[Git][debian-gis-team/mapserver][master] 5 commits: New upstream version 7.4.4
Bas Couwenberg
gitlab at salsa.debian.org
Fri Mar 20 20:37:00 GMT 2020
Bas Couwenberg pushed to branch master at Debian GIS Project / mapserver
Commits:
0618089a by Bas Couwenberg at 2020-03-20T21:13:31+01:00
New upstream version 7.4.4
- - - - -
6724c015 by Bas Couwenberg at 2020-03-20T21:13:46+01:00
Update upstream source from tag 'upstream/7.4.4'
Update to upstream version '7.4.4'
with Debian dir 06fc18a52a87bc9994a9530217f27c62a19bd4cb
- - - - -
c14a763c by Bas Couwenberg at 2020-03-20T21:14:04+01:00
New upstream release.
- - - - -
152f8db2 by Bas Couwenberg at 2020-03-20T21:15:35+01:00
Drop mapscript-buffer-overflow.patch, included upstream.
- - - - -
80796225 by Bas Couwenberg at 2020-03-20T21:16:02+01:00
Set distribution to unstable.
- - - - -
12 changed files:
- CMakeLists.txt
- HISTORY.TXT
- debian/changelog
- − debian/patches/mapscript-buffer-overflow.patch
- debian/patches/series
- mapgdal.c
- mapogroutput.c
- maprasterquery.c
- mapresample.c
- mapscript/php/mapscript_error.c
- mapsymbol.c
- mapwfslayer.c
Changes:
=====================================
CMakeLists.txt
=====================================
@@ -17,7 +17,7 @@ include(CheckCSourceCompiles)
set (MapServer_VERSION_MAJOR 7)
set (MapServer_VERSION_MINOR 4)
-set (MapServer_VERSION_REVISION 3)
+set (MapServer_VERSION_REVISION 4)
set (MapServer_VERSION_SUFFIX "")
set(TARGET_VERSION_MAJOR ${MapServer_VERSION_MAJOR})
=====================================
HISTORY.TXT
=====================================
@@ -12,6 +12,11 @@ For a complete change history, please see the Git log comments. For more
details about recent point releases, please see the online changelog at:
http://mapserver.org/development/changelog/
+7.4.4 release (2020-3-20)
+-------------------------
+
+- Security release, see ticket #6014 for more information.
+
7.4.3 release (2019-12-16)
--------------------------
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+mapserver (7.4.4-1) unstable; urgency=high
+
+ * New upstream release.
+ * Drop mapscript-buffer-overflow.patch, included upstream.
+
+ -- Bas Couwenberg <sebastic at debian.org> Fri, 20 Mar 2020 21:15:45 +0100
+
mapserver (7.4.3-3) unstable; urgency=high
* Bump debhelper compat to 10, changes:
=====================================
debian/patches/mapscript-buffer-overflow.patch deleted
=====================================
@@ -1,62 +0,0 @@
-Description: Fix PHPMapScript vulnerabilities in error handling.
-Author: Jeff McKenna <jmckenna at gatewaygeomatics.com>
-Bug: https://github.com/mapserver/mapserver/issues/6014
-
---- a/mapscript/php/mapscript_error.c
-+++ b/mapscript/php/mapscript_error.c
-@@ -35,8 +35,6 @@
- #include <stdarg.h>
- #include "../../maperror.h"
-
--#define MAX_EXCEPTION_MSG 256
--
- zend_class_entry *mapscript_ce_mapscriptexception;
-
- #if PHP_VERSION_ID >= 70000
-@@ -46,9 +44,10 @@ zval* mapscript_throw_exception(char *fo
- #endif
- {
- va_list args;
-- char message[MAX_EXCEPTION_MSG];
-+ char message[MESSAGELENGTH];
- va_start(args, format);
-- vsprintf(message, format, args);
-+ //prevent buffer overflow
-+ vsnprintf(message, MESSAGELENGTH, format, args);
- va_end(args);
- return zend_throw_exception(mapscript_ce_mapscriptexception, message, 0 TSRMLS_CC);
- }
-@@ -60,7 +59,7 @@ zval* mapscript_throw_mapserver_exceptio
- #endif
- {
- va_list args;
-- char message[MAX_EXCEPTION_MSG];
-+ char message[MESSAGELENGTH];
- errorObj *ms_error;
-
- ms_error = msGetErrorObj();
-@@ -73,17 +72,20 @@ zval* mapscript_throw_mapserver_exceptio
- }
-
- va_start(args, format);
-- vsprintf(message, format, args);
-+ //prevent buffer overflow
-+ vsnprintf(message, MESSAGELENGTH, format, args);
- va_end(args);
-- return mapscript_throw_exception(message TSRMLS_CC);
-+ //prevent format string attack
-+ return mapscript_throw_exception("%s", message TSRMLS_CC);
- }
-
- void mapscript_report_php_error(int error_type, char *format TSRMLS_DC, ...)
- {
- va_list args;
-- char message[MAX_EXCEPTION_MSG];
-+ char message[MESSAGELENGTH];
- va_start(args, format);
-- vsprintf(message, format, args);
-+ //prevent buffer overflow
-+ vsnprintf(message, MESSAGELENGTH, format, args);
- va_end(args);
- php_error_docref(NULL TSRMLS_CC, error_type, "%s,", message);
- }
=====================================
debian/patches/series
=====================================
@@ -1,4 +1,3 @@
perl-mapscript-install.patch
java-hardening.patch
swig-4.0.1.patch
-mapscript-buffer-overflow.patch
=====================================
mapgdal.c
=====================================
@@ -155,6 +155,7 @@ int msSaveImageGDAL( mapObj *map, imageObj *image, const char *filenameIn )
int bUseXmp = MS_FALSE;
const char *filename = NULL;
char *filenameToFree = NULL;
+ const char *gdal_driver_shortname = format->driver+5;
msGDALInitialize();
memset(&rb,0,sizeof(rasterBufferObj));
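Review bot: The new initializer `format->driver+5` carries an unexplained magic offset, and it now runs in the declaration block before any check visible in this hunk. Presumably the 5 skips a `GDAL/` prefix on the driver name; if so, a comment such as `/* skip the "GDAL/" prefix of format->driver */` would make that assumption explicit. If a driver string shorter than five characters can ever reach this function, the pointer would land past the terminator, so it is worth confirming that callers guarantee the prefix. The body of msSaveImageGDAL starts and ends outside the hunk, so where `format` is assigned cannot be checked here.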
@@ -170,11 +171,11 @@ int msSaveImageGDAL( mapObj *map, imageObj *image, const char *filenameIn )
/* Identify the proposed output driver. */
/* -------------------------------------------------------------------- */
msAcquireLock( TLOCK_GDAL );
- hOutputDriver = GDALGetDriverByName( format->driver+5 );
+ hOutputDriver = GDALGetDriverByName( gdal_driver_shortname );
if( hOutputDriver == NULL ) {
msReleaseLock( TLOCK_GDAL );
msSetError( MS_MISCERR, "Failed to find %s driver.",
- "msSaveImageGDAL()", format->driver+5 );
+ "msSaveImageGDAL()", gdal_driver_shortname );
return MS_FAILURE;
}
@@ -190,8 +191,12 @@ int msSaveImageGDAL( mapObj *map, imageObj *image, const char *filenameIn )
if( pszExtension == NULL )
pszExtension = "img.tmp";
- if( bUseXmp == MS_FALSE && GDALGetMetadataItem( hOutputDriver, GDAL_DCAP_VIRTUALIO, NULL )
- != NULL ) {
+ if( bUseXmp == MS_FALSE &&
+ GDALGetMetadataItem( hOutputDriver, GDAL_DCAP_VIRTUALIO, NULL ) != NULL &&
+ /* We need special testing here for the netCDF driver, since recent */
+ /* GDAL versions advertize VirtualIO support, but this is only for the */
+ /* read-side of the driver, not the write-side. */
+ !EQUAL(gdal_driver_shortname, "netCDF") ) {
msCleanVSIDir( "/vsimem/msout" );
filenameToFree = msTmpFile(map, NULL, "/vsimem/msout/", pszExtension );
}
=====================================
mapogroutput.c
=====================================
@@ -892,7 +892,7 @@ int msOGRWriteFromQuery( mapObj *map, outputFormatObj *format, int sendheaders )
/* Process each layer with a resultset. */
/* ==================================================================== */
for( iLayer = 0; iLayer < map->numlayers; iLayer++ ) {
- int status;
+ int status = 0;
layerObj *layer = GET_LAYER(map, iLayer);
shapeObj resultshape;
OGRLayerH hOGRLayer;
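Review bot: The new initializer `int status = 0;` uses a bare literal, while the code that later tests this variable (in the `-1103,20 +1103,21` hunk) compares it with `MS_SUCCESS`. Writing `int status = MS_SUCCESS;` states the intent and stays correct if the constant's value is ever changed. The loop body continues outside this hunk.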
@@ -1103,20 +1103,21 @@ int msOGRWriteFromQuery( mapObj *map, outputFormatObj *format, int sendheaders )
if( layer->resultcache->results[i].shape )
{
/* msDebug("Using cached shape %ld\n", layer->resultcache->results[i].shapeindex); */
- msCopyShape(layer->resultcache->results[i].shape, &resultshape);
+ status = msCopyShape(layer->resultcache->results[i].shape, &resultshape);
}
else
{
- status = msLayerGetShape(layer, &resultshape, &(layer->resultcache->results[i]));
- if(status != MS_SUCCESS) {
- OGR_DS_Destroy( hDS );
- msOGRCleanupDS( datasource_name );
- msGMLFreeItems(item_list);
- msFreeShape(&resultshape);
- CSLDestroy(layer_options);
- return status;
- }
+ status = msLayerGetShape(layer, &resultshape, &(layer->resultcache->results[i]));
}
+
+ if(status != MS_SUCCESS) {
+ OGR_DS_Destroy( hDS );
+ msOGRCleanupDS( datasource_name );
+ msGMLFreeItems(item_list);
+ msFreeShape(&resultshape);
+ CSLDestroy(layer_options);
+ return status;
+ }
/*
** Perform classification, and some annotation related magic.
=====================================
maprasterquery.c
=====================================
@@ -417,6 +417,9 @@ msRasterQueryByRectLow(mapObj *map, layerObj *layer, GDALDatasetH hDS,
CPLErr eErr;
rasterLayerInfo *rlinfo;
rectObj searchrect;
+#if PROJ_VERSION_MAJOR < 6
+ int mayNeedLonWrapAdjustment = MS_FALSE;
+#endif
rlinfo = (rasterLayerInfo *) layer->layerinfo;
@@ -555,6 +558,16 @@ msRasterQueryByRectLow(mapObj *map, layerObj *layer, GDALDatasetH hDS,
+ sqrt( rlinfo->range_dist );
dfAdjustedRange = dfAdjustedRange * dfAdjustedRange;
+#if PROJ_VERSION_MAJOR < 6
+ if( layer->project &&
+ pj_is_latlong(layer->projection.proj) &&
+ pj_is_latlong(map->projection.proj) )
+ {
+ double dfLonWrap = 0;
+ mayNeedLonWrapAdjustment = msProjectHasLonWrap(&(layer->projection), &dfLonWrap);
+ }
+#endif
+
/* -------------------------------------------------------------------- */
/* Loop over all pixels determining which are "in". */
/* -------------------------------------------------------------------- */
@@ -580,8 +593,22 @@ msRasterQueryByRectLow(mapObj *map, layerObj *layer, GDALDatasetH hDS,
/* coordinates if we have a hit */
sReprojectedPixelLocation = sPixelLocation;
if( layer->project )
+ {
+#if PROJ_VERSION_MAJOR < 6
+ /* Works around a bug in PROJ < 6 when reprojecting from a lon_wrap */
+ /* geogCRS to a geogCRS, and the input abs(longitude) is > 180. Then */
+ /* lon_wrap was ignored and the output longitude remained as the source */
+ if( mayNeedLonWrapAdjustment )
+ {
+ if( rlinfo->target_point.x < sReprojectedPixelLocation.x - 180 )
+ sReprojectedPixelLocation.x -= 360;
+ else if( rlinfo->target_point.x > sReprojectedPixelLocation.x + 180 )
+ sReprojectedPixelLocation.x += 360;
+ }
+#endif
msProjectPoint( &(layer->projection), &(map->projection),
&sReprojectedPixelLocation);
+ }
/* If we are doing QueryByShape, check against the shape now */
if( rlinfo->searchshape != NULL ) {
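Review bot: The block under `if( mayNeedLonWrapAdjustment )` shifts the pixel longitude relative to `rlinfo->target_point.x`, but nothing in this hunk shows that field holding a meaningful value for rectangle or shape queries. If `target_point` is only populated for point queries, the ±360 shift for other query types is decided against whatever the field happens to contain. The added comment explains the PROJ < 6 defect but not the choice of reference. A line such as `/* target_point is the reference longitude; for non-point queries it is <state what it holds> */` would document that dependency. The function body starts and ends outside the hunk.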
=====================================
mapresample.c
=====================================
@@ -1145,6 +1145,7 @@ static int msTransformMapToSource( int nDstXSize, int nDstYSize,
double dfYMinOut = 0.0;
double dfXMaxOut = 0.0;
double dfYMaxOut = 0.0;
+ const double dfHalfRes = adfDstGeoTransform[1] / 2;
/* Find out average y coordinate in src projection */
for( i = 0; i < nSamples; i++ ) {
@@ -1183,7 +1184,7 @@ static int msTransformMapToSource( int nDstXSize, int nDstYSize,
2, 1, x2, y2, z2 );
msReleaseLock( TLOCK_PROJ );
- if( x2[0] >= dfXMinOut && x2[0] <= dfXMaxOut &&
+ if( x2[0] >= dfXMinOut - dfHalfRes && x2[0] <= dfXMaxOut + dfHalfRes &&
y2[0] >= dfYMinOut && y2[0] <= dfYMaxOut )
{
double x_out = adfInvSrcGeoTransform[0]
@@ -1193,8 +1194,8 @@ static int msTransformMapToSource( int nDstXSize, int nDstYSize,
+ (dfLonWrap-180)*adfInvSrcGeoTransform[4]
+ dfY*adfInvSrcGeoTransform[5];
- /* Does the raster cover a whole 360 deg range ? */
- if( nSrcXSize == (int)(adfInvSrcGeoTransform[1] * 360 + 0.5) )
+ /* Does the raster cover, at least, a whole 360 deg range ? */
+ if( nSrcXSize >= (int)(adfInvSrcGeoTransform[1] * 360) )
{
psSrcExtent->minx = 0;
psSrcExtent->maxx = nSrcXSize;
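Review bot: The new test `nSrcXSize >= (int)(adfInvSrcGeoTransform[1] * 360)` truncates the pixel count, so a raster up to almost one pixel short of 360 degrees also passes, which does not match the new comment "at least, a whole 360 deg range". The removed code rounded with `+ 0.5`. If the truncation is a deliberate tolerance, the comment should say so, for example `/* truncation tolerates rasters up to one pixel short of 360 deg */`. The same expression appears in the `-1218,8 +1219,8` hunk. The `(int)` cast is also undefined if the product exceeds the `int` range, though whether that can happen depends on inputs not visible here.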
@@ -1208,8 +1209,8 @@ static int msTransformMapToSource( int nDstXSize, int nDstYSize,
psSrcExtent->maxy = MS_MAX(psSrcExtent->maxy, y_out);
}
- if( x2[1] >= dfXMinOut && x2[1] <= dfXMaxOut &&
- x2[1] >= dfYMinOut && y2[1] <= dfYMaxOut )
+ if( x2[1] >= dfXMinOut - dfHalfRes && x2[1] <= dfXMaxOut + dfHalfRes &&
+ y2[1] >= dfYMinOut && y2[1] <= dfYMaxOut )
{
double x_out = adfInvSrcGeoTransform[0]
+ (dfLonWrap+180)*adfInvSrcGeoTransform[1]
@@ -1218,8 +1219,8 @@ static int msTransformMapToSource( int nDstXSize, int nDstYSize,
+ (dfLonWrap+180)*adfInvSrcGeoTransform[4]
+ dfY*adfInvSrcGeoTransform[5];
- /* Does the raster cover a whole 360 deg range ? */
- if( nSrcXSize == (int)(adfInvSrcGeoTransform[1] * 360 + 0.5) )
+ /* Does the raster cover, at least, a whole 360 deg range ? */
+ if( nSrcXSize >= (int)(adfInvSrcGeoTransform[1] * 360) )
{
psSrcExtent->minx = 0;
psSrcExtent->maxx = nSrcXSize;
=====================================
mapscript/php/mapscript_error.c
=====================================
@@ -35,8 +35,6 @@
#include <stdarg.h>
#include "../../maperror.h"
-#define MAX_EXCEPTION_MSG 256
-
zend_class_entry *mapscript_ce_mapscriptexception;
#if PHP_VERSION_ID >= 70000
@@ -46,9 +44,10 @@ zval* mapscript_throw_exception(char *format TSRMLS_DC, ...)
#endif
{
va_list args;
- char message[MAX_EXCEPTION_MSG];
+ char message[MESSAGELENGTH];
va_start(args, format);
- vsprintf(message, format, args);
+ //prevent buffer overflow
+ vsnprintf(message, MESSAGELENGTH, format, args);
va_end(args);
return zend_throw_exception(mapscript_ce_mapscriptexception, message, 0 TSRMLS_CC);
}
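Review bot: The bound passed to `vsnprintf` repeats the `MESSAGELENGTH` macro instead of being derived from the buffer, so the two can drift apart if the declaration of `message` is changed later. `vsnprintf(message, sizeof(message), format, args);` ties the limit to the array itself. The same applies to the two `vsnprintf` calls in the `-73,17 +72,20` hunk. Truncation is now silent because the return value is dropped, so the comment would be more useful as `/* bounded write; overlong messages are truncated */` than the bare `//prevent buffer overflow`.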
@@ -60,7 +59,7 @@ zval* mapscript_throw_mapserver_exception(char *format TSRMLS_DC, ...)
#endif
{
va_list args;
- char message[MAX_EXCEPTION_MSG];
+ char message[MESSAGELENGTH];
errorObj *ms_error;
ms_error = msGetErrorObj();
@@ -73,17 +72,20 @@ zval* mapscript_throw_mapserver_exception(char *format TSRMLS_DC, ...)
}
va_start(args, format);
- vsprintf(message, format, args);
+ //prevent buffer overflow
+ vsnprintf(message, MESSAGELENGTH, format, args);
va_end(args);
- return mapscript_throw_exception(message TSRMLS_CC);
+ //prevent format string attack
+ return mapscript_throw_exception("%s", message TSRMLS_CC);
}
void mapscript_report_php_error(int error_type, char *format TSRMLS_DC, ...)
{
va_list args;
- char message[MAX_EXCEPTION_MSG];
+ char message[MESSAGELENGTH];
va_start(args, format);
- vsprintf(message, format, args);
+ //prevent buffer overflow
+ vsnprintf(message, MESSAGELENGTH, format, args);
va_end(args);
php_error_docref(NULL TSRMLS_CC, error_type, "%s,", message);
}
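Review bot: The `"%s"` change closes the format-string path only for the internal call inside `mapscript_throw_mapserver_exception`. `mapscript_throw_exception` and `mapscript_report_php_error` still take a caller-supplied `format`, so any call site that passes a non-literal string there would keep the same exposure; the call sites are outside this diff and should be audited. A contract comment on each of these functions, e.g. `/* format must be a string literal; pass dynamic text as a "%s" argument */`, would document the requirement. Separately, the `"%s,"` handed to `php_error_docref` appends a comma to every reported message, which looks unintended.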
=====================================
mapsymbol.c
=====================================
@@ -558,6 +558,7 @@ int loadSymbolSet(symbolSetObj *symbolset, mapObj *map)
char szPath[MS_MAXPATHLEN], *pszSymbolPath=NULL;
int foundSymbolSetToken=MS_FALSE;
+ int symbolSetLevel=0;
int token;
if(!symbolset) {
@@ -598,12 +599,20 @@ int loadSymbolSet(symbolSetObj *symbolset, mapObj *map)
switch(token) {
case(END):
+ if (--symbolSetLevel < 0) {
+ msSetError(MS_IDENTERR, "END token found outside SYMBOLSET context. When nesting multiple SYMBOLSETs, make sure the SYMBOLSET/END pairs match.", "msLoadSymbolSet()");
+ status = -1;
+ }
+ break;
case(EOF):
status = 0;
break;
case(SYMBOL):
/* Allocate/init memory for new symbol if needed */
- if (msGrowSymbolSet(symbolset) == NULL) {
+ if (symbolSetLevel == 0) {
+ msSetError(MS_IDENTERR, "SYMBOL token found outside SYMBOLSET context. When nesting multiple SYMBOLSETs, make sure the SYMBOLSET/END pairs match.", "msLoadSymbolSet()");
+ status = -1;
+ } else if (msGrowSymbolSet(symbolset) == NULL) {
status = -1;
} else if((loadSymbol((symbolset->symbol[symbolset->numsymbols]), pszSymbolPath) == -1))
status = -1;
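Review bot: The new nesting counter is checked when an `END` or `SYMBOL` arrives at level zero, but `case(EOF)` still sets `status = 0` unconditionally, so a file that opens a `SYMBOLSET` and never closes it is accepted silently. If that leniency is kept for backward compatibility, a comment at `case(EOF)` should say so. Otherwise the branch can test `symbolSetLevel > 0`, call `msSetError` and set `status = -1`, mirroring the two checks added here. The new messages also name the routine as `"msLoadSymbolSet()"`, while the function is `loadSymbolSet` and the existing parse error in the next hunk uses `"loadSymbolSet()"`. The switch continues outside this hunk.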
@@ -612,6 +621,7 @@ int loadSymbolSet(symbolSetObj *symbolset, mapObj *map)
break;
case(SYMBOLSET):
foundSymbolSetToken = MS_TRUE;
+ symbolSetLevel++;
break;
default:
msSetError(MS_IDENTERR, "Parsing error near (%s):(line %d)", "loadSymbolSet()", msyystring_buffer, msyylineno);
=====================================
mapwfslayer.c
=====================================
@@ -256,7 +256,7 @@ static char *msBuildWFSLayerPostRequest(mapObj *map, layerObj *lp,
"</ogc:Filter>", pszGeometryName, bbox->minx, bbox->miny, bbox->maxx, bbox->maxy);
}
- bufferSize = strlen(pszFilter)+500;
+ bufferSize = strlen(pszFilter)+strlen(psParams->pszTypeName)+500;
pszPostReq = (char *)msSmallMalloc(bufferSize);
if (psParams->nMaxFeatures > 0)
snprintf(pszPostReq, bufferSize, "<?xml version=\"1.0\" ?>\n"
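Review bot: The size computation still relies on the fixed `+500` allowance to cover the XML template and every other formatted field; only `pszTypeName` has been added to the computed part. `snprintf` keeps the write inside the buffer, but if the allowance is ever too small the result is a silently truncated, malformed request rather than an error. The `snprintf` call continues outside the hunk, so whether its return value is checked is not visible. If it is not, comparing the result against `bufferSize` and failing on truncation would make the limit explicit, and a short comment on what the 500 is meant to cover would help the next reader.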
@@ -1295,4 +1295,3 @@ msWFSLayerInitializeVirtualTable(layerObj *layer)
return MS_SUCCESS;
}
-
View it on GitLab: https://salsa.debian.org/debian-gis-team/mapserver/-/compare/8179fd38128411f4e3181e05108ea63b9c8454dd...80796225420ae2de822b4d211b9a182d7768b83e