[Git][debian-gis-team/mapserver][buster-backports] 2 commits: Add upstream patch to fix PHPMapScript error handling vulnerabilities.

Fri Mar 20 20:06:39 GMT 2020


Bas Couwenberg pushed to branch buster-backports at Debian GIS Project / mapserver


Commits:
c111781d by Bas Couwenberg at 2020-03-20T20:53:38+01:00
Add upstream patch to fix PHPMapScript error handling vulnerabilities.

- - - - -
f805ff79 by Bas Couwenberg at 2020-03-20T20:54:29+01:00
Set distribution to buster-backports.

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/mapscript-buffer-overflow.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,9 @@
+mapserver (7.4.3-1~bpo10+2) buster-backports; urgency=high
+
+  * Add upstream patch to fix PHPMapScript error handling vulnerabilities.
+
+ -- Bas Couwenberg <sebastic at debian.org>  Fri, 20 Mar 2020 20:53:42 +0100
+
 mapserver (7.4.3-1~bpo10+1) buster-backports; urgency=medium
 
   * Rebuild for buster-backports.


=====================================
debian/patches/mapscript-buffer-overflow.patch
=====================================
@@ -0,0 +1,62 @@
+Description: Fix PHPMapScript vulnerabilities in error handling.
+Author: Jeff McKenna <jmckenna at gatewaygeomatics.com>
+Bug: https://github.com/mapserver/mapserver/issues/6014
+
+--- a/mapscript/php/mapscript_error.c
++++ b/mapscript/php/mapscript_error.c
+@@ -35,8 +35,6 @@
+ #include <stdarg.h>
+ #include "../../maperror.h"
+ 
+-#define MAX_EXCEPTION_MSG 256
+-
+ zend_class_entry *mapscript_ce_mapscriptexception;
+ 
+ #if  PHP_VERSION_ID >= 70000
+@@ -46,9 +44,10 @@ zval* mapscript_throw_exception(char *fo
+ #endif
+ {
+   va_list args;
+-  char message[MAX_EXCEPTION_MSG];
++  char message[MESSAGELENGTH];
+   va_start(args, format);
+-  vsprintf(message, format, args);
++  //prevent buffer overflow
++  vsnprintf(message, MESSAGELENGTH, format, args);
+   va_end(args);
+   return zend_throw_exception(mapscript_ce_mapscriptexception, message, 0 TSRMLS_CC);
+ }
+@@ -60,7 +59,7 @@ zval* mapscript_throw_mapserver_exceptio
+ #endif
+ {
+   va_list args;
+-  char message[MAX_EXCEPTION_MSG];
++  char message[MESSAGELENGTH];
+   errorObj *ms_error;
+ 
+   ms_error = msGetErrorObj();
+@@ -73,17 +72,20 @@ zval* mapscript_throw_mapserver_exceptio
+   }
+ 
+   va_start(args, format);
+-  vsprintf(message, format, args);
++  //prevent buffer overflow
++  vsnprintf(message, MESSAGELENGTH, format, args);
+   va_end(args);
+-  return mapscript_throw_exception(message TSRMLS_CC);
++  //prevent format string attack
++  return mapscript_throw_exception("%s", message TSRMLS_CC);
+ }
+ 
+ void mapscript_report_php_error(int error_type, char *format TSRMLS_DC, ...)
+ {
+   va_list args;
+-  char message[MAX_EXCEPTION_MSG];
++  char message[MESSAGELENGTH];
+   va_start(args, format);
+-  vsprintf(message, format, args);
++  //prevent buffer overflow
++  vsnprintf(message, MESSAGELENGTH, format, args); 
+   va_end(args);
+   php_error_docref(NULL TSRMLS_CC, error_type, "%s,", message);
+ }


=====================================
debian/patches/series
=====================================
@@ -1,2 +1,3 @@
 perl-mapscript-install.patch
 java-hardening.patch
+mapscript-buffer-overflow.patch



View it on GitLab: https://salsa.debian.org/debian-gis-team/mapserver/-/compare/10ced127578184356dd488181776f79741d79187...f805ff79fac76591d9390459d51b22b82716d13a

-- 
View it on GitLab: https://salsa.debian.org/debian-gis-team/mapserver/-/compare/10ced127578184356dd488181776f79741d79187...f805ff79fac76591d9390459d51b22b82716d13a
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-grass-devel/attachments/20200320/bf629ed5/attachment-0001.html>
