[SCM] mapserver branch, wheezy, updated. upstream/6.0.1-40-g61b1364
Bas Couwenberg
sebastic at xs4all.nl
Wed Jan 8 21:29:15 UTC 2014
The following commit has been merged in the wheezy branch:
commit 61b13642dc297ebf8e3fc0119b13c109972c93ac
Author: Bas Couwenberg <sebastic at xs4all.nl>
Date: Wed Jan 8 22:28:39 2014 +0100
Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c. (closes: #734565)
diff --git a/debian/changelog b/debian/changelog
index a674b80..8683fe2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+mapserver (6.0.1-3.2+deb7u2) wheezy-security; urgency=high
+
+ * Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the
+ msPostGISLayerSetTimeFilter function in mappostgis.c.
+ (closes: #734565)
+
+ -- Bas Couwenberg <sebastic at xs4all.nl> Wed, 08 Jan 2014 21:52:08 +0100
+
mapserver (6.0.1-3.2+deb7u1) stable-proposed-updates; urgency=low
[ Francesco Paolo Lovergine ]
diff --git a/debian/patches/cve-2013-7262 b/debian/patches/cve-2013-7262
new file mode 100644
index 0000000..ec15bb7
--- /dev/null
+++ b/debian/patches/cve-2013-7262
@@ -0,0 +1,20 @@
+Description: Fix potential SQL Injection with postgis TIME filters.
+Origin: https://github.com/mapserver/mapserver/commit/3f0ee57b12d482e0ff5611d05afd32408949f7f9
+Author: Even Rouault <even.rouault at mines-paris.org>
+Bug: https://github.com/mapserver/mapserver/issues/4834
+Bug-Debian: http://bugs.debian.org/734565
+Last-Update: 2013-01-08
+--- a/mappostgis.c
++++ b/mappostgis.c
+@@ -2961,6 +2961,11 @@ int msPostGISLayerSetTimeFilter(layerObj
+ if (!lp || !timestring || !timefield)
+ return MS_FALSE;
+
++ if( strchr(timestring,'\'') || strchr(timestring, '\\') ) {
++ msSetError(MS_MISCERR, "Invalid time filter.", "msPostGISLayerSetTimeFilter()");
++ return MS_FALSE;
++ }
++
+ if (strstr(timestring, ",") == NULL &&
+ strstr(timestring, "/") == NULL) /* discrete time */
+ tmpstimestring = msStrdup(timestring);
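Review bot: the DEP-3 header line `+Last-Update: 2013-01-08` is inconsistent with the rest of this commit, which is dated 8 January 2014 (the changelog entry and the commit date both say 2014), so it should read `Last-Update: 2014-01-08`. The added check itself is sound for the stated purpose: rejecting any `timestring` containing `'` or `\` before it reaches the SQL builder closes the quoting path that CVE-2013-7262 describes, and because it rejects rather than escapes, the only behavioural change for callers is that such values now fail with `MS_MISCERR` instead of being interpolated. It would help future readers if the `Description:` line mentioned that rejection (not escaping) was the chosen fix, since the generic message `"Invalid time filter."` gives no hint about which character was refused.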
diff --git a/debian/patches/series b/debian/patches/series
index 38b6725..17ec2a1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ fixgeos
php54
multiarch-libgd
contenttype
+cve-2013-7262