[DebianGIS-dev] r2355 - in packages/mapserver/branches/etch/4.10.0/debian: . patches
aboudreault-guest at alioth.debian.org
Tue Jul 14 17:58:34 UTC 2009
Author: aboudreault-guest
Date: 2009-07-14 17:58:33 +0000 (Tue, 14 Jul 2009)
New Revision: 2355
Added:
packages/mapserver/branches/etch/4.10.0/debian/patches/80_CVE-2007-4542.dpatch
packages/mapserver/branches/etch/4.10.0/debian/patches/81_CVE-2007-4629.dpatch
packages/mapserver/branches/etch/4.10.0/debian/patches/82_CVE-2009-0839.dpatch
packages/mapserver/branches/etch/4.10.0/debian/patches/83_CVE-2009-0840-CVE-2009-2281.dpatch
packages/mapserver/branches/etch/4.10.0/debian/patches/84_CVE-2009-0841.dpatch
packages/mapserver/branches/etch/4.10.0/debian/patches/85_CVE-2009-0842.dpatch
packages/mapserver/branches/etch/4.10.0/debian/patches/86_CVE-2009-0843.dpatch
Removed:
packages/mapserver/branches/etch/4.10.0/debian/patches/80_xss.dpatch
Modified:
packages/mapserver/branches/etch/4.10.0/debian/changelog
packages/mapserver/branches/etch/4.10.0/debian/patches/00list
Log:
Security patch for etch
Modified: packages/mapserver/branches/etch/4.10.0/debian/changelog
===================================================================
--- packages/mapserver/branches/etch/4.10.0/debian/changelog 2009-07-14 15:33:49 UTC (rev 2354)
+++ packages/mapserver/branches/etch/4.10.0/debian/changelog 2009-07-14 17:58:33 UTC (rev 2355)
@@ -1,12 +1,26 @@
-mapserver (4.10.0-5+etch2) stable-security; urgency=high
+mapserver (4.10.0-5.1+etch3) stable-security; urgency=high
- * Fixed XSS vulnerabilities.
- - Added 80_xss.dpatch. Patch provided by upstream with minor modifications
- to apply correctly.
- [http://trac.osgeo.org/mapserver/ticket/2256]
+ * Fix stack-based buffer overflow (CVE-2009-0839).
+ * Fix heap-based buffer underflow (CVE-2009-0840, CVE-2009-2281).
+ * Fix relative file path writing (CVE-2009-0841).
+ * Fix file data leakage (CVE-2009-0842).
+ * Fix file existence leakage (CVE-2009-0843).
- -- Andreas Putzo <andreas at putzo.net> Tue, 28 Aug 2007 20:19:05 +0000
+ -- Alan Boudreault <aboudreault at mapgears.com> Tue, 14 Jul 2009 10:00:12 -0400
+mapserver (4.10.0-5.1+etch2) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Apply upstream patches fixing two vulnerabilities:
+ - CVE-2007-4542: Cross-site scripting (XSS) vulnerabilities using
+ mapserver's writeError function (upstream fix also addresses
+ a potential buffer overflow)
+ - CVE-2007-4629: Multiple stack buffer overflow vulnerabilities
+ in template handlers, potentially allowing the execution of
+ arbitrary code via a maliciously crafted map file
+
+ -- Devin Carraway <devin at debian.org> Tue, 1 Apr 2008 08:00:05 +0000
+
mapserver (4.10.0-5+etch1) testing; urgency=low
* debian/po/ja.po: added, thanks to Kobayashi Noritada. (Closes: #413119)
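Review bot: the existing 4.10.0-5+etch2 entry (Andreas Putzo, 28 Aug 2007) is deleted here and a 4.10.0-5.1+etch2 entry is put in its place, instead of the new entries being added above it. If 4.10.0-5+etch2 was never uploaded, say so in the commit log; otherwise keep the old entry so the changelog still matches what was released. The new etch3 entry also lists only CVE ids; naming the dpatch file that carries each fix (82_ to 86_) would make it easier to audit.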
Modified: packages/mapserver/branches/etch/4.10.0/debian/patches/00list
===================================================================
--- packages/mapserver/branches/etch/4.10.0/debian/patches/00list 2009-07-14 15:33:49 UTC (rev 2354)
+++ packages/mapserver/branches/etch/4.10.0/debian/patches/00list 2009-07-14 17:58:33 UTC (rev 2355)
@@ -1,4 +1,10 @@
20_php_build
50_clean
70_ptrreturn
-80_xss
+80_CVE-2007-4542.dpatch
+81_CVE-2007-4629.dpatch
+82_CVE-2009-0839
+83_CVE-2009-0840-CVE-2009-2281
+84_CVE-2009-0841
+85_CVE-2009-0842
+86_CVE-2009-0843
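Review bot: the two entries 80_CVE-2007-4542.dpatch and 81_CVE-2007-4629.dpatch carry the .dpatch suffix, while every other line in 00list, including the five added directly below them, is a bare name. Use one form throughout (the bare name matches the existing lines) and confirm the whole series still applies in order after the change.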
Added: packages/mapserver/branches/etch/4.10.0/debian/patches/80_CVE-2007-4542.dpatch
===================================================================
--- packages/mapserver/branches/etch/4.10.0/debian/patches/80_CVE-2007-4542.dpatch (rev 0)
+++ packages/mapserver/branches/etch/4.10.0/debian/patches/80_CVE-2007-4542.dpatch 2009-07-14 17:58:33 UTC (rev 2355)
@@ -0,0 +1,72 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 80_CVE-2007-4542.dpatch by Devin Carraway <devin at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Upstream patch for CVE-2007-4542, fixing overflows in template
+## DP: handlers and an XSS vulnerability.
+
+
+ at DPATCH@
+Index: maptemplate.c
+===================================================================
+--- a/maptemplate.c (revision 6672)
++++ b/maptemplate.c (working copy)
+@@ -2790,10 +2790,15 @@
+ } /* end query mode specific substitutions */
+
+ for(i=0;i<msObj->request->NumParams;i++) {
+- sprintf(substr, "[%s]", msObj->request->ParamNames[i]);
+- outstr = gsub(outstr, substr, msObj->request->ParamValues[i]);
+- sprintf(substr, "[%s_esc]", msObj->request->ParamNames[i]);
++ /* Replace [variable] tags using values from URL. We cannot offer a
++ * [variable_raw] option here due to the risk of XSS
++ */
++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s]", msObj->request->ParamNames[i]);
++ encodedstr = msEncodeHTMLEntities(msObj->request->ParamValues[i]);
++ outstr = gsub(outstr, substr, encodedstr);
++ free(encodedstr);
+
++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_esc]", msObj->request->ParamNames[i]);
+ encodedstr = msEncodeUrl(msObj->request->ParamValues[i]);
+ outstr = gsub(outstr, substr, encodedstr);
+ free(encodedstr);
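Review bot: both snprintf calls take PROCESSLINE_BUFLEN as the bound, but the declaration of substr is not part of this hunk, so nothing visible here shows that substr is really that large. If substr is a local array, sizeof(substr) would tie the bound to the declaration; if it is not, please point to where it is sized with PROCESSLINE_BUFLEN.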
+Index: mapserv.c
+===================================================================
+--- a/mapserv.c (revision 6672)
++++ b/mapserv.c (working copy)
+@@ -177,7 +177,7 @@
+ msIO_printf("<HEAD><TITLE>MapServer Message</TITLE></HEAD>\n");
+ msIO_printf("<!-- %s -->\n", msGetVersion());
+ msIO_printf("<BODY BGCOLOR=\"#FFFFFF\">\n");
+- msWriteError(stdout);
++ msWriteErrorXML(stdout);
+ msIO_printf("</BODY></HTML>");
+ msCleanup();
+ exit(0);
+@@ -191,7 +191,7 @@
+ msIO_printf("<HEAD><TITLE>MapServer Message</TITLE></HEAD>\n");
+ msIO_printf("<!-- %s -->\n", msGetVersion());
+ msIO_printf("<BODY BGCOLOR=\"#FFFFFF\">\n");
+- msWriteError(stdout);
++ msWriteErrorXML(stdout);
+ msIO_printf("</BODY></HTML>");
+ }
+ } else {
+@@ -203,7 +203,7 @@
+ msIO_printf("<HEAD><TITLE>MapServer Message</TITLE></HEAD>\n");
+ msIO_printf("<!-- %s -->\n", msGetVersion());
+ msIO_printf("<BODY BGCOLOR=\"#FFFFFF\">\n");
+- msWriteError(stdout);
++ msWriteErrorXML(stdout);
+ msIO_printf("</BODY></HTML>");
+ }
+ } else {
+@@ -212,7 +212,7 @@
+ msIO_printf("<HEAD><TITLE>MapServer Message</TITLE></HEAD>\n");
+ msIO_printf("<!-- %s -->\n", msGetVersion());
+ msIO_printf("<BODY BGCOLOR=\"#FFFFFF\">\n");
+- msWriteError(stdout);
++ msWriteErrorXML(stdout);
+ msIO_printf("</BODY></HTML>");
+ }
+ }
Property changes on: packages/mapserver/branches/etch/4.10.0/debian/patches/80_CVE-2007-4542.dpatch
___________________________________________________________________
Added: svn:executable
+ *
Deleted: packages/mapserver/branches/etch/4.10.0/debian/patches/80_xss.dpatch
===================================================================
--- packages/mapserver/branches/etch/4.10.0/debian/patches/80_xss.dpatch 2009-07-14 15:33:49 UTC (rev 2354)
+++ packages/mapserver/branches/etch/4.10.0/debian/patches/80_xss.dpatch 2009-07-14 17:58:33 UTC (rev 2355)
@@ -1,78 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 80_xss.dpatch by Andreas Putzo <andreas at putzo.net>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Fix XSS vulnerabilities.
-## DP: http://trac.osgeo.org/mapserver/ticket/2256
-
- at DPATCH@
-diff -urNad mapserver-4.10.0~/HISTORY.TXT mapserver-4.10.0/HISTORY.TXT
---- mapserver-4.10.0~/HISTORY.TXT 2006-10-02 17:30:32.000000000 +0000
-+++ mapserver-4.10.0/HISTORY.TXT 2007-08-28 19:53:30.000000000 +0000
-@@ -16,6 +16,8 @@
- Version 4.10.0 (2006-10-04)
- ---------------------------
-
-+- Fixed XSS vulnerabilities (#2256)
-+
- - No source code changes since 4.10.0-rc1
-
- Known issues in 4.10.0:
-diff -urNad mapserver-4.10.0~/mapserv.c mapserver-4.10.0/mapserv.c
---- mapserver-4.10.0~/mapserv.c 2006-08-29 01:56:53.000000000 +0000
-+++ mapserver-4.10.0/mapserv.c 2007-08-28 19:53:30.000000000 +0000
-@@ -183,7 +183,7 @@
- msIO_printf("<HEAD><TITLE>MapServer Message</TITLE></HEAD>\n");
- msIO_printf("<!-- %s -->\n", msGetVersion());
- msIO_printf("<BODY BGCOLOR=\"#FFFFFF\">\n");
-- msWriteError(stdout);
-+ msWriteErrorXML(stdout);
- msIO_printf("</BODY></HTML>");
- msFreeMapServObj(msObj);
- msCleanup();
-@@ -198,7 +198,7 @@
- msIO_printf("<HEAD><TITLE>MapServer Message</TITLE></HEAD>\n");
- msIO_printf("<!-- %s -->\n", msGetVersion());
- msIO_printf("<BODY BGCOLOR=\"#FFFFFF\">\n");
-- msWriteError(stdout);
-+ msWriteErrorXML(stdout);
- msIO_printf("</BODY></HTML>");
- }
- } else {
-@@ -210,7 +210,7 @@
- msIO_printf("<HEAD><TITLE>MapServer Message</TITLE></HEAD>\n");
- msIO_printf("<!-- %s -->\n", msGetVersion());
- msIO_printf("<BODY BGCOLOR=\"#FFFFFF\">\n");
-- msWriteError(stdout);
-+ msWriteErrorXML(stdout);
- msIO_printf("</BODY></HTML>");
- }
- } else {
-@@ -219,7 +219,7 @@
- msIO_printf("<HEAD><TITLE>MapServer Message</TITLE></HEAD>\n");
- msIO_printf("<!-- %s -->\n", msGetVersion());
- msIO_printf("<BODY BGCOLOR=\"#FFFFFF\">\n");
-- msWriteError(stdout);
-+ msWriteErrorXML(stdout);
- msIO_printf("</BODY></HTML>");
- }
- }
-diff -urNad mapserver-4.10.0~/maptemplate.c mapserver-4.10.0/maptemplate.c
---- mapserver-4.10.0~/maptemplate.c 2006-09-29 20:52:05.000000000 +0000
-+++ mapserver-4.10.0/maptemplate.c 2007-08-28 19:53:30.000000000 +0000
-@@ -2965,10 +2965,12 @@
- } /* end query mode specific substitutions */
-
- for(i=0;i<msObj->request->NumParams;i++) {
-- sprintf(substr, "[%s]", msObj->request->ParamNames[i]);
-- outstr = gsub(outstr, substr, msObj->request->ParamValues[i]);
-- sprintf(substr, "[%s_esc]", msObj->request->ParamNames[i]);
-+ snprintf(substr, PROCESSLINE_BUFLEN, "[%s]", msObj->request->ParamNames[i]);
-+ encodedstr = msEncodeHTMLEntities(msObj->request->ParamValues[i]);
-+ outstr = gsub(outstr, substr, encodedstr);
-+ free(encodedstr);
-
-+ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_esc]", msObj->request->ParamNames[i]);
- encodedstr = msEncodeUrl(msObj->request->ParamValues[i]);
- outstr = gsub(outstr, substr, encodedstr);
- free(encodedstr);
Added: packages/mapserver/branches/etch/4.10.0/debian/patches/81_CVE-2007-4629.dpatch
===================================================================
--- packages/mapserver/branches/etch/4.10.0/debian/patches/81_CVE-2007-4629.dpatch (rev 0)
+++ packages/mapserver/branches/etch/4.10.0/debian/patches/81_CVE-2007-4629.dpatch 2009-07-14 17:58:33 UTC (rev 2355)
@@ -0,0 +1,131 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 81_CVE-2007-4629.dpatch by Devin Carraway <devin at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Upstream patch for CVE-2007-4629, fixing buffer overflows
+## DP: in template handlers.
+
+
+ at DPATCH@
+Index: /branches/branch-4-10/mapserver/HISTORY.TXT
+===================================================================
+--- mapserver/maptemplate.c (revision 6043)
++++ mapserver/maptemplate.c (revision 6668)
+@@ -2602,26 +2602,26 @@
+ if(isOn(msObj, msObj->Map->layers[i].name, msObj->Map->layers[i].group) == MS_TRUE) {
+ if(msObj->Map->layers[i].group) {
+- sprintf(substr, "[%s_select]", msObj->Map->layers[i].group);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_select]", msObj->Map->layers[i].group);
+ outstr = gsub(outstr, substr, "selected=\"selected\"");
+- sprintf(substr, "[%s_check]", msObj->Map->layers[i].group);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_check]", msObj->Map->layers[i].group);
+ outstr = gsub(outstr, substr, "checked=\"checked\"");
+ }
+ if(msObj->Map->layers[i].name) {
+- sprintf(substr, "[%s_select]", msObj->Map->layers[i].name);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_select]", msObj->Map->layers[i].name);
+ outstr = gsub(outstr, substr, "selected=\"selected\"");
+- sprintf(substr, "[%s_check]", msObj->Map->layers[i].name);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_check]", msObj->Map->layers[i].name);
+ outstr = gsub(outstr, substr, "checked=\"checked\"");
+ }
+ } else {
+ if(msObj->Map->layers[i].group) {
+- sprintf(substr, "[%s_select]", msObj->Map->layers[i].group);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_select]", msObj->Map->layers[i].group);
+ outstr = gsub(outstr, substr, "");
+- sprintf(substr, "[%s_check]", msObj->Map->layers[i].group);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_check]", msObj->Map->layers[i].group);
+ outstr = gsub(outstr, substr, "");
+ }
+ if(msObj->Map->layers[i].name) {
+- sprintf(substr, "[%s_select]", msObj->Map->layers[i].name);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_select]", msObj->Map->layers[i].name);
+ outstr = gsub(outstr, substr, "");
+- sprintf(substr, "[%s_check]", msObj->Map->layers[i].name);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_check]", msObj->Map->layers[i].name);
+ outstr = gsub(outstr, substr, "");
+ }
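Review bot: the inner patch header reads "Index: /branches/branch-4-10/mapserver/HISTORY.TXT", but the ---/+++ lines that follow and every hunk in this file are for mapserver/maptemplate.c. It looks like the HISTORY.TXT part of the upstream changeset was cut out and its Index line left behind; replace it with the maptemplate.c Index line (or drop it) so the header does not mislead whoever next refreshes the patch.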
+@@ -2667,7 +2667,7 @@
+ if (msObj->Map->web.metadata.items[j] != NULL) {
+ for(tp=msObj->Map->web.metadata.items[j]; tp!=NULL; tp=tp->next) {
+- sprintf(substr, "[web_%s]", tp->key);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[web_%s]", tp->key);
+ outstr = gsub(outstr, substr, tp->data);
+- sprintf(substr, "[web_%s_esc]", tp->key);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[web_%s_esc]", tp->key);
+
+ encodedstr = msEncodeUrl(tp->data);
+@@ -2685,10 +2685,10 @@
+ if(msObj->Map->layers[i].metadata.items[j] != NULL) {
+ for(tp=msObj->Map->layers[i].metadata.items[j]; tp!=NULL; tp=tp->next) {
+- sprintf(substr, "[%s_%s]", msObj->Map->layers[i].name, tp->key);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_%s]", msObj->Map->layers[i].name, tp->key);
+ if(msObj->Map->layers[i].status == MS_ON)
+ outstr = gsub(outstr, substr, tp->data);
+ else
+ outstr = gsub(outstr, substr, "");
+- sprintf(substr, "[%s_%s_esc]", msObj->Map->layers[i].name, tp->key);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_%s_esc]", msObj->Map->layers[i].name, tp->key);
+ if(msObj->Map->layers[i].status == MS_ON) {
+ encodedstr = msEncodeUrl(tp->data);
+@@ -2848,8 +2848,8 @@
+ if(msObj->ResultLayer->metadata.items[i] != NULL) {
+ for(tp=msObj->ResultLayer->metadata.items[i]; tp!=NULL; tp=tp->next) {
+- sprintf(substr, "[metadata_%s]", tp->key);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[metadata_%s]", tp->key);
+ outstr = gsub(outstr, substr, tp->data);
+
+- sprintf(substr, "[metadata_%s_esc]", tp->key);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[metadata_%s_esc]", tp->key);
+ encodedstr = msEncodeUrl(tp->data);
+ outstr = gsub(outstr, substr, encodedstr);
+@@ -2905,5 +2905,5 @@
+ for(i=0;i<msObj->ResultLayer->numitems;i++) {
+ /* by default let's encode attributes for HTML presentation */
+- sprintf(substr, "[%s]", msObj->ResultLayer->items[i]);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s]", msObj->ResultLayer->items[i]);
+ if(strstr(outstr, substr) != NULL) {
+ encodedstr = msEncodeHTMLEntities(msObj->ResultShape.values[i]);
+@@ -2913,5 +2913,5 @@
+
+ /* of course you might want to embed that data in URLs */
+- sprintf(substr, "[%s_esc]", msObj->ResultLayer->items[i]);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_esc]", msObj->ResultLayer->items[i]);
+ if(strstr(outstr, substr) != NULL) {
+ encodedstr = msEncodeUrl(msObj->ResultShape.values[i]);
+@@ -2921,5 +2921,5 @@
+
+ /* or you might want to access the attributes unaltered */
+- sprintf(substr, "[%s_raw]", msObj->ResultLayer->items[i]);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_raw]", msObj->ResultLayer->items[i]);
+ if(strstr(outstr, substr) != NULL)
+ outstr = gsub(outstr, substr, msObj->ResultShape.values[i]);
+@@ -2934,5 +2934,5 @@
+ for(j=0;j<msObj->ResultLayer->joins[i].numitems;j++) {
+ /* by default let's encode attributes for HTML presentation */
+- sprintf(substr, "[%s_%s]", msObj->ResultLayer->joins[i].name, msObj->ResultLayer->joins[i].items[j]);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_%s]", msObj->ResultLayer->joins[i].name, msObj->ResultLayer->joins[i].items[j]);
+ if(strstr(outstr, substr) != NULL) {
+ encodedstr = msEncodeHTMLEntities(msObj->ResultLayer->joins[i].values[j]);
+@@ -2942,5 +2942,5 @@
+
+ /* of course you might want to embed that data in URLs */
+- sprintf(substr, "[%s_%s_esc]", msObj->ResultLayer->joins[i].name, msObj->ResultLayer->joins[i].items[j]);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_%s_esc]", msObj->ResultLayer->joins[i].name, msObj->ResultLayer->joins[i].items[j]);
+ if(strstr(outstr, substr) != NULL) {
+ encodedstr = msEncodeUrl(msObj->ResultLayer->joins[i].values[j]);
+@@ -2950,5 +2950,5 @@
+
+ /* or you might want to access the attributes unaltered */
+- sprintf(substr, "[%s_%s_raw]", msObj->ResultLayer->joins[i].name, msObj->ResultLayer->joins[i].items[j]);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[%s_%s_raw]", msObj->ResultLayer->joins[i].name, msObj->ResultLayer->joins[i].items[j]);
+ if(strstr(outstr, substr) != NULL)
+ outstr = gsub(outstr, substr, msObj->ResultLayer->joins[i].values[j]);
+@@ -2957,5 +2957,5 @@
+ char *joinTemplate=NULL;
+
+- sprintf(substr, "[join_%s]", msObj->ResultLayer->joins[i].name);
++ snprintf(substr, PROCESSLINE_BUFLEN, "[join_%s]", msObj->ResultLayer->joins[i].name);
+ if(strstr(outstr, substr) != NULL) {
+ joinTemplate = processOneToManyJoin(msObj, &(msObj->ResultLayer->joins[i]));
Property changes on: packages/mapserver/branches/etch/4.10.0/debian/patches/81_CVE-2007-4629.dpatch
___________________________________________________________________
Added: svn:executable
+ *
Added: packages/mapserver/branches/etch/4.10.0/debian/patches/82_CVE-2009-0839.dpatch
===================================================================
--- packages/mapserver/branches/etch/4.10.0/debian/patches/82_CVE-2009-0839.dpatch (rev 0)
+++ packages/mapserver/branches/etch/4.10.0/debian/patches/82_CVE-2009-0839.dpatch 2009-07-14 17:58:33 UTC (rev 2355)
@@ -0,0 +1,281 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 82_CVE-2009-0839.dpatch by Alan Boudreault <aboudreault at mapgears.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad mapserver-4.10.0~/map.h mapserver-4.10.0/map.h
+--- mapserver-4.10.0~/map.h 2006-10-04 10:54:49.000000000 -0400
++++ mapserver-4.10.0/map.h 2009-07-14 13:06:22.521857713 -0400
+@@ -242,7 +242,9 @@
+ /* General defines, not wrapable */
+ #ifndef SWIG
+ #define MS_DEFAULT_MAPFILE_PATTERN "\\.map$"
+-#define MS_TEMPLATE_EXPR "\\.(jsp|asp|cfm|xml|wml|html|htm|shtml|phtml|php|svg)$"
++
++#define MS_TEMPLATE_MAGIC_STRING "MapServer Template"
++#define MS_TEMPLATE_EXPR "\\.(xml|wml|html|htm|svg|kml|gml|js|tmpl)$"
+
+ #define MS_INDEX_EXTENSION ".qix"
+ #define MS_QUERY_EXTENSION ".qy"
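Review bot: the new MS_TEMPLATE_EXPR removes jsp, asp, cfm, shtml, phtml and php from the accepted template extensions (and adds kml, gml, js and tmpl), so mapfiles that reference templates with the removed extensions will stop working after this security upgrade. Combined with the new MS_TEMPLATE_MAGIC_STRING requirement this is a user-visible behaviour change, yet the changelog line for CVE-2009-0839 only says "Fix stack-based buffer overflow". Add a changelog or NEWS note telling administrators which extensions are still accepted and that the first line of every template must contain "MapServer Template".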
+@@ -1482,6 +1484,7 @@
+ MS_DLL_EXPORT char *msJoinStrings(char **array, int arrayLength, const char *delimeter);
+ MS_DLL_EXPORT char *msHashString(const char *pszStr);
+ MS_DLL_EXPORT char *msCommifyString(char *str);
++MS_DLL_EXPORT const char *msCaseFindSubstring(const char *haystack, const char *needle);
+
+ #ifdef NEED_STRDUP
+ MS_DLL_EXPORT char *strdup(char *s);
+diff -urNad mapserver-4.10.0~/mapserv.c mapserver-4.10.0/mapserv.c
+--- mapserver-4.10.0~/mapserv.c 2006-08-28 21:56:53.000000000 -0400
++++ mapserver-4.10.0/mapserv.c 2009-07-14 13:06:22.521857713 -0400
+@@ -278,8 +278,21 @@
+ } else {
+ if(getenv(msObj->request->ParamValues[i])) /* an environment references the actual file to use */
+ map = msLoadMap(getenv(msObj->request->ParamValues[i]), NULL);
+- else
++ else {
++ /* by here we know the request isn't for something in an environment variable */
++ if(getenv("MS_MAP_NO_PATH")) {
++ msSetError(MS_WEBERR, "Mapfile not found in environment variables and this server is not configured for full paths.", "loadMap()");
++ writeError();
++ }
++
++ if(getenv("MS_MAP_PATTERN") && msEvalRegex(getenv("MS_MAP_PATTERN"), msObj->request->ParamValues[i]) != MS_TRUE) {
++ msSetError(MS_WEBERR, "Parameter 'map' value fails to validate.", "loadMap()");
++ writeError();
++ }
++
++ /* ok to try to load now */
+ map = msLoadMap(msObj->request->ParamValues[i], NULL);
++ }
+ }
+
+ if(!map) writeError();
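Review bot: both new checks in the else branch are correct only if writeError() never returns; if it can, execution continues to msLoadMap() with the value that was just rejected. Put the msLoadMap() call in an explicit else, or add a comment that writeError() exits. Note also that MS_MAP_NO_PATH and MS_MAP_PATTERN are opt-in: with neither variable set, the 'map' parameter is loaded exactly as before, so the package should document the two variables for administrators.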
+@@ -415,6 +428,10 @@
+ }
+
+ if(strcasecmp(msObj->request->ParamNames[i],"id") == 0) {
++ if(msEvalRegex(IDPATTERN, msObj->request->ParamValues[i]) == MS_FALSE) {
++ msSetError(MS_WEBERR, "Parameter 'id' value fails to validate.", "loadMap()");
++ writeError();
++ }
+ strncpy(msObj->Id, msObj->request->ParamValues[i], IDSIZE);
+ continue;
+ }
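Review bot: the strncpy(msObj->Id, ..., IDSIZE) that follows the new check does not terminate the destination by itself; it is safe only because IDPATTERN, defined in another header, limits the value to 63 characters while IDSIZE is 64. Add an explicit msObj->Id[IDSIZE-1] = '\0' after the copy, or a comment here naming that dependency, so a later change to either define cannot leave Id unterminated.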
+@@ -1238,7 +1255,7 @@
+ loadForm();
+
+ if(msObj->SaveMap) {
+- sprintf(buffer, "%s%s%s.map", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id);
++ snprintf(buffer, sizeof(buffer), "%s%s%s.map", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id);
+ if(msSaveMap(msObj->Map, buffer) == -1) writeError();
+ }
+
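Review bot: the snprintf result is not checked. When imagepath, name and Id together exceed the buffer, the file name is silently truncated (possibly losing the ".map" suffix) and still passed to msSaveMap(). Compare the return value with sizeof(buffer) and call msSetError()/writeError() on truncation instead of writing to a name nobody asked for. The same applies to the other sprintf to snprintf conversions in this patch.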
+diff -urNad mapserver-4.10.0~/mapstring.c mapserver-4.10.0/mapstring.c
+--- mapserver-4.10.0~/mapstring.c 2006-08-16 10:05:07.000000000 -0400
++++ mapserver-4.10.0/mapstring.c 2009-07-14 13:06:22.521857713 -0400
+@@ -933,3 +933,34 @@
+
+ return str;
+ }
++
++/************************************************************************/
++/* case incensitive equivalent of strstr */
++/************************************************************************/
++const char *msCaseFindSubstring(const char *haystack, const char *needle)
++{
++ if ( !*needle )
++ {
++ return haystack;
++ }
++ for ( ; *haystack; ++haystack )
++ {
++ if ( toupper(*haystack) == toupper(*needle) )
++ {
++ /* * Matched starting char -- loop through remaining chars. */
++ const char *h, *n;
++ for ( h = haystack, n = needle; *h && *n; ++h, ++n )
++ {
++ if ( toupper(*h) != toupper(*n) )
++ {
++ break;
++ }
++ }
++ if ( !*n ) /* matched all of 'needle' to null termination */
++ {
++ return haystack; /* return the start of the match */
++ }
++ }
++ }
++ return 0;
++}
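Review bot: in msCaseFindSubstring(), toupper() is called on plain char values (*haystack, *needle, *h, *n). Where char is signed, bytes above 0x7f become negative and passing them to toupper() is undefined behaviour; cast each argument to unsigned char. The hunk also adds no #include <ctype.h>, so please confirm mapstring.c already has it, and the banner comment has a typo ("incensitive").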
+diff -urNad mapserver-4.10.0~/maptemplate.c mapserver-4.10.0/maptemplate.c
+--- mapserver-4.10.0~/maptemplate.c 2006-09-29 16:52:05.000000000 -0400
++++ mapserver-4.10.0/maptemplate.c 2009-07-14 13:06:22.521857713 -0400
+@@ -130,6 +130,20 @@
+
+ char *processLine(mapservObj* msObj, char* instr, int mode);
+
++static int isValidTemplate(FILE *stream, const char *filename)
++{
++ char buffer[MS_BUFFER_LENGTH];
++
++ if(fgets(buffer, MS_BUFFER_LENGTH, stream) != NULL) {
++ if(!msCaseFindSubstring(buffer, MS_TEMPLATE_MAGIC_STRING)) {
++ msSetError(MS_WEBERR, "Missing magic string, %s doesn't look like a MapServer template.", "isValidTemplate()", filename);
++ return MS_FALSE;
++ }
++ }
++
++ return MS_TRUE;
++}
++
+ /*
+ * Redirect to (only use in CGI)
+ *
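Review bot: isValidTemplate() returns MS_TRUE when fgets() returns NULL, so an empty file or a read error on the first line is accepted as a valid template. Make the NULL case return MS_FALSE with its own error message. As written the check also accepts the magic string anywhere within the first MS_BUFFER_LENGTH-1 bytes of the first line; if that is intended, say so in a comment above the function.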
+@@ -293,7 +307,7 @@
+ img = msDrawQueryMap(msObj->Map);
+ if(!img) return MS_FAILURE;
+
+- snprintf(buffer, 1024, "%s%s%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
++ snprintf(buffer, sizeof(buffer), "%s%s%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
+
+ status = msSaveImage(msObj->Map, img, buffer);
+ if(status != MS_SUCCESS) return status;
+@@ -304,7 +318,7 @@
+ {
+ img = msDrawLegend(msObj->Map, MS_FALSE);
+ if(!img) return MS_FAILURE;
+- snprintf(buffer, 1024, "%s%sleg%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
++ snprintf(buffer, sizeof(buffer), "%s%sleg%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
+ status = msSaveImage(msObj->Map, img, buffer);
+ if(status != MS_SUCCESS) return status;
+ msFreeImage(img);
+@@ -314,7 +328,7 @@
+ {
+ img = msDrawScalebar(msObj->Map);
+ if(!img) return MS_FAILURE;
+- snprintf(buffer, 1024, "%s%ssb%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
++ snprintf(buffer, sizeof(buffer), "%s%ssb%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
+ status = msSaveImage( msObj->Map, img, buffer);
+ if(status != MS_SUCCESS) return status;
+ msFreeImage(img);
+@@ -324,7 +338,7 @@
+ {
+ img = msDrawReferenceMap(msObj->Map);
+ if(!img) return MS_FAILURE;
+- snprintf(buffer, 1024, "%s%sref%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
++ snprintf(buffer, sizeof(buffer), "%s%sref%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
+ status = msSaveImage(msObj->Map, img, buffer);
+ if(status != MS_SUCCESS) return status;
+ msFreeImage(img);
+@@ -2446,6 +2460,11 @@
+ return(NULL);
+ }
+
++ if(isValidTemplate(stream, join->header) != MS_TRUE) {
++ fclose(stream);
++ return NULL;
++ }
++
+ /* echo file to the output buffer, no substitutions */
+ while(fgets(line, MS_BUFFER_LENGTH, stream) != NULL) outbuf = strcatalloc(outbuf, line);
+
+@@ -2455,8 +2474,13 @@
+ if((stream = fopen(msBuildPath(szPath, msObj->Map->mappath, join->template), "r")) == NULL) {
+ msSetError(MS_IOERR, "Error while opening join template file %s.", "processOneToManyJoin()", join->template);
+ return(NULL);
+- }
++ }
+
++ if(isValidTemplate(stream, join->header) != MS_TRUE) {
++ fclose(stream);
++ return NULL;
++ }
++
+ records = MS_TRUE;
+ }
+
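Review bot: the stream validated in this hunk was opened from join->template, but the call passes join->header as the file name: "if(isValidTemplate(stream, join->header) != MS_TRUE)". The error message will name the wrong file, and when the join has no header a NULL pointer is handed to the %s in msSetError(). This should be join->template. The "- }" / "+ }" pair above it is a whitespace-only change that could be dropped from the patch.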
+@@ -2471,6 +2495,7 @@
+ }
+
+ rewind(stream);
++ fgets(line, MS_BUFFER_LENGTH, stream); /* skip the first line since it's the magic string */
+ } /* next record */
+
+ if(records==MS_TRUE && join->footer) {
+@@ -2479,6 +2504,11 @@
+ return(NULL);
+ }
+
++ if(isValidTemplate(stream, join->footer) != MS_TRUE) {
++ fclose(stream);
++ return NULL;
++ }
++
+ /* echo file to the output buffer, no substitutions */
+ while(fgets(line, MS_BUFFER_LENGTH, stream) != NULL) outbuf = strcatalloc(outbuf, line);
+
+@@ -3007,6 +3037,11 @@
+ return MS_FAILURE;
+ }
+
++ if(isValidTemplate(stream, html) != MS_TRUE) {
++ fclose(stream);
++ return MS_FAILURE;
++ }
++
+ if (papszBuffer)
+ {
+ if ((*papszBuffer) == NULL)
+@@ -3411,7 +3446,7 @@
+ image = msDrawMap(msObj->Map);
+
+ if(image) {
+- sprintf(buffer, "%s%s%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
++ snprintf(buffer, sizeof(buffer), "%s%s%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
+
+ if(msSaveImage(msObj->Map, image, buffer) != MS_SUCCESS && bReturnOnError) {
+ msFreeImage(image);
+@@ -3429,7 +3464,7 @@
+ imageObj *image = NULL;
+ image = msDrawLegend(msObj->Map, MS_FALSE);
+ if(image) {
+- sprintf(buffer, "%s%sleg%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
++ snprintf(buffer, sizeof(buffer), "%s%sleg%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
+
+ if(msSaveImage(msObj->Map, image, buffer) != MS_SUCCESS && bReturnOnError) {
+ msFreeImage(image);
+@@ -3447,7 +3482,7 @@
+ imageObj *image = NULL;
+ image = msDrawScalebar(msObj->Map);
+ if(image) {
+- sprintf(buffer, "%s%ssb%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
++ snprintf(buffer, sizeof(buffer), "%s%ssb%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
+ if(msSaveImage(msObj->Map, image, buffer) != MS_SUCCESS && bReturnOnError) {
+ msFreeImage(image);
+ return MS_FALSE;
+@@ -3464,7 +3499,7 @@
+ imageObj *image;
+ image = msDrawReferenceMap(msObj->Map);
+ if(image) {
+- sprintf(buffer, "%s%sref%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
++ snprintf(buffer, sizeof(buffer), "%s%sref%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
+ if(msSaveImage(msObj->Map, image, buffer) != MS_SUCCESS && bReturnOnError) {
+ msFreeImage(image);
+ return MS_FALSE;
+diff -urNad mapserver-4.10.0~/maptemplate.h mapserver-4.10.0/maptemplate.h
+--- mapserver-4.10.0~/maptemplate.h 2005-06-14 12:03:35.000000000 -0400
++++ mapserver-4.10.0/maptemplate.h 2009-07-14 13:06:22.521857713 -0400
+@@ -45,7 +45,8 @@
+ #include "map.h"
+ #include "maphash.h"
+
+-#define IDSIZE 128
++#define IDPATTERN "^[0-9A-Za-z]{1,63}$"
++#define IDSIZE 64
+ #define TEMPLATE_TYPE(s) (((strncmp("http://", s, 7) == 0) || (strncmp("https://", s, 8) == 0) || (strncmp("ftp://", s, 6)) == 0) ? MS_URL : MS_FILE)
+ #define MAXZOOM 25
+ #define MINZOOM -25
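Review bot: IDSIZE drops from 128 to 64 and IDPATTERN now restricts ids to 1 to 63 alphanumeric characters, so ids that were accepted before (longer, or containing other characters) are now rejected with an error. That is a behaviour change for existing clients and is not mentioned in the changelog entry; add a line for it.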
Property changes on: packages/mapserver/branches/etch/4.10.0/debian/patches/82_CVE-2009-0839.dpatch
___________________________________________________________________
Added: svn:executable
+ *
Added: packages/mapserver/branches/etch/4.10.0/debian/patches/83_CVE-2009-0840-CVE-2009-2281.dpatch
===================================================================
--- packages/mapserver/branches/etch/4.10.0/debian/patches/83_CVE-2009-0840-CVE-2009-2281.dpatch (rev 0)
+++ packages/mapserver/branches/etch/4.10.0/debian/patches/83_CVE-2009-0840-CVE-2009-2281.dpatch 2009-07-14 17:58:33 UTC (rev 2355)
@@ -0,0 +1,88 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 83_CVE-2009-0840-CVE-2009-2281.dpatch by Alan Boudreault <aboudreault at mapgears.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad mapserver-4.10.0~/cgiutil.c mapserver-4.10.0/cgiutil.c
+--- mapserver-4.10.0~/cgiutil.c 2006-08-28 21:56:53.000000000 -0400
++++ mapserver-4.10.0/cgiutil.c 2009-07-14 13:08:18.430607176 -0400
+@@ -69,7 +69,8 @@
+ static char *readPostBody( cgiRequestObj *request )
+ {
+ char *data;
+- int data_max, data_len, chunk_size;
++ size_t data_max, data_len;
++ int chunk_size;
+
+ msIO_needBinaryStdin();
+
+@@ -79,12 +80,19 @@
+ if( getenv("CONTENT_LENGTH") != NULL )
+ {
+
+- data_max = atoi(getenv("CONTENT_LENGTH"));
++ data_max = (size_t) atoi(getenv("CONTENT_LENGTH"));
++ /* Test for suspicious CONTENT_LENGTH (negative value or SIZE_MAX) */
++ if( data_max >= SIZE_MAX )
++ {
++ msIO_printf("Content-type: text/html%c%c",10,10);
++ msIO_printf("Suspicious Content-Length.\n");
++ exit( 1 );
++ }
+ data = (char *) malloc(data_max+1);
+ if( data == NULL )
+ {
+ msIO_printf("Content-type: text/html%c%c",10,10);
+- msIO_printf("malloc() failed, Content-Length: %d unreasonably large?\n",
++ msIO_printf("malloc() failed, Content-Length: %u unreasonably large?\n",
+ data_max );
+ exit( 1 );
+ }
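Review bot: the test "if( data_max >= SIZE_MAX )" does not do what its comment says. atoi() returns an int, and after the cast to size_t only -1 maps to SIZE_MAX; any other negative CONTENT_LENGTH (for example -2) becomes a huge value just below SIZE_MAX, passes this check and is left for malloc(data_max+1) to refuse. Parse the header into a signed type first (strtol with error checking), reject values below zero explicitly, and consider an upper limit on accepted body size rather than relying on allocation failure.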
+@@ -101,7 +109,9 @@
+ /* -------------------------------------------------------------------- */
+ /* Otherwise read in chunks to the end. */
+ /* -------------------------------------------------------------------- */
+- data_max = 10000;
++#define DATA_ALLOC_SIZE 10000
++
++ data_max = DATA_ALLOC_SIZE;
+ data_len = 0;
+ data = (char *) malloc(data_max+1);
+
+@@ -112,13 +122,21 @@
+
+ if( data_len == data_max )
+ {
+- data_max = data_max + 10000;
++ /* Realloc buffer, making sure we check for possible size_t overflow */
++ if ( data_max > SIZE_MAX - (DATA_ALLOC_SIZE+1) )
++ {
++ msIO_printf("Content-type: text/html%c%c",10,10);
++ msIO_printf("Possible size_t overflow, cannot reallocate input buffer, POST body too large?\n" );
++ exit(1);
++ }
++
++ data_max = data_max + DATA_ALLOC_SIZE;
+ data = (char *) realloc(data, data_max+1);
+
+ if( data == NULL )
+ {
+ msIO_printf("Content-type: text/html%c%c",10,10);
+- msIO_printf("out of memory trying to allocate %d input buffer, POST body too large?\n", data_max+1 );
++ msIO_printf("out of memory trying to allocate %u input buffer, POST body too large?\n", data_max+1 );
+ exit(1);
+ }
+ }
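Review bot: the message now prints data_max+1 with %u, but data_max was changed to size_t in this patch. On platforms where size_t is wider than unsigned int this is a format/argument mismatch; cast the argument to unsigned long and use %lu. The same applies to the "malloc() failed, Content-Length: %u" message in the earlier hunk. The overflow guard itself, "data_max > SIZE_MAX - (DATA_ALLOC_SIZE+1)", is correct for the data_max+1 that is passed to realloc().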
+diff -urNad mapserver-4.10.0~/map.h mapserver-4.10.0/map.h
+--- mapserver-4.10.0~/map.h 2006-10-04 10:54:49.000000000 -0400
++++ mapserver-4.10.0/map.h 2009-07-14 13:08:18.430607176 -0400
+@@ -153,6 +153,7 @@
+ #include <malloc.h>
+ #else
+ #include <unistd.h>
++#include <stdint.h>
+ #endif
+
+ #ifndef DISABLE_CVSID
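Review bot: #include <stdint.h> is added only in the #else branch next to <unistd.h>, while cgiutil.c now uses SIZE_MAX unconditionally. On builds that take the other branch (the one including <malloc.h>) SIZE_MAX may be undefined. For the Debian package this is harmless, but if the patch goes back upstream the include, or a fallback "#ifndef SIZE_MAX" definition, should cover both branches.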
Property changes on: packages/mapserver/branches/etch/4.10.0/debian/patches/83_CVE-2009-0840-CVE-2009-2281.dpatch
___________________________________________________________________
Added: svn:executable
+ *
Added: packages/mapserver/branches/etch/4.10.0/debian/patches/84_CVE-2009-0841.dpatch
===================================================================
--- packages/mapserver/branches/etch/4.10.0/debian/patches/84_CVE-2009-0841.dpatch (rev 0)
+++ packages/mapserver/branches/etch/4.10.0/debian/patches/84_CVE-2009-0841.dpatch 2009-07-14 17:58:33 UTC (rev 2355)
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 84_CVE-2009-0841.dpatch by Alan Boudreault <aboudreault at mapgears.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad mapserver-4.10.0~/mapserv.c mapserver-4.10.0/mapserv.c
+--- mapserver-4.10.0~/mapserv.c 2006-08-28 21:56:53.000000000 -0400
++++ mapserver-4.10.0/mapserv.c 2009-07-14 13:10:06.254163494 -0400
+@@ -1595,7 +1595,7 @@
+ if (msReturnTemplateQuery(msObj, msObj->Map->web.queryformat, NULL) != MS_SUCCESS) writeError();
+
+ if(msObj->SaveQuery) {
+- sprintf(buffer, "%s%s%s%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_QUERY_EXTENSION);
++ snprintf(buffer, sizeof(buffer), "%s%s%s%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_QUERY_EXTENSION);
+ if((status = msSaveQuery(msObj->Map, buffer)) != MS_SUCCESS) return status;
+ }
+ }
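Review bot: the return value of the new `snprintf(buffer, sizeof(buffer), ...)` is not checked, so an over-long combination of `imagepath`, map name and `Id` is silently truncated (possibly losing `MS_QUERY_EXTENSION`) and the shortened path is still handed to `msSaveQuery()`. Compare the result against `sizeof(buffer)` and fail the request when it does not fit. The header still reads `## DP: No description.`; since the changelog labels this patch a fix for relative file path writing and the hunk only bounds the copy, the description should say where the path components are validated.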
Property changes on: packages/mapserver/branches/etch/4.10.0/debian/patches/84_CVE-2009-0841.dpatch
___________________________________________________________________
Added: svn:executable
+ *
Added: packages/mapserver/branches/etch/4.10.0/debian/patches/85_CVE-2009-0842.dpatch
===================================================================
--- packages/mapserver/branches/etch/4.10.0/debian/patches/85_CVE-2009-0842.dpatch (rev 0)
+++ packages/mapserver/branches/etch/4.10.0/debian/patches/85_CVE-2009-0842.dpatch 2009-07-14 17:58:33 UTC (rev 2355)
@@ -0,0 +1,126 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 85_CVE-2009-0842.dpatch by Alan Boudreault <aboudreault at mapgears.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad mapserver-4.10.0~/mapfile.c mapserver-4.10.0/mapfile.c
+--- mapserver-4.10.0~/mapfile.c 2006-08-31 22:30:15.000000000 -0400
++++ mapserver-4.10.0/mapfile.c 2009-07-14 13:11:33.301856800 -0400
+@@ -4543,6 +4543,9 @@
+ int i,j,k;
+ char szPath[MS_MAXPATHLEN], szCWDPath[MS_MAXPATHLEN];
+
++ int foundMapToken=MS_FALSE;
++ int token;
++
+ if(!filename) {
+ msSetError(MS_MISCERR, "Filename is undefined.", "msLoadMap()");
+ return(NULL);
+@@ -4592,7 +4595,14 @@
+
+ for(;;) {
+
+- switch(msyylex()) {
++ token = msyylex();
++
++ if(!foundMapToken && token != MAP) {
++ msSetError(MS_IDENTERR, "First token must be MAP, this doesn't look like a mapfile.", "msLoadMap()");
++ return(NULL);
++ }
++
++ switch(token) {
+
+ case(CONFIG):
+ {
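Review bot: the early `return(NULL)` added before the `switch` leaves msLoadMap with no cleanup in view. If the map object and the lexer input are already set up by this point in the function, free and close them before returning so that a rejected file does not leak resources on every request. A one-line comment tying the first-token guard to CVE-2009-0842 would also keep it from being removed later as redundant.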
+@@ -4717,7 +4727,8 @@
+ if(loadLegend(&(map->legend), map) == -1) return(NULL);
+ break;
+ case(MAP):
+- break;
++ foundMapToken = MS_TRUE;
++ break;
+ case(MAXSIZE):
+ if(getInteger(&(map->maxsize)) == -1) return(NULL);
+ break;
+diff -urNad mapserver-4.10.0~/mapsymbol.c mapserver-4.10.0/mapsymbol.c
+--- mapserver-4.10.0~/mapsymbol.c 2006-07-22 23:28:45.000000000 -0400
++++ mapserver-4.10.0/mapsymbol.c 2009-07-14 13:11:33.301856800 -0400
+@@ -632,7 +632,7 @@
+ int msLoadSymbolSet(symbolSetObj *symbolset, mapObj *map)
+ {
+ int retval = MS_FAILURE;
+-
++
+ msAcquireLock( TLOCK_PARSER );
+ retval = loadSymbolSet( symbolset, map );
+ msReleaseLock( TLOCK_PARSER );
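Review bot: this hunk changes only whitespace on a blank line in msLoadSymbolSet() and has no functional effect. Drop it so the security patch contains only the lines needed for the fix and stays easy to audit and backport.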
+@@ -647,6 +647,9 @@
+ int status=1;
+ char szPath[MS_MAXPATHLEN], *pszSymbolPath=NULL;
+
++ int foundSymbolSetToken=MS_FALSE;
++ int token;
++
+ if(!symbolset) {
+ msSetError(MS_SYMERR, "Symbol structure unallocated.", "loadSymbolSet()");
+ return(-1);
+@@ -673,7 +676,15 @@
+ ** Read the symbol file
+ */
+ for(;;) {
+- switch(msyylex()) {
++
++ token = msyylex();
++
++ if(!foundSymbolSetToken && token != SYMBOLSET) {
++ msSetError(MS_IDENTERR, "First token must be SYMBOLSET, this doesn't look like a symbol file.", "msLoadSymbolSet()");
++ return(-1);
++ }
++
++ switch(token) {
+ case(END):
+ case(EOF):
+ status = 0;
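Review bot: the new `msSetError(MS_IDENTERR, ...)` call reports its routine as "msLoadSymbolSet()", but the guard lives in the inner function, whose other error calls in this patch's context use "loadSymbolSet()". Use the same routine string so that log entries point at the right function.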
+@@ -688,6 +699,7 @@
+ symbolset->numsymbols++;
+ break;
+ case(SYMBOLSET):
++ foundSymbolSetToken = MS_TRUE;
+ break;
+ default:
+ msSetError(MS_IDENTERR, "Parsing error near (%s):(line %d)", "loadSymbolSet()", msyytext, msyylineno);
+diff -urNad mapserver-4.10.0~/tests/symbols.txt mapserver-4.10.0/tests/symbols.txt
+--- mapserver-4.10.0~/tests/symbols.txt 2004-11-18 10:07:36.000000000 -0500
++++ mapserver-4.10.0/tests/symbols.txt 2009-07-14 13:11:33.311860683 -0400
+@@ -1,22 +1,23 @@
+-
+-SYMBOL
++SYMBOLSET
++ SYMBOL
+ NAME 'circle'
+ TYPE ellipse
+ FILLED true
+ POINTS
+ 1 1
+ END
+-END
++ END
+
+-SYMBOL
++ SYMBOL
+ NAME 'xmarks-png'
+ TYPE PIXMAP
+ IMAGE 'xmarks.png'
+-END
++ END
+
+-SYMBOL
++ SYMBOL
+ NAME 'home-png'
+ TYPE PIXMAP
+ IMAGE 'home.png'
++ END
+ END
+
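Review bot: the test fixture had to be wrapped in `SYMBOLSET ... END` to keep loading, which shows that the new first-token check rejects existing symbol files that start directly with `SYMBOL`. For a stable-security upload this is a behaviour change that users will hit on upgrade; state it in debian/changelog or NEWS so administrators know to add the wrapper to their symbol files.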
Property changes on: packages/mapserver/branches/etch/4.10.0/debian/patches/85_CVE-2009-0842.dpatch
___________________________________________________________________
Added: svn:executable
+ *
Added: packages/mapserver/branches/etch/4.10.0/debian/patches/86_CVE-2009-0843.dpatch
===================================================================
--- packages/mapserver/branches/etch/4.10.0/debian/patches/86_CVE-2009-0843.dpatch (rev 0)
+++ packages/mapserver/branches/etch/4.10.0/debian/patches/86_CVE-2009-0843.dpatch 2009-07-14 17:58:33 UTC (rev 2355)
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 86_CVE-2009-0843.dpatch by Alan Boudreault <aboudreault at mapgears.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad mapserver-4.10.0~/mapquery.c mapserver-4.10.0/mapquery.c
+--- mapserver-4.10.0~/mapquery.c 2006-02-01 20:00:11.000000000 -0500
++++ mapserver-4.10.0/mapquery.c 2009-07-14 13:12:34.260614243 -0400
+@@ -153,6 +153,11 @@
+ return(MS_FAILURE);
+ }
+
++ /*
++ ** Make sure the file at least has the right extension.
++ */
++ if(msEvalRegex("\\.qy$", filename) != MS_TRUE) return MS_FAILURE;
++
+ stream = fopen(filename, "rb");
+ if(!stream) {
+ msSetError(MS_IOERR, "(%s)", "msLoadQuery()", filename);
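Review bot: the new extension check returns `MS_FAILURE` without calling `msSetError()`, unlike the `fopen` failure path right below it, so the caller gets a failure with no error recorded. Set a generic error that does not echo the filename. The pattern `"\\.qy$"` is also hard-coded although `MS_QUERY_EXTENSION` already exists (it is used when the query file is written in mapserv.c); if it is the same suffix, derive the check from that macro so the two cannot drift apart.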
Property changes on: packages/mapserver/branches/etch/4.10.0/debian/patches/86_CVE-2009-0843.dpatch
___________________________________________________________________
Added: svn:executable
+ *