[mapserver] 02/03: Add upstream patches to fix CVE-2016-9839 & CVE-2017-5522. (LP: 1648998)

Bas Couwenberg sebastic at debian.org
Wed Jan 18 22:42:31 UTC 2017


This is an automated email from the git hooks/post-receive script.

sebastic pushed a commit to branch ubuntu-precise
in repository mapserver.

commit 2ac3bc0978fb1be924d831e61f86e5c44778bee0
Author: Bas Couwenberg <sebastic at xs4all.nl>
Date:   Wed Jan 18 23:08:47 2017 +0100

    Add upstream patches to fix CVE-2016-9839 & CVE-2017-5522. (LP: 1648998)
---
 debian/changelog                   |  8 ++++
 debian/patches/CVE-2016-9839.patch | 91 ++++++++++++++++++++++++++++++++++++++
 debian/patches/CVE-2017-5522.patch | 31 +++++++++++++
 debian/patches/series              |  2 +
 4 files changed, 132 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 83b8f88..0abc479 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+mapserver (6.0.1-2ubuntu1.2) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Add upstream patches to fix CVE-2016-9839 & CVE-2017-5522.
+    (LP: 1648998)
+
+ -- Bas Couwenberg <sebastic at debian.org>  Wed, 18 Jan 2017 23:06:52 +0100
+
 mapserver (6.0.1-2ubuntu1.1) precise-security; urgency=low
 
   * Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the
diff --git a/debian/patches/CVE-2016-9839.patch b/debian/patches/CVE-2016-9839.patch
new file mode 100644
index 0000000..09bc6e4
--- /dev/null
+++ b/debian/patches/CVE-2016-9839.patch
@@ -0,0 +1,91 @@
+Description: Backport #4928 and #5356
+Author: Thomas Bonfort <thomas.bonfort at gmail.com>
+Origin: https://github.com/mapserver/mapserver/commit/889971607c1d01ff95bc45d1ba44bd92ba5aafb2
+
+--- a/mapogr.cpp
++++ b/mapogr.cpp
+@@ -1408,16 +1408,14 @@ msOGRFileOpen(layerObj *layer, const cha
+       
+       if( hDS == NULL )
+       {
+-          if( strlen(CPLGetLastErrorMsg()) == 0 )
+-              msSetError(MS_OGRERR, 
+-                         "Open failed for OGR connection in layer `%s'.  "
+-                         "File not found or unsupported format.", 
+-                         "msOGRFileOpen()",
+-                         layer->name?layer->name:"(null)" );
+-          else
+-              msSetError(MS_OGRERR, 
++          msSetError(MS_OGRERR, 
++                    "Open failed for OGR connection in layer `%s'.  "
++                    "Check logs.", 
++                    "msOGRFileOpen()",
++                    layer->name?layer->name:"(null)" );
++          if( strlen(CPLGetLastErrorMsg()) != 0 )
++              msDebug(
+                          "Open failed for OGR connection in layer `%s'.\n%s\n",
+-                         "msOGRFileOpen()", 
+                          layer->name?layer->name:"(null)", 
+                          CPLGetLastErrorMsg() );
+           CPLFree( pszDSName );
+@@ -1467,8 +1465,11 @@ msOGRFileOpen(layerObj *layer, const cha
+       if( hLayer == NULL )
+       {
+           msSetError(MS_OGRERR, 
+-                     "ExecuteSQL(%s) failed.\n%s",
++                     "ExecuteSQL(%s) failed. Check logs",
+                      "msOGRFileOpen()", 
++                     pszLayerDef);
++          msDebug(
++                     "ExecuteSQL(%s) failed.\n%s",
+                      pszLayerDef, CPLGetLastErrorMsg() );
+           RELEASE_OGR_LOCK;
+           msConnPoolRelease( layer, hDS );
+@@ -1481,8 +1482,10 @@ msOGRFileOpen(layerObj *layer, const cha
+ 
+   if (hLayer == NULL)
+   {
+-      msSetError(MS_OGRERR, "GetLayer(%s) failed for OGR connection `%s'.",
++      msSetError(MS_OGRERR, "GetLayer(%s) failed for OGR connection. Check logs.",
+                  "msOGRFileOpen()", 
++                 pszLayerDef);
++      msDebug("GetLayer(%s) failed for OGR connection `%s'.",
+                  pszLayerDef, connection );
+       CPLFree( pszLayerDef );
+       msConnPoolRelease( layer, hDS );
+@@ -1635,8 +1638,11 @@ static int msOGRFileWhichShapes(layerObj
+           != OGRERR_NONE )
+       {
+           msSetError(MS_OGRERR,
+-                     "SetAttributeFilter(%s) failed on layer %s.\n%s", 
++                     "SetAttributeFilter(%s) failed on layer %s.", 
+                      "msOGRFileWhichShapes()",
++                     layer->filter.string+6, layer->name?layer->name:"(null)");
++          msDebug(
++                     "SetAttributeFilter(%s) failed on layer %s.\n%s", 
+                      layer->filter.string+6, layer->name?layer->name:"(null)", 
+                      CPLGetLastErrorMsg() );
+           RELEASE_OGR_LOCK;
+@@ -1852,8 +1858,8 @@ msOGRFileNextShape(layerObj *layer, shap
+           psInfo->last_record_index_read = -1;
+           if( CPLGetLastErrorType() == CE_Failure )
+           {
+-              msSetError(MS_OGRERR, "%s", "msOGRFileNextShape()",
+-                         CPLGetLastErrorMsg() );
++              msSetError(MS_OGRERR, "error. check logs", "msOGRFileNextShape()");
++              msDebug("%s", CPLGetLastErrorMsg() );
+               RELEASE_OGR_LOCK;
+               return MS_FAILURE;
+           }
+--- a/mappostgis.c
++++ b/mappostgis.c
+@@ -2237,7 +2237,8 @@ int msPostGISLayerOpen(layerObj *layer)
+                 }
+             }
+ 
+-            msSetError(MS_QUERYERR, "Database connection failed (%s) with connect string '%s'\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?", "msPostGISLayerOpen()", PQerrorMessage(layerinfo->pgconn), maskeddata);
++            msDebug("Database connection failed (%s) with connect string '%s'\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?.\n", PQerrorMessage(layerinfo->pgconn), maskeddata);
++            msSetError(MS_QUERYERR, "Database connection failed.\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?", "msPostGISLayerOpen()");
+ 
+             free(maskeddata);
+             free(layerinfo);
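Review bot: In the mapogr.cpp part, the rewritten msSetError calls still format mapfile-derived text into the error that is returned: `pszLayerDef` in the ExecuteSQL and GetLayer messages and `layer->filter.string+6` in the SetAttributeFilter message, so only the CPLGetLastErrorMsg() text is moved to the log. If the aim of the backport is to keep data-source detail out of responses, those arguments could be passed to msDebug only, e.g. `msSetError(MS_OGRERR, "ExecuteSQL() failed. Check logs.", "msOGRFileOpen()");`. Several of the new msDebug format strings (ExecuteSQL, GetLayer, SetAttributeFilter and the bare `"%s"` in msOGRFileNextShape) also lack the trailing `\n` that the first msDebug call has, so consecutive log entries may run together. "Check logs" presumably helps only where debug logging is configured, which is worth stating in the patch header. The enclosing functions start and end outside these hunks.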
diff --git a/debian/patches/CVE-2017-5522.patch b/debian/patches/CVE-2017-5522.patch
new file mode 100644
index 0000000..d46e20a
--- /dev/null
+++ b/debian/patches/CVE-2017-5522.patch
@@ -0,0 +1,31 @@
+Description: security fix (patch by EvenR)
+ Fixes CVE-2017-5522 (stack buffer overflow)
+Author: Even Rouault <even.rouault at spatialys.com>
+Origin: https://github.com/mapserver/mapserver/commit/cf7a13e62e5c56e4c7f455c1c38037a96dd1019d
+
+--- a/mapogcfilter.c
++++ b/mapogcfilter.c
+@@ -2874,7 +2874,9 @@ char *FLTGetIsLikeComparisonExpression(F
+ 
+     pszValue = psFilterNode->psRightNode->pszValue;
+     nLength = strlen(pszValue);
+-    
++    if( 1 + 2 * nLength + 1 + 1 >= sizeof(szTmp) )
++        return NULL; 
++        
+     iTmp =0;
+     if (nLength > 0 && pszValue[0] != pszWild[0] && 
+         pszValue[0] != pszSingle[0] &&
+--- a/mapogcfiltercommon.c
++++ b/mapogcfiltercommon.c
+@@ -146,7 +146,9 @@ char *FLTGetIsLikeComparisonCommonExpres
+ 
+     pszValue = psFilterNode->psRightNode->pszValue;
+     nLength = strlen(pszValue);
+-    
++    if( 1 + 2 * nLength + 1 + 1 >= sizeof(szTmp) )
++        return NULL;   
++        
+     iTmp =0;
+     if (nLength > 0 && pszValue[0] != pszWild[0] && 
+         pszValue[0] != pszSingle[0] &&
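Review bot: The new length guard in both FLTGetIsLikeComparisonExpression and FLTGetIsLikeComparisonCommonExpression returns NULL without calling msSetError, so an over-long PropertyIsLike literal is rejected with no diagnostic, and whether every caller handles a NULL return cannot be seen from the hunk. Consider recording the reason before returning, e.g. `msSetError(MS_MISCERR, "PropertyIsLike literal is too long.", "FLTGetIsLikeComparisonExpression()");`. The expression `1 + 2 * nLength + 1 + 1` is unexplained; a comment such as `/* worst case: leading anchor + two output bytes per input byte + closing character + NUL */` would help, to be confirmed against the copy loop, which lies outside the hunk. If nLength is a signed int (its declaration is not visible here), the product should be computed in size_t, `2 * (size_t)nLength`, so that a very long value cannot overflow before the comparison.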
diff --git a/debian/patches/series b/debian/patches/series
index 5fdfefb..8784bae 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,4 @@
 fix-jpeg-gd-detection.patch
 cve-2013-7262.patch
+CVE-2016-9839.patch
+CVE-2017-5522.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-grass/mapserver.git


