[Git][debian-gis-team/mapserver][master] 2 commits: Add upstream patch to fix PHPMapScript error handling vulnerabilities.

Bas Couwenberg gitlab at salsa.debian.org
Fri Mar 20 20:06:41 GMT 2020



Bas Couwenberg pushed to branch master at Debian GIS Project / mapserver


Commits:
78c9a684 by Bas Couwenberg at 2020-03-20T20:40:31+01:00
Add upstream patch to fix PHPMapScript error handling vulnerabilities.

- - - - -
8179fd38 by Bas Couwenberg at 2020-03-20T20:40:48+01:00
Set distribution to unstable.

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/mapscript-buffer-overflow.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,9 +1,10 @@
-mapserver (7.4.3-3) UNRELEASED; urgency=medium
+mapserver (7.4.3-3) unstable; urgency=high
 
   * Bump debhelper compat to 10, changes:
     - Drop --parallel option, enabled by default
+  * Add upstream patch to fix PHPMapScript error handling vulnerabilities.
 
- -- Bas Couwenberg <sebastic at debian.org>  Thu, 19 Mar 2020 19:35:20 +0100
+ -- Bas Couwenberg <sebastic at debian.org>  Fri, 20 Mar 2020 20:40:37 +0100
 
 mapserver (7.4.3-2) unstable; urgency=medium
 
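Review bot: the new `+  * Add upstream patch to fix PHPMapScript error handling vulnerabilities.` entry does not cite the upstream bug that the patch header itself points at (https://github.com/mapserver/mapserver/issues/6014); naming that issue in the changelog line makes the security fix traceable from the changelog alone, which is what the security tracker and downstream readers look at first. The switch to `unstable; urgency=high` on the first `+` line is consistent with a security upload.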


=====================================
debian/patches/mapscript-buffer-overflow.patch
=====================================
@@ -0,0 +1,62 @@
+Description: Fix PHPMapScript vulnerabilities in error handling.
+Author: Jeff McKenna <jmckenna at gatewaygeomatics.com>
+Bug: https://github.com/mapserver/mapserver/issues/6014
+
+--- a/mapscript/php/mapscript_error.c
++++ b/mapscript/php/mapscript_error.c
+@@ -35,8 +35,6 @@
+ #include <stdarg.h>
+ #include "../../maperror.h"
+ 
+-#define MAX_EXCEPTION_MSG 256
+-
+ zend_class_entry *mapscript_ce_mapscriptexception;
+ 
+ #if  PHP_VERSION_ID >= 70000
+@@ -46,9 +44,10 @@ zval* mapscript_throw_exception(char *fo
+ #endif
+ {
+   va_list args;
+-  char message[MAX_EXCEPTION_MSG];
++  char message[MESSAGELENGTH];
+   va_start(args, format);
+-  vsprintf(message, format, args);
++  //prevent buffer overflow
++  vsnprintf(message, MESSAGELENGTH, format, args);
+   va_end(args);
+   return zend_throw_exception(mapscript_ce_mapscriptexception, message, 0 TSRMLS_CC);
+ }
+@@ -60,7 +59,7 @@ zval* mapscript_throw_mapserver_exceptio
+ #endif
+ {
+   va_list args;
+-  char message[MAX_EXCEPTION_MSG];
++  char message[MESSAGELENGTH];
+   errorObj *ms_error;
+ 
+   ms_error = msGetErrorObj();
+@@ -73,17 +72,20 @@ zval* mapscript_throw_mapserver_exceptio
+   }
+ 
+   va_start(args, format);
+-  vsprintf(message, format, args);
++  //prevent buffer overflow
++  vsnprintf(message, MESSAGELENGTH, format, args);
+   va_end(args);
+-  return mapscript_throw_exception(message TSRMLS_CC);
++  //prevent format string attack
++  return mapscript_throw_exception("%s", message TSRMLS_CC);
+ }
+ 
+ void mapscript_report_php_error(int error_type, char *format TSRMLS_DC, ...)
+ {
+   va_list args;
+-  char message[MAX_EXCEPTION_MSG];
++  char message[MESSAGELENGTH];
+   va_start(args, format);
+-  vsprintf(message, format, args);
++  //prevent buffer overflow
++  vsnprintf(message, MESSAGELENGTH, format, args); 
+   va_end(args);
+   php_error_docref(NULL TSRMLS_CC, error_type, "%s,", message);
+ }
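Review bot: the DEP-3 header at the top of the new file has Description, Author and Bug but no `Origin:` line pointing at the upstream commit, even though the Description presents this as an upstream fix; add the upstream commit URL as `Origin:` so the patch can be dropped cleanly once a release containing it is packaged. On the code: replacing `vsprintf` with `vsnprintf(message, MESSAGELENGTH, format, args)` while deleting `#define MAX_EXCEPTION_MSG 256` means MESSAGELENGTH must now come from a header, presumably the included `../../maperror.h`; worth confirming at build time, since an undefined macro here fails compilation rather than degrading. The bounded call also silently truncates messages longer than MESSAGELENGTH, which is acceptable for error text but should be understood as the new behaviour. The `mapscript_throw_exception("%s", message TSRMLS_CC)` change closes the format-string path inside mapscript_throw_mapserver_exception, but mapscript_throw_exception still accepts a caller-supplied format, so any other call site that passes a non-literal format (not visible in this hunk) needs the same `"%s"` treatment. Minor: the line `vsnprintf(message, MESSAGELENGTH, format, args); ` in mapscript_report_php_error carries trailing whitespace, and the pre-existing `"%s,"` format passed to php_error_docref leaves a stray trailing comma in every reported message.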


=====================================
debian/patches/series
=====================================
@@ -1,3 +1,4 @@
 perl-mapscript-install.patch
 java-hardening.patch
 swig-4.0.1.patch
+mapscript-buffer-overflow.patch



View it on GitLab: https://salsa.debian.org/debian-gis-team/mapserver/-/compare/008e464f4314685ee029d797625f2a31924ca3cc...8179fd38128411f4e3181e05108ea63b9c8454dd
