Bug#886589: stretch-pu: package mapproxy/1.9.0-3+deb9u1
Bas Couwenberg
sebastic at xs4all.nl
Sun Jan 7 21:19:26 UTC 2018
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org at packages.debian.org
Usertags: pu
To fix CVE-2017-1000426 (a cross-site scripting issue in the MapProxy demo
service) an update of mapproxy for stretch has been prepared, but the
security team doesn't consider the issue severe enough to warrant a DSA.
Is this change okay to upload to proposed-updates?
Kind Regards,
Bas
diff -Nru mapproxy-1.9.0/debian/changelog mapproxy-1.9.0/debian/changelog
--- mapproxy-1.9.0/debian/changelog 2016-08-22 11:56:27.000000000 +0200
+++ mapproxy-1.9.0/debian/changelog 2018-01-07 09:33:15.000000000 +0100
@@ -1,3 +1,11 @@
+mapproxy (1.9.0-3+deb9u1) stretch; urgency=medium
+
+ * Update branch in gbp.conf & Vcs-Git URL.
+ * Add upstream patch to fix Cross Site Scripting (XSS) issue in demo service.
+ Fixes CVE-2017-1000426.
+
+ -- Bas Couwenberg <sebastic at debian.org> Sun, 07 Jan 2018 09:33:15 +0100
+
mapproxy (1.9.0-3) unstable; urgency=medium
* Add access_contraints patch ignored by .gitignore.
diff -Nru mapproxy-1.9.0/debian/control mapproxy-1.9.0/debian/control
--- mapproxy-1.9.0/debian/control 2016-08-14 12:48:50.000000000 +0200
+++ mapproxy-1.9.0/debian/control 2018-01-07 09:33:15.000000000 +0100
@@ -37,7 +37,7 @@
xsltproc
Standards-Version: 3.9.8
Vcs-Browser: https://anonscm.debian.org/cgit/pkg-grass/mapproxy.git
-Vcs-Git: https://anonscm.debian.org/git/pkg-grass/mapproxy.git
+Vcs-Git: https://anonscm.debian.org/git/pkg-grass/mapproxy.git -b stretch
Homepage: http://mapproxy.org/
X-Python-Version: >= 2.7
diff -Nru mapproxy-1.9.0/debian/gbp.conf mapproxy-1.9.0/debian/gbp.conf
--- mapproxy-1.9.0/debian/gbp.conf 2016-08-14 12:48:50.000000000 +0200
+++ mapproxy-1.9.0/debian/gbp.conf 2018-01-07 09:33:15.000000000 +0100
@@ -6,7 +6,7 @@
# The default name for the Debian branch is "master".
# Change it if the name is different (for instance, "debian/unstable").
-debian-branch = master
+debian-branch = stretch
# git-import-orig uses the following names for the upstream tags.
# Change the value if you are not using git-import-orig
diff -Nru mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch
--- mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch 1970-01-01 01:00:00.000000000 +0100
+++ mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch 2018-01-07 09:33:15.000000000 +0100
@@ -0,0 +1,66 @@
+Description: demo: escape args to avoid XSS
+ Fixes CVE-2017-1000426,
+Author: Oliver Tonnhofer <olt at bogosoft.com>
+Origin: https://github.com/mapproxy/mapproxy/commit/87faa667007b00ef11ee09b16707aa9ad2e8da28
+
+--- a/mapproxy/service/demo.py
++++ b/mapproxy/service/demo.py
+@@ -22,6 +22,7 @@ import os
+ import pkg_resources
+ import mimetypes
+ from collections import defaultdict
++from xml.sax.saxutils import escape
+
+ from mapproxy.config.config import base_config
+ from mapproxy.compat import PY2
+@@ -108,7 +109,10 @@ class DemoServer(Server):
+ demo = self._render_capabilities_template('demo/capabilities_demo.html', capabilities, 'WMTS', url)
+ elif 'tms_capabilities' in req.args:
+ if 'layer' in req.args and 'srs' in req.args:
+- url = '%s/tms/1.0.0/%s/%s'%(req.script_url, req.args['layer'], req.args['srs'])
++ # prevent dir traversal (seems it's not possible with urllib2, but better safe then sorry)
++ layer = req.args['layer'].replace('..', '')
++ srs = req.args['srs'].replace('..', '')
++ url = '%s/tms/1.0.0/%s/%s'%(req.script_url, layer, srs)
+ else:
+ url = '%s/tms/1.0.0/'%(req.script_url)
+ capabilities = urllib2.urlopen(url)
+@@ -171,14 +175,14 @@ class DemoServer(Server):
+ def _render_wms_template(self, template, req):
+ template = get_template(template, default_inherit="demo/static.html")
+ layer = self.layers[req.args['wms_layer']]
+- srs = req.args['srs']
++ srs = escape(req.args['srs'])
+ bbox = layer.extent.bbox_for(SRS(srs))
+ width = bbox[2] - bbox[0]
+ height = bbox[3] - bbox[1]
+ min_res = max(width/256, height/256)
+ return template.substitute(layer=layer,
+ image_formats=self.image_formats,
+- format=req.args['format'],
++ format=escape(req.args['format']),
+ srs=srs,
+ layer_srs=self.layer_srs,
+ bbox=bbox,
+@@ -202,8 +206,8 @@ class DemoServer(Server):
+ else:
+ add_res_to_options = False
+ return template.substitute(layer=tile_layer,
+- srs=req.args['srs'],
+- format=req.args['format'],
++ srs=escape(req.args['srs']),
++ format=escape(req.args['format']),
+ resolutions=res,
+ units=units,
+ add_res_to_options=add_res_to_options,
+@@ -223,8 +227,8 @@ class DemoServer(Server):
+ units = 'm'
+ return template.substitute(layer=wmts_layer,
+ matrix_set=wmts_layer.grid.name,
+- format=req.args['format'],
+- srs=req.args['srs'],
++ format=escape(req.args['format']),
++ srs=escape(req.args['srs']),
+ resolutions=wmts_layer.grid.resolutions,
+ units=units,
+ all_tile_layers=self.tile_layers,
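Review bot: `xml.sax.saxutils.escape` as applied to the `srs` and `format` arguments in the three `_render_*_template` hunks rewrites only `&`, `<` and `>`, so the XSS fix is complete only where the templates interpolate these values as element text; if any `demo/*.html` slot places them inside a quoted attribute or a script block (the templates are not visible here), a `"` or `'` in the request still breaks out. Passing the quote map, `escape(value, {'"': '&quot;', "'": '&#39;'})`, closes that gap at no cost and is worth doing for each of the six calls. The `.replace('..', '')` on `layer` and `srs` in the `tms_capabilities` branch is not a path sanitizer either: `/`, `?` and `#` pass through untouched into the URL that `urllib2.urlopen(url)` fetches server-side, so a request can steer that fetch to a different TMS path; percent-encoding each segment with `quote(value, safe='')` (and, where possible, checking `srs` against the configured SRS list) is the stronger fix. The enclosing request handler and the `_render_*_template` methods start and end outside the hunks.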
diff -Nru mapproxy-1.9.0/debian/patches/series mapproxy-1.9.0/debian/patches/series
--- mapproxy-1.9.0/debian/patches/series 2016-08-22 11:56:27.000000000 +0200
+++ mapproxy-1.9.0/debian/patches/series 2018-01-07 09:33:15.000000000 +0100
@@ -2,3 +2,4 @@
0001-use-dummy-access_contraints-to-clarify-license.patch
disable-tag_date.patch
configuration-typo.patch
+0001-demo-escape-args-to-avoid-XSS.patch