Bug#855170: unblock: mapserver/7.0.4-2
Bas Couwenberg
sebastic at xs4all.nl
Tue Feb 14 21:57:17 UTC 2017
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
Please unblock package mapserver
The attached debdiff contains two patches.
The first fixes a DoS and was reported to me privately by Landry Breuil.
The second is not strictly required for unstable, it fixes a FTBFS issue
with PHP 5. It is required for the OSGeo-Live derivative which uses the
source package maintained in Debian.
unblock mapserver/7.0.4-2
Kind Regards,
Bas
-------------- next part --------------
diff -Nru mapserver-7.0.4/debian/changelog mapserver-7.0.4/debian/changelog
--- mapserver-7.0.4/debian/changelog 2017-01-16 19:38:29.000000000 +0100
+++ mapserver-7.0.4/debian/changelog 2017-02-14 18:29:54.000000000 +0100
@@ -1,3 +1,11 @@
+mapserver (7.0.4-2) unstable; urgency=medium
+
+ * Add patch to use include paths from php-config.
+ * Add patch by Landry Breuil to fix memory corruption/double-free
+ when LAYERS parameter is specified multiple times.
+
+ -- Bas Couwenberg <sebastic at debian.org> Tue, 14 Feb 2017 18:29:54 +0100
+
mapserver (7.0.4-1) unstable; urgency=high
* New upstream release.
diff -Nru mapserver-7.0.4/debian/patches/0001-Declare-nLayerOrder-where-it-s-used.-5387.patch mapserver-7.0.4/debian/patches/0001-Declare-nLayerOrder-where-it-s-used.-5387.patch
--- mapserver-7.0.4/debian/patches/0001-Declare-nLayerOrder-where-it-s-used.-5387.patch 1970-01-01 01:00:00.000000000 +0100
+++ mapserver-7.0.4/debian/patches/0001-Declare-nLayerOrder-where-it-s-used.-5387.patch 2017-02-14 18:23:46.000000000 +0100
@@ -0,0 +1,25 @@
+Description: Declare nLayerOrder where it's used.
+ If LAYERS is specified multiple times in the query string, nLayerOrder isnt
+ reset to 0, and this leads to memory corruption/double-free's upon exit.
+Author: Landry Breuil <breuil at craig.fr>
+Origin: https://github.com/mapserver/mapserver/commit/132695864b27bb6fced9a866f35365f445889a00
+Bug: https://github.com/mapserver/mapserver/issues/5387
+
+--- a/mapwms.c
++++ b/mapwms.c
+@@ -791,7 +791,6 @@ int msWMSLoadGetMapParams(mapObj *map, i
+ const char *wms_request, owsRequestObj *ows_request)
+ {
+ int i, adjust_extent = MS_FALSE, nonsquare_enabled = MS_FALSE;
+- int nLayerOrder = 0;
+ int transparent = MS_NOOVERRIDE;
+ int bbox_pixel_is_point = MS_FALSE;
+ outputFormatObj *format = NULL;
+@@ -870,6 +869,7 @@ int msWMSLoadGetMapParams(mapObj *map, i
+
+ if (strcasecmp(names[i], "LAYERS") == 0) {
+ int j, k, iLayer, *layerOrder;
++ int nLayerOrder = 0;
+ char ***nestedGroups = NULL;
+ int *numNestedGroups = NULL;
+ int *isUsedInNestedGroup = NULL;
diff -Nru mapserver-7.0.4/debian/patches/php-mapscript.patch mapserver-7.0.4/debian/patches/php-mapscript.patch
--- mapserver-7.0.4/debian/patches/php-mapscript.patch 1970-01-01 01:00:00.000000000 +0100
+++ mapserver-7.0.4/debian/patches/php-mapscript.patch 2017-02-14 18:24:48.000000000 +0100
@@ -0,0 +1,18 @@
+Description: Use include paths from php-config when include path not found.
+Author: Bas Couwenberg <sebastic at debian.org>
+Forwarded: https://github.com/mapserver/mapserver/pull/5370
+Applied-Upstream: https://github.com/mapserver/mapserver/commit/37a70fff4ab54f12619833414cb1995643f7a10d
+
+--- a/cmake/FindPHP5.cmake
++++ b/cmake/FindPHP5.cmake
+@@ -86,6 +86,10 @@ IF(PHP5_CONFIG_EXECUTABLE)
+
+ MESSAGE(STATUS ${PHP5_MAIN_INCLUDE_DIR})
+
++ IF(NOT PHP5_INCLUDE_PATH)
++ set(PHP5_INCLUDE_PATH ${PHP5_INCLUDES})
++ ENDIF(NOT PHP5_INCLUDE_PATH)
++
+ IF(PHP5_VERSION LESS 5)
+ MESSAGE(FATAL_ERROR "PHP version is not 5 or later")
+ ENDIF(PHP5_VERSION LESS 5)
diff -Nru mapserver-7.0.4/debian/patches/series mapserver-7.0.4/debian/patches/series
--- mapserver-7.0.4/debian/patches/series 2017-01-07 11:15:20.000000000 +0100
+++ mapserver-7.0.4/debian/patches/series 2017-02-14 18:23:42.000000000 +0100
@@ -2,3 +2,5 @@
perl-mapscript-install.patch
ruby-mapscript-install.patch
java-hardening.patch
+php-mapscript.patch
+0001-Declare-nLayerOrder-where-it-s-used.-5387.patch
More information about the Pkg-grass-devel
mailing list