[DebianGIS-dev] r2353 - in packages/mapserver/branches/lenny/debian: . patches
aboudreault-guest at alioth.debian.org
aboudreault-guest at alioth.debian.org
Tue Jul 14 13:35:47 UTC 2009
Author: aboudreault-guest
Date: 2009-07-14 13:35:43 +0000 (Tue, 14 Jul 2009)
New Revision: 2353
Added:
packages/mapserver/branches/lenny/debian/patches/02_CVE-2009-840-CVE-2009-2281.dpatch
Removed:
packages/mapserver/branches/lenny/debian/patches/02_CVE-2009-0840.dpatch
Modified:
packages/mapserver/branches/lenny/debian/changelog
packages/mapserver/branches/lenny/debian/patches/00list
packages/mapserver/branches/lenny/debian/rules
Log:
update security fixes
Modified: packages/mapserver/branches/lenny/debian/changelog
===================================================================
--- packages/mapserver/branches/lenny/debian/changelog 2009-07-14 13:06:06 UTC (rev 2352)
+++ packages/mapserver/branches/lenny/debian/changelog 2009-07-14 13:35:43 UTC (rev 2353)
@@ -1,3 +1,15 @@
+mapserver (5.0.3-3+lenny3) stable-security; urgency=high
+
+ * Fix Heap-based buffer underflow in the readPostBody (CVE-2009-0840, CVE-2009-2281)
+
+ -- Alan Boudreault <aboudreault at mapgears.com> Tue, 14 Jul 2009 08:43:41 -0400
+
+mapserver (5.0.3-3+lenny2) stable-security; urgency=high
+
+ * Fix missing gcc optimization change in debian/rules.
+
+ -- Alan Boudreault <aboudreault at mapgears.com> Wed, 17 Jun 2009 09:22:40 -0400
+
mapserver (5.0.3-3+lenny1) stable-security; urgency=high
* Fix stack-based buffer overflow (CVE-2009-0839).
Modified: packages/mapserver/branches/lenny/debian/patches/00list
===================================================================
--- packages/mapserver/branches/lenny/debian/patches/00list 2009-07-14 13:06:06 UTC (rev 2352)
+++ packages/mapserver/branches/lenny/debian/patches/00list 2009-07-14 13:35:43 UTC (rev 2353)
@@ -2,7 +2,7 @@
70_ptrreturn
80_gdal_lib
01_CVE-2009-0839
-02_CVE-2009-0840
+02_CVE-2009-840-CVE-2009-2281
03_CVE-2009-0841
04_CVE-2009-0842
05_CVE-2009-0843
Deleted: packages/mapserver/branches/lenny/debian/patches/02_CVE-2009-0840.dpatch
===================================================================
--- packages/mapserver/branches/lenny/debian/patches/02_CVE-2009-0840.dpatch 2009-07-14 13:06:06 UTC (rev 2352)
+++ packages/mapserver/branches/lenny/debian/patches/02_CVE-2009-0840.dpatch 2009-07-14 13:35:43 UTC (rev 2353)
@@ -1,38 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 02_CVE-2009-0840.dpatch by Alan Boudreault <aboudreault at mapgears.com>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
-
- at DPATCH@
-diff -urNad mapserver-5.0.3~/cgiutil.c mapserver-5.0.3/cgiutil.c
---- mapserver-5.0.3~/cgiutil.c 2007-08-31 17:40:06.000000000 -0400
-+++ mapserver-5.0.3/cgiutil.c 2009-06-08 13:34:21.651859515 -0400
-@@ -41,7 +41,8 @@
- static char *readPostBody( cgiRequestObj *request )
- {
- char *data;
-- int data_max, data_len, chunk_size;
-+ unsigned int data_max, data_len;
-+ int chunk_size;
-
- msIO_needBinaryStdin();
-
-@@ -53,7 +54,7 @@
- data = (char *) malloc(data_max+1);
- if( data == NULL ) {
- msIO_printf("Content-type: text/html%c%c",10,10);
-- msIO_printf("malloc() failed, Content-Length: %d unreasonably large?\n", data_max );
-+ msIO_printf("malloc() failed, Content-Length: %u unreasonably large?\n", data_max );
- exit( 1 );
- }
-
-@@ -83,7 +84,7 @@
-
- if( data == NULL ) {
- msIO_printf("Content-type: text/html%c%c",10,10);
-- msIO_printf("out of memory trying to allocate %d input buffer, POST body too large?\n", data_max+1 );
-+ msIO_printf("out of memory trying to allocate %u input buffer, POST body too large?\n", data_max+1 );
- exit(1);
- }
- }
Added: packages/mapserver/branches/lenny/debian/patches/02_CVE-2009-840-CVE-2009-2281.dpatch
===================================================================
--- packages/mapserver/branches/lenny/debian/patches/02_CVE-2009-840-CVE-2009-2281.dpatch (rev 0)
+++ packages/mapserver/branches/lenny/debian/patches/02_CVE-2009-840-CVE-2009-2281.dpatch 2009-07-14 13:35:43 UTC (rev 2353)
@@ -0,0 +1,101 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 02_CVE-2009-840-CVE-2009-2281.dpatch by Alan Boudreault <aboudreault at mapgears.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad mapserver-5.0.3~/cgiutil.c mapserver-5.0.3/cgiutil.c
+--- mapserver-5.0.3~/cgiutil.c 2007-08-31 17:40:06.000000000 -0400
++++ mapserver-5.0.3/cgiutil.c 2009-07-14 09:04:55.590607889 -0400
+@@ -1,4 +1,5 @@
+ /******************************************************************************
++ * $Id$
+ *
+ * Project: MapServer
+ * Purpose: cgiRequestObj and CGI parameter parsing.
+@@ -41,7 +42,8 @@
+ static char *readPostBody( cgiRequestObj *request )
+ {
+ char *data;
+- int data_max, data_len, chunk_size;
++ size_t data_max, data_len;
++ int chunk_size;
+
+ msIO_needBinaryStdin();
+
+@@ -49,11 +51,17 @@
+ /* If the length is provided, read in one gulp. */
+ /* -------------------------------------------------------------------- */
+ if( getenv("CONTENT_LENGTH") != NULL ) {
+- data_max = atoi(getenv("CONTENT_LENGTH"));
++ data_max = (size_t) atoi(getenv("CONTENT_LENGTH"));
++ /* Test for suspicious CONTENT_LENGTH (negative value or SIZE_MAX) */
++ if( data_max >= SIZE_MAX ) {
++ msIO_printf("Content-type: text/html%c%c",10,10);
++ msIO_printf("Suspicious Content-Length.\n");
++ exit( 1 );
++ }
+ data = (char *) malloc(data_max+1);
+ if( data == NULL ) {
+ msIO_printf("Content-type: text/html%c%c",10,10);
+- msIO_printf("malloc() failed, Content-Length: %d unreasonably large?\n", data_max );
++ msIO_printf("malloc() failed, Content-Length: %u unreasonably large?\n", data_max );
+ exit( 1 );
+ }
+
+@@ -70,7 +78,9 @@
+ /* -------------------------------------------------------------------- */
+ /* Otherwise read in chunks to the end. */
+ /* -------------------------------------------------------------------- */
+- data_max = 10000;
++#define DATA_ALLOC_SIZE 10000
++
++ data_max = DATA_ALLOC_SIZE;
+ data_len = 0;
+ data = (char *) malloc(data_max+1);
+
+@@ -78,12 +88,19 @@
+ data_len += chunk_size;
+
+ if( data_len == data_max ) {
+- data_max = data_max + 10000;
++ /* Realloc buffer, making sure we check for possible size_t overflow */
++ if ( data_max > SIZE_MAX - (DATA_ALLOC_SIZE+1) ) {
++ msIO_printf("Content-type: text/html%c%c",10,10);
++ msIO_printf("Possible size_t overflow, cannot reallocate input buffer, POST body too large?\n" );
++ exit(1);
++ }
++
++ data_max = data_max + DATA_ALLOC_SIZE;
+ data = (char *) realloc(data, data_max+1);
+
+ if( data == NULL ) {
+ msIO_printf("Content-type: text/html%c%c",10,10);
+- msIO_printf("out of memory trying to allocate %d input buffer, POST body too large?\n", data_max+1 );
++ msIO_printf("out of memory trying to allocate %u input buffer, POST body too large?\n", data_max+1 );
+ exit(1);
+ }
+ }
+diff -urNad mapserver-5.0.3~/mapserver.h mapserver-5.0.3/mapserver.h
+--- mapserver-5.0.3~/mapserver.h 2008-06-04 15:43:45.000000000 -0400
++++ mapserver-5.0.3/mapserver.h 2009-07-14 09:04:55.590607889 -0400
+@@ -65,6 +65,10 @@
+
+ /* definition of ms_int32/ms_uint32 */
+ #include <limits.h>
++#ifndef _WIN32
++#include <stdint.h>
++#endif
++
+ #if ULONG_MAX == 0xffffffff
+ typedef long ms_int32;
+ typedef unsigned long ms_uint32;
+@@ -72,7 +76,6 @@
+ typedef int ms_int32;
+ typedef unsigned int ms_uint32;
+ #else
+-#include <stdint.h>
+ typedef int32_t ms_int32;
+ typedef uint32_t ms_uint32;
+ #endif
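Review bot: The new Content-Length guard in readPostBody only rejects -1: `(size_t) atoi(...)` maps -1 to SIZE_MAX, but any other negative value (and any input where atoi overflows, which is undefined) converts to a large size_t that passes `data_max >= SIZE_MAX`, so only a failing malloc() stops it. Parse the header with strtol, reject empty, non-numeric, negative and out-of-range input before converting, and only then assign data_max, as sketched below; this uses errno, so cgiutil.c needs `<errno.h>` if it does not already include it. Separately, the two messages changed to `%u` now receive a size_t, which is a format mismatch wherever size_t is wider than unsigned int; pass `(unsigned long) data_max` with `%lu` instead. The body of readPostBody continues outside the embedded hunks, so the read that consumes data_max is not visible here.

```c
  if( getenv("CONTENT_LENGTH") != NULL ) {
    const char *len_str = getenv("CONTENT_LENGTH");
    char *end = NULL;
    long len;

    errno = 0;
    len = strtol(len_str, &end, 10);
    /* Reject empty, non-numeric, negative and out-of-range values before the cast */
    if( end == len_str || *end != '\0' || errno == ERANGE
        || len < 0 || (unsigned long) len >= SIZE_MAX ) {
      msIO_printf("Content-type: text/html%c%c",10,10);
      msIO_printf("Suspicious Content-Length.\n");
      exit( 1 );
    }
    data_max = (size_t) len;
    /* … unchanged: malloc(data_max+1) and its NULL check … */
```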
Property changes on: packages/mapserver/branches/lenny/debian/patches/02_CVE-2009-840-CVE-2009-2281.dpatch
___________________________________________________________________
Added: svn:executable
+ *
Modified: packages/mapserver/branches/lenny/debian/rules
===================================================================
--- packages/mapserver/branches/lenny/debian/rules 2009-07-14 13:06:06 UTC (rev 2352)
+++ packages/mapserver/branches/lenny/debian/rules 2009-07-14 13:35:43 UTC (rev 2353)
@@ -7,7 +7,7 @@
# This has to be exported to make some magic below work.
export DH_OPTIONS
-
+
package=mapserver
version=$(shell expr `pwd` : '.*-\([0-9.]*\)')