {
+- msSetError(MS_OGRERR, "%s", "msOGRFileNextShape()",
+- CPLGetLastErrorMsg() );
++ msSetError(MS_OGRERR, "OGR error. check logs", "msOGRFileNextShape()");
++ msDebug("msOGRFileNextShape() error: %s", CPLGetLastErrorMsg() );
+ RELEASE_OGR_LOCK;
+ return MS_FAILURE;
+ } else {
+--- a/mappostgis.c
++++ b/mappostgis.c
+@@ -2305,7 +2305,8 @@ int msPostGISLayerOpen(layerObj *layer)
+ }
+ }
+
+- msSetError(MS_QUERYERR, "Database connection failed (%s) with connect string '%s'\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?", "msPostGISLayerOpen()", PQerrorMessage(layerinfo->pgconn), maskeddata);
++ msDebug("Database connection failed (%s) with connect string '%s'\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?.\n", PQerrorMessage(layerinfo->pgconn), maskeddata);
++ msSetError(MS_QUERYERR, "Database connection failed.\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?", "msPostGISLayerOpen()");
+
+ free(maskeddata);
+ free(layerinfo);
+@@ -2327,7 +2328,6 @@ int msPostGISLayerOpen(layerObj *layer)
+ msSetError(MS_QUERYERR, "PostgreSQL database connection gone bad (%s)", "msPostGISLayerOpen()", PQerrorMessage(layerinfo->pgconn));
+ return MS_FAILURE;
+ }
+-
+ }
+ }
+
diff -Nru mapserver-6.4.1/debian/patches/series mapserver-6.4.1/debian/patches/series
--- mapserver-6.4.1/debian/patches/series 2014-07-05 17:32:59.000000000 +0200
+++ mapserver-6.4.1/debian/patches/series 2016-12-05 23:54:14.000000000 +0100
@@ -5,3 +5,4 @@
 cmake-mapserver-export.patch
 java-hardening.patch
 php56.patch
+0001-Backport-4928-and-5356.patch
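Review bot: The rewritten msSetError calls in the mapogr.cpp hunks at -1154, -1189 and -1356 still format `pszLayerDef` and `layer->filter.string+6` into the error text, so the layer's SQL or definition and its filter expression can still appear wherever the error stack is reported. Only CPLGetLastErrorMsg() and `connection` were moved to msDebug. If the goal of the CVE fix is that reported errors carry no datasource detail, these arguments could be dropped from the msSetError side as well, e.g. `msSetError(MS_OGRERR, "ExecuteSQL() failed. Check logs.", "msOGRFileOpen()");`, keeping the value only in the msDebug line. Whether msSetError text reaches remote clients is decided outside these hunks, and both function bodies extend beyond them.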
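Review bot: In the -1189 hunk the added msDebug call writes the raw `connection` string to the debug log, and for some OGR drivers a connection string may carry credentials. The mappostgis.c hunk in this same patch logs `maskeddata` rather than the raw connect string, so the two files now treat this differently. Logging the layer name instead would avoid it, e.g. `msDebug("GetLayer(%s) failed for layer %s.\n", pszLayerDef, layer->name?layer->name:"(null)");`. Separately, the msDebug strings added for ExecuteSQL, GetLayer and msOGRFileNextShape end without "\n" while the Open-failed and PostGIS ones end with it, so these entries may run into the next log line; and the new client messages vary between "Check logs.", "Check logs" and "check logs".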
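Review bot: The unchanged context line in the second mappostgis.c hunk (-2327) still passes `PQerrorMessage(layerinfo->pgconn)` to msSetError in the "PostgreSQL database connection gone bad (%s)" message, which is the same pattern the -2305 hunk removes from the connection-failed path. It could be split the same way: `msDebug("PostgreSQL database connection gone bad (%s)\n", PQerrorMessage(layerinfo->pgconn));` followed by `msSetError(MS_QUERYERR, "PostgreSQL database connection gone bad. Check logs.", "msPostGISLayerOpen()");`. The body of msPostGISLayerOpen extends beyond both hunks, so other error paths that may format libpq messages are not visible here.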