[DebianGIS-dev] r2286 - in packages/mapserver/branches/lenny/debian: . patches
aboudreault-guest at alioth.debian.org
aboudreault-guest at alioth.debian.org
Mon Jun 15 13:46:55 UTC 2009
Author: aboudreault-guest
Date: 2009-06-15 13:46:54 +0000 (Mon, 15 Jun 2009)
New Revision: 2286
Added:
packages/mapserver/branches/lenny/debian/patches/01_CVE-2009-0839.dpatch
packages/mapserver/branches/lenny/debian/patches/02_CVE-2009-0840.dpatch
packages/mapserver/branches/lenny/debian/patches/03_CVE-2009-0841.dpatch
packages/mapserver/branches/lenny/debian/patches/04_CVE-2009-0842.dpatch
packages/mapserver/branches/lenny/debian/patches/05_CVE-2009-0843.dpatch
Modified:
packages/mapserver/branches/lenny/debian/changelog
packages/mapserver/branches/lenny/debian/patches/00list
Log:
Adding patches for several vulnerabilities
Modified: packages/mapserver/branches/lenny/debian/changelog
===================================================================
--- packages/mapserver/branches/lenny/debian/changelog 2009-06-15 13:20:24 UTC (rev 2285)
+++ packages/mapserver/branches/lenny/debian/changelog 2009-06-15 13:46:54 UTC (rev 2286)
@@ -1,3 +1,13 @@
+mapserver (5.0.3-3+lenny1) stable-security; urgency=high
+
+ * Fix stack-based buffer overflow (CVE-2009-0839).
+ * Fix heap-based buffer underflow (CVE-2009-0840).
+ * Fix relative file path writing (CVE-2009-0841).
+ * Fix file data leakage (CVE-2009-0842).
+ * Fix file existence leakage (CVE-2009-0843).
+
+ -- Alan Boudreault <aboudreault at mapgears.com> Thu, 04 Jun 2009 13:49:50 -0400
+
mapserver (5.0.3-3) unstable; urgency=low
* Updated sv.po template.
Modified: packages/mapserver/branches/lenny/debian/patches/00list
===================================================================
--- packages/mapserver/branches/lenny/debian/patches/00list 2009-06-15 13:20:24 UTC (rev 2285)
+++ packages/mapserver/branches/lenny/debian/patches/00list 2009-06-15 13:46:54 UTC (rev 2286)
@@ -1,3 +1,8 @@
50_clean
70_ptrreturn
80_gdal_lib
+01_CVE-2009-0839
+02_CVE-2009-0840
+03_CVE-2009-0841
+04_CVE-2009-0842
+05_CVE-2009-0843
Added: packages/mapserver/branches/lenny/debian/patches/01_CVE-2009-0839.dpatch
===================================================================
--- packages/mapserver/branches/lenny/debian/patches/01_CVE-2009-0839.dpatch (rev 0)
+++ packages/mapserver/branches/lenny/debian/patches/01_CVE-2009-0839.dpatch 2009-06-15 13:46:54 UTC (rev 2286)
@@ -0,0 +1,189 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 01_CVE-2009-0839.dpatch by Alan Boudreault <aboudreault at mapgears.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad mapserver-5.0.3~/mapserv.c mapserver-5.0.3/mapserv.c
+--- mapserver-5.0.3~/mapserv.c 2007-09-10 09:51:19.000000000 -0400
++++ mapserver-5.0.3/mapserv.c 2009-06-08 13:33:31.870603634 -0400
+@@ -197,10 +197,23 @@
+ } else {
+ if(getenv(msObj->request->ParamValues[i])) /* an environment references the actual file to use */
+ map = msLoadMap(getenv(msObj->request->ParamValues[i]), NULL);
+- else
++ else {
++ /* by here we know the request isn't for something in an environment variable */
++ if(getenv("MS_MAP_NO_PATH")) {
++ msSetError(MS_WEBERR, "Mapfile not found in environment variables and this server is not configured for full paths.", "loadMap()");
++ writeError();
++ }
++
++ if(getenv("MS_MAP_PATTERN") && msEvalRegex(getenv("MS_MAP_PATTERN"), msObj->request->ParamValues[i]) != MS_TRUE) {
++ msSetError(MS_WEBERR, "Parameter 'map' value fails to validate.", "loadMap()");
++ writeError();
++ }
++
++ /* ok to try to load now */
+ map = msLoadMap(msObj->request->ParamValues[i], NULL);
++ }
+ }
+-
++
+ if(!map) writeError();
+
+ /* check for any %variable% substitutions here, also do any map_ changes, we do this here so WMS/WFS */
+@@ -357,6 +370,10 @@
+ }
+
+ if(strcasecmp(msObj->request->ParamNames[i],"id") == 0) {
++ if(msEvalRegex(IDPATTERN, msObj->request->ParamValues[i]) == MS_FALSE) {
++ msSetError(MS_WEBERR, "Parameter 'id' value fails to validate.", "loadMap()");
++ writeError();
++ }
+ strncpy(msObj->Id, msObj->request->ParamValues[i], IDSIZE);
+ continue;
+ }
+@@ -1207,7 +1224,7 @@
+ loadForm();
+
+ if(msObj->SaveMap) {
+- sprintf(buffer, "%s%s%s.map", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id);
++ snprintf(buffer, sizeof(buffer), "%s%s%s.map", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id);
+ if(msSaveMap(msObj->Map, buffer) == -1) writeError();
+ }
+
+diff -urNad mapserver-5.0.3~/mapserver.h mapserver-5.0.3/mapserver.h
+--- mapserver-5.0.3~/mapserver.h 2008-06-04 15:43:45.000000000 -0400
++++ mapserver-5.0.3/mapserver.h 2009-06-08 13:33:31.870603634 -0400
+@@ -150,7 +150,9 @@
+ /* General defines, not wrapable */
+ #ifndef SWIG
+ #define MS_DEFAULT_MAPFILE_PATTERN "\\.map$"
+-#define MS_TEMPLATE_EXPR "\\.(jsp|asp|cfm|xml|wml|html|htm|shtml|phtml|php|svg)$"
++
++#define MS_TEMPLATE_MAGIC_STRING "MapServer Template"
++#define MS_TEMPLATE_EXPR "\\.(xml|wml|html|htm|svg|kml|gml|js|tmpl)$"
+
+ #define MS_INDEX_EXTENSION ".qix"
+ #define MS_QUERY_EXTENSION ".qy"
+diff -urNad mapserver-5.0.3~/maptemplate.c mapserver-5.0.3/maptemplate.c
+--- mapserver-5.0.3~/maptemplate.c 2007-08-24 14:22:05.000000000 -0400
++++ mapserver-5.0.3/maptemplate.c 2009-06-08 13:33:31.870603634 -0400
+@@ -40,6 +40,20 @@
+
+ char *processLine(mapservObj* msObj, char* instr, int mode);
+
++static int isValidTemplate(FILE *stream, const char *filename)
++{
++ char buffer[MS_BUFFER_LENGTH];
++
++ if(fgets(buffer, MS_BUFFER_LENGTH, stream) != NULL) {
++ if(!msCaseFindSubstring(buffer, MS_TEMPLATE_MAGIC_STRING)) {
++ msSetError(MS_WEBERR, "Missing magic string, %s doesn't look like a MapServer template.", "isValidTemplate()", filename);
++ return MS_FALSE;
++ }
++ }
++
++ return MS_TRUE;
++}
++
+ /*
+ * Redirect to (only use in CGI)
+ *
+@@ -200,7 +214,7 @@
+ img = msDrawMap(msObj->Map, MS_TRUE);
+ if(!img) return MS_FAILURE;
+
+- snprintf(buffer, 1024, "%s%s%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
++ snprintf(buffer, sizeof(buffer), "%s%s%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
+
+ status = msSaveImage(msObj->Map, img, buffer);
+ if(status != MS_SUCCESS) return status;
+@@ -211,7 +225,7 @@
+ {
+ img = msDrawLegend(msObj->Map, MS_FALSE);
+ if(!img) return MS_FAILURE;
+- snprintf(buffer, 1024, "%s%sleg%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
++ snprintf(buffer, sizeof(buffer), "%s%sleg%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
+ status = msSaveImage(msObj->Map, img, buffer);
+ if(status != MS_SUCCESS) return status;
+ msFreeImage(img);
+@@ -221,7 +235,7 @@
+ {
+ img = msDrawScalebar(msObj->Map);
+ if(!img) return MS_FAILURE;
+- snprintf(buffer, 1024, "%s%ssb%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
++ snprintf(buffer, sizeof(buffer), "%s%ssb%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
+ status = msSaveImage( msObj->Map, img, buffer);
+ if(status != MS_SUCCESS) return status;
+ msFreeImage(img);
+@@ -231,7 +245,7 @@
+ {
+ img = msDrawReferenceMap(msObj->Map);
+ if(!img) return MS_FAILURE;
+- snprintf(buffer, 1024, "%s%sref%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
++ snprintf(buffer, sizeof(buffer), "%s%sref%s.%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_IMAGE_EXTENSION(msObj->Map->outputformat));
+ status = msSaveImage(msObj->Map, img, buffer);
+ if(status != MS_SUCCESS) return status;
+ msFreeImage(img);
+@@ -2392,6 +2406,11 @@
+ return(NULL);
+ }
+
++ if(isValidTemplate(stream, join->header) != MS_TRUE) {
++ fclose(stream);
++ return NULL;
++ }
++
+ /* echo file to the output buffer, no substitutions */
+ while(fgets(line, MS_BUFFER_LENGTH, stream) != NULL) outbuf = msStringConcatenate(outbuf, line);
+
+@@ -2402,7 +2421,12 @@
+ msSetError(MS_IOERR, "Error while opening join template file %s.", "processOneToManyJoin()", join->template);
+ return(NULL);
+ }
+-
++
++ if(isValidTemplate(stream, join->template) != MS_TRUE) {
++ fclose(stream);
++ return NULL;
++ }
++
+ records = MS_TRUE;
+ }
+
+@@ -2417,6 +2441,7 @@
+ }
+
+ rewind(stream);
++ fgets(line, MS_BUFFER_LENGTH, stream); /* skip the first line since it's the magic string */
+ } /* next record */
+
+ if(records==MS_TRUE && join->footer) {
+@@ -2425,6 +2450,11 @@
+ return(NULL);
+ }
+
++ if(isValidTemplate(stream, join->footer) != MS_TRUE) {
++ fclose(stream);
++ return NULL;
++ }
++
+ /* echo file to the output buffer, no substitutions */
+ while(fgets(line, MS_BUFFER_LENGTH, stream) != NULL) outbuf = msStringConcatenate(outbuf, line);
+
+diff -urNad mapserver-5.0.3~/maptemplate.h mapserver-5.0.3/maptemplate.h
+--- mapserver-5.0.3~/maptemplate.h 2007-08-30 09:52:07.000000000 -0400
++++ mapserver-5.0.3/maptemplate.h 2009-06-08 13:33:31.860604977 -0400
+@@ -33,7 +33,8 @@
+ #include "mapserver.h"
+ #include "maphash.h"
+
+-#define IDSIZE 128
++#define IDPATTERN "^[0-9A-Za-z]{1,63}$"
++#define IDSIZE 64
+ #define TEMPLATE_TYPE(s) (((strncmp("http://", s, 7) == 0) || (strncmp("https://", s, 8) == 0) || (strncmp("ftp://", s, 6)) == 0) ? MS_URL : MS_FILE)
+ #define MAXZOOM 25
+ #define MINZOOM -25
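Review bot: isValidTemplate, at `if(fgets(buffer, MS_BUFFER_LENGTH, stream) != NULL)`, returns MS_TRUE when fgets returns nothing, so an empty file or a failed first read passes the magic-string check that the join template loading further down now relies on; folding the read into the test, `if(fgets(buffer, MS_BUFFER_LENGTH, stream) == NULL || !msCaseFindSubstring(buffer, MS_TEMPLATE_MAGIC_STRING)) {` with the existing msSetError and `return MS_FALSE;` kept inside, makes "no first line" a rejection too. The three `if(isValidTemplate(...) != MS_TRUE)` early returns in processOneToManyJoin close stream but never free outbuf; that function starts outside this hunk, so whether outbuf can already be non-NULL at those points cannot be confirmed from here. The sprintf-to-snprintf conversions in mapserv.c and maptemplate.c, like the one in 03_CVE-2009-0841.dpatch, stop the overflow but truncate silently, so an over-long imagepath/name/Id combination yields a different file name than intended; capturing the result as `int n = snprintf(...)` and following it with `if(n < 0 || (size_t)n >= sizeof(buffer)) writeError();` turns that into an error. Those conversions also assume buffer is a local array rather than a pointer, which the hunk context does not show.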
Property changes on: packages/mapserver/branches/lenny/debian/patches/01_CVE-2009-0839.dpatch
___________________________________________________________________
Added: svn:executable
+ *
Added: packages/mapserver/branches/lenny/debian/patches/02_CVE-2009-0840.dpatch
===================================================================
--- packages/mapserver/branches/lenny/debian/patches/02_CVE-2009-0840.dpatch (rev 0)
+++ packages/mapserver/branches/lenny/debian/patches/02_CVE-2009-0840.dpatch 2009-06-15 13:46:54 UTC (rev 2286)
@@ -0,0 +1,38 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 02_CVE-2009-0840.dpatch by Alan Boudreault <aboudreault at mapgears.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad mapserver-5.0.3~/cgiutil.c mapserver-5.0.3/cgiutil.c
+--- mapserver-5.0.3~/cgiutil.c 2007-08-31 17:40:06.000000000 -0400
++++ mapserver-5.0.3/cgiutil.c 2009-06-08 13:34:21.651859515 -0400
+@@ -41,7 +41,8 @@
+ static char *readPostBody( cgiRequestObj *request )
+ {
+ char *data;
+- int data_max, data_len, chunk_size;
++ unsigned int data_max, data_len;
++ int chunk_size;
+
+ msIO_needBinaryStdin();
+
+@@ -53,7 +54,7 @@
+ data = (char *) malloc(data_max+1);
+ if( data == NULL ) {
+ msIO_printf("Content-type: text/html%c%c",10,10);
+- msIO_printf("malloc() failed, Content-Length: %d unreasonably large?\n", data_max );
++ msIO_printf("malloc() failed, Content-Length: %u unreasonably large?\n", data_max );
+ exit( 1 );
+ }
+
+@@ -83,7 +84,7 @@
+
+ if( data == NULL ) {
+ msIO_printf("Content-type: text/html%c%c",10,10);
+- msIO_printf("out of memory trying to allocate %d input buffer, POST body too large?\n", data_max+1 );
++ msIO_printf("out of memory trying to allocate %u input buffer, POST body too large?\n", data_max+1 );
+ exit(1);
+ }
+ }
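Review bot: `data = (char *) malloc(data_max+1);` is left as is while data_max becomes unsigned, so a Content-Length that parses to UINT_MAX makes `data_max+1` wrap to 0, and a successful malloc(0) leaves a zero-byte buffer for the body copy that follows; how the header is parsed is outside this hunk, so whether such a value can reach this line depends on that code. Rejecting the extreme before allocating, `if( data_max == UINT_MAX ) { msIO_printf("Content-type: text/html%c%c",10,10); msIO_printf("Content-Length unreasonably large\n"); exit( 1 ); }` (UINT_MAX from <limits.h>), or capping data_max at a sane maximum body size, closes that. chunk_size stays `int` while data_len and data_max are now unsigned, so any comparison or subtraction mixing them in the read loop is evaluated in unsigned arithmetic; readPostBody continues past the end of the hunk, so those expressions cannot be checked here.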
Property changes on: packages/mapserver/branches/lenny/debian/patches/02_CVE-2009-0840.dpatch
___________________________________________________________________
Added: svn:executable
+ *
Added: packages/mapserver/branches/lenny/debian/patches/03_CVE-2009-0841.dpatch
===================================================================
--- packages/mapserver/branches/lenny/debian/patches/03_CVE-2009-0841.dpatch (rev 0)
+++ packages/mapserver/branches/lenny/debian/patches/03_CVE-2009-0841.dpatch 2009-06-15 13:46:54 UTC (rev 2286)
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 03_CVE-2009-0841.dpatch by Alan Boudreault <aboudreault at mapgears.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad mapserver-5.0.3~/mapserv.c mapserver-5.0.3/mapserv.c
+--- mapserver-5.0.3~/mapserv.c 2007-09-10 09:51:19.000000000 -0400
++++ mapserver-5.0.3/mapserv.c 2009-06-08 13:35:11.130609480 -0400
+@@ -1585,7 +1585,7 @@
+ if(msReturnTemplateQuery(msObj, msObj->Map->web.queryformat, NULL) != MS_SUCCESS) writeError();
+
+ if(msObj->SaveQuery) {
+- sprintf(buffer, "%s%s%s%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_QUERY_EXTENSION);
++ snprintf(buffer, sizeof(buffer), "%s%s%s%s", msObj->Map->web.imagepath, msObj->Map->name, msObj->Id, MS_QUERY_EXTENSION);
+ if((status = msSaveQuery(msObj->Map, buffer)) != MS_SUCCESS) return status;
+ }
+ }
Property changes on: packages/mapserver/branches/lenny/debian/patches/03_CVE-2009-0841.dpatch
___________________________________________________________________
Added: svn:executable
+ *
Added: packages/mapserver/branches/lenny/debian/patches/04_CVE-2009-0842.dpatch
===================================================================
--- packages/mapserver/branches/lenny/debian/patches/04_CVE-2009-0842.dpatch (rev 0)
+++ packages/mapserver/branches/lenny/debian/patches/04_CVE-2009-0842.dpatch 2009-06-15 13:46:54 UTC (rev 2286)
@@ -0,0 +1,120 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 04_CVE-2009-0842.dpatch by Alan Boudreault <aboudreault at mapgears.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad mapserver-5.0.3~/mapfile.c mapserver-5.0.3/mapfile.c
+--- mapserver-5.0.3~/mapfile.c 2008-01-20 11:11:29.000000000 -0500
++++ mapserver-5.0.3/mapfile.c 2009-06-08 13:35:53.641855604 -0400
+@@ -4228,10 +4228,20 @@
+ static int loadMapInternal(mapObj *map)
+ {
+ int i,j,k;
++ int foundMapToken=MS_FALSE;
++ int token;
+
+ for(;;) {
+
+- switch(msyylex()) {
++ token = msyylex();
++
++ if(!foundMapToken && token != MAP) {
++ msSetError(MS_IDENTERR, "First token must be MAP, this doesn't look like a mapfile.", "msLoadMap()");
++ return(MS_FAILURE);
++ }
++
++ switch(token) {
++
+
+ case(CONFIG):
+ {
+@@ -4358,6 +4368,7 @@
+ if(loadLegend(&(map->legend), map) == -1) return MS_FAILURE;
+ break;
+ case(MAP):
++ foundMapToken = MS_TRUE;
+ break;
+ case(MAXSIZE):
+ if(getInteger(&(map->maxsize)) == -1) return MS_FAILURE;
+diff -urNad mapserver-5.0.3~/mapsymbol.c mapserver-5.0.3/mapsymbol.c
+--- mapserver-5.0.3~/mapsymbol.c 2007-11-08 10:19:29.000000000 -0500
++++ mapserver-5.0.3/mapsymbol.c 2009-06-08 13:35:53.651858522 -0400
+@@ -616,7 +616,7 @@
+ int msLoadSymbolSet(symbolSetObj *symbolset, mapObj *map)
+ {
+ int retval = MS_FAILURE;
+-
++
+ msAcquireLock( TLOCK_PARSER );
+ retval = loadSymbolSet( symbolset, map );
+ msReleaseLock( TLOCK_PARSER );
+@@ -631,6 +631,9 @@
+ int status=1;
+ char szPath[MS_MAXPATHLEN], *pszSymbolPath=NULL;
+
++ int foundSymbolSetToken=MS_FALSE;
++ int token;
++
+ if(!symbolset) {
+ msSetError(MS_SYMERR, "Symbol structure unallocated.", "loadSymbolSet()");
+ return(-1);
+@@ -657,7 +660,15 @@
+ ** Read the symbol file
+ */
+ for(;;) {
+- switch(msyylex()) {
++
++ token = msyylex();
++
++ if(!foundSymbolSetToken && token != SYMBOLSET) {
++ msSetError(MS_IDENTERR, "First token must be SYMBOLSET, this doesn't look like a symbol file.", "msLoadSymbolSet()");
++ return(-1);
++ }
++
++ switch(token) {
+ case(END):
+ case(EOF):
+ status = 0;
+@@ -673,6 +684,7 @@
+ symbolset->numsymbols++;
+ break;
+ case(SYMBOLSET):
++ foundSymbolSetToken = MS_TRUE;
+ break;
+ default:
+ msSetError(MS_IDENTERR, "Parsing error near (%s):(line %d)", "loadSymbolSet()", msyytext, msyylineno);
+diff -urNad mapserver-5.0.3~/tests/symbols.txt mapserver-5.0.3/tests/symbols.txt
+--- mapserver-5.0.3~/tests/symbols.txt 2004-11-18 10:07:36.000000000 -0500
++++ mapserver-5.0.3/tests/symbols.txt 2009-06-08 13:35:53.651858522 -0400
+@@ -1,22 +1,22 @@
+-
+-SYMBOL
++SYMBOLSET
++ SYMBOL
+ NAME 'circle'
+ TYPE ellipse
+ FILLED true
+ POINTS
+ 1 1
+ END
+-END
++ END
+
+-SYMBOL
++ SYMBOL
+ NAME 'xmarks-png'
+ TYPE PIXMAP
+ IMAGE 'xmarks.png'
+-END
++ END
+
+-SYMBOL
++ SYMBOL
+ NAME 'home-png'
+ TYPE PIXMAP
+ IMAGE 'home.png'
++ END
+ END
+-
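Review bot: The new MS_IDENTERR messages name the public wrappers, `"msLoadMap()"` in loadMapInternal and `"msLoadSymbolSet()"` in loadSymbolSet, as the failing routine, while the neighbouring `default` case in loadSymbolSet reports `"loadSymbolSet()"`; using the function that actually raises the error keeps the routine field consistent and points maintainers at the right place. The first-token check in loadSymbolSet does `return(-1)` from inside the parse loop; the existing error paths and any cleanup of the lexer input or opened symbol file that follow the loop are outside this hunk, so it is worth confirming that this early return does not skip them, and likewise for the `return(MS_FAILURE)` in loadMapInternal. `switch(token) {` in loadMapInternal is followed by two blank lines, which is stray whitespace. Both functions continue outside the hunk.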
Property changes on: packages/mapserver/branches/lenny/debian/patches/04_CVE-2009-0842.dpatch
___________________________________________________________________
Added: svn:executable
+ *
Added: packages/mapserver/branches/lenny/debian/patches/05_CVE-2009-0843.dpatch
===================================================================
--- packages/mapserver/branches/lenny/debian/patches/05_CVE-2009-0843.dpatch (rev 0)
+++ packages/mapserver/branches/lenny/debian/patches/05_CVE-2009-0843.dpatch 2009-06-15 13:46:54 UTC (rev 2286)
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 05_CVE-2009-0843.dpatch by Alan Boudreault <aboudreault at mapgears.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad mapserver-5.0.3~/mapquery.c mapserver-5.0.3/mapquery.c
+--- mapserver-5.0.3~/mapquery.c 2008-05-05 10:46:11.000000000 -0400
++++ mapserver-5.0.3/mapquery.c 2009-06-08 13:36:44.410605642 -0400
+@@ -120,6 +120,11 @@
+ return(MS_FAILURE);
+ }
+
++ /*
++ ** Make sure the file at least has the right extension.
++ */
++ if(msEvalRegex("\\.qy$", filename) != MS_TRUE) return MS_FAILURE;
++
+ stream = fopen(filename, "rb");
+ if(!stream) {
+ msSetError(MS_IOERR, "(%s)", "msLoadQuery()", filename);
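Review bot: The rejection at `if(msEvalRegex("\\.qy$", filename) != MS_TRUE) return MS_FAILURE;` returns failure without recording an error, unlike the fopen path right below it, so a caller that reports the error stack after a rejected filename shows a stale or empty message; `if(msEvalRegex("\\.qy$", filename) != MS_TRUE) { msSetError(MS_MISCERR, "Query file name must end in .qy.", "msLoadQuery()"); return MS_FAILURE; }` keeps it consistent, unless msEvalRegex itself sets an error on mismatch, which cannot be seen here. The literal `"\\.qy$"` also duplicates MS_QUERY_EXTENSION from mapserver.h (visible in 01_CVE-2009-0839.dpatch), so the two can drift apart if the extension is ever changed. msLoadQuery begins outside this hunk.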
Property changes on: packages/mapserver/branches/lenny/debian/patches/05_CVE-2009-0843.dpatch
___________________________________________________________________
Added: svn:executable
+ *