[Git][debian-gis-team/mapserver][master] 4 commits: Drop unused lintian overrides.
Bas Couwenberg
gitlab at salsa.debian.org
Sat May 8 21:15:31 BST 2021
Bas Couwenberg pushed to branch master at Debian GIS Project / mapserver
Commits:
2f686418 by Bas Couwenberg at 2021-05-08T07:10:47+02:00
Drop unused lintian overrides.
- - - - -
69d026f7 by Bas Couwenberg at 2021-05-08T07:10:59+02:00
Add upstream patches to fix CVE-2021-32062. (closes: #988208)
- - - - -
7bdce2bc by Bas Couwenberg at 2021-05-08T07:12:13+02:00
Update symbols file.
- - - - -
32e7ceb0 by Bas Couwenberg at 2021-05-08T07:12:29+02:00
Set distribution to unstable.
- - - - -
7 changed files:
- debian/changelog
- − debian/libmapserver2.lintian-overrides
- debian/libmapserver2.symbols
- − debian/mapserver-bin.lintian-overrides
- + debian/patches/0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch
- + debian/patches/0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,12 @@
+mapserver (7.6.2-2) unstable; urgency=high
+
+ * Drop unused lintian overrides.
+ * Add upstream patches to fix CVE-2021-32062.
+ (closes: #988208)
+ * Update symbols file.
+
+ -- Bas Couwenberg <sebastic at debian.org> Sat, 08 May 2021 07:12:18 +0200
+
mapserver (7.6.2-1) unstable; urgency=medium
* Update symbols for other architectures.
=====================================
debian/libmapserver2.lintian-overrides deleted
=====================================
@@ -1,3 +0,0 @@
-# Cannot easily be fixed
-file-references-package-build-path *
-
=====================================
debian/libmapserver2.symbols
=====================================
@@ -945,6 +945,7 @@ libmapserver.so.2 #PACKAGE# #MINVER#
msCSVJoinPrepare at Base 6.2.1
msCairoCleanup at Base 6.2.1
msCalculateScale at Base 6.2.1
+ msCaseEvalRegex at Base 7.6.2
msCaseReplaceSubstring at Base 6.2.1
msCheckLabelMinDistance at Base 7.0.0
msCheckParentPointer at Base 6.2.1
@@ -1418,6 +1419,7 @@ libmapserver.so.2 #PACKAGE# #MINVER#
msIsGlyphASpace at Base 7.2.0
msIsLayerQueryable at Base 6.2.1
msIsOuterRing at Base 6.2.1
+ msIsValidRegex at Base 7.6.2
msIsXMLTagValid at Base 6.2.1
msItemInGroups at Base 6.2.1
msJoinClose at Base 6.2.1
=====================================
debian/mapserver-bin.lintian-overrides deleted
=====================================
@@ -1,3 +0,0 @@
-# Cannot easily be fixed
-file-references-package-build-path *
-
=====================================
debian/patches/0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch
=====================================
@@ -0,0 +1,161 @@
+Description: Address flaw in CGI mapfile loading that makes it possible to bypass security controls.
+Author: Even Rouault <even.rouault at spatialys.com>
+Origin: https://github.com/MapServer/MapServer/commit/927ac97cb9ece305306b5ab2b5600d3afe8c1732
+Bug: https://github.com/MapServer/MapServer/issues/6313
+Bug-Debian: https://bugs.debian.org/988208
+
+--- a/mapfile.c
++++ b/mapfile.c
+@@ -97,6 +97,16 @@ int msValidateParameter(const char *valu
+ return(MS_FAILURE);
+ }
+
++int msIsValidRegex(const char* e) {
++ ms_regex_t re;
++ if(ms_regcomp(&re, e, MS_REG_EXTENDED|MS_REG_NOSUB) != 0) {
++ msSetError(MS_REGEXERR, "Failed to compile expression (%s).", "msEvalRegex()", e);
++ return(MS_FALSE);
++ }
++ ms_regfree(&re);
++ return MS_TRUE;
++}
++
+ int msEvalRegex(const char *e, const char *s)
+ {
+ ms_regex_t re;
+@@ -107,6 +117,26 @@ int msEvalRegex(const char *e, const cha
+ msSetError(MS_REGEXERR, "Failed to compile expression (%s).", "msEvalRegex()", e);
+ return(MS_FALSE);
+ }
++
++ if(ms_regexec(&re, s, 0, NULL, 0) != 0) { /* no match */
++ ms_regfree(&re);
++ return(MS_FALSE);
++ }
++ ms_regfree(&re);
++
++ return(MS_TRUE);
++}
++
++int msCaseEvalRegex(const char *e, const char *s)
++{
++ ms_regex_t re;
++
++ if(!e || !s) return(MS_FALSE);
++
++ if(ms_regcomp(&re, e, MS_REG_EXTENDED|MS_REG_ICASE|MS_REG_NOSUB) != 0) {
++ msSetError(MS_REGEXERR, "Failed to compile expression (%s).", "msEvalRegex()", e);
++ return(MS_FALSE);
++ }
+
+ if(ms_regexec(&re, s, 0, NULL, 0) != 0) { /* no match */
+ ms_regfree(&re);
+--- a/mapserv.c
++++ b/mapserv.c
+@@ -166,7 +166,8 @@ int main(int argc, char *argv[])
+
+ /* push high-value ENV vars into the CPL global config - primarily for IIS/FastCGI */
+ const char* const apszEnvVars[] = {
+- "CURL_CA_BUNDLE", "MS_MAPFILE", "MS_MAP_NO_PATH", "MS_MAP_PATTERN",
++ "CURL_CA_BUNDLE", "MS_MAPFILE", "MS_MAP_NO_PATH", "MS_MAP_PATTERN", "MS_MAP_ENV_PATTERN",
++ "MS_MAP_BAD_PATTERN", "MS_MAP_ENV_BAD_PATTERN",
+ NULL /* guard */ };
+ for( int i = 0; apszEnvVars[i] != NULL; ++i ) {
+ const char* value = getenv(apszEnvVars[i]);
+--- a/mapserver.h
++++ b/mapserver.h
+@@ -2159,7 +2159,9 @@ void msPopulateTextSymbolForLabelAndStri
+ MS_DLL_EXPORT char *msWriteReferenceMapToString(referenceMapObj *ref);
+ MS_DLL_EXPORT char *msWriteLegendToString(legendObj *legend);
+ MS_DLL_EXPORT char *msWriteClusterToString(clusterObj *cluster);
++ MS_DLL_EXPORT int msIsValidRegex(const char* e);
+ MS_DLL_EXPORT int msEvalRegex(const char *e, const char *s);
++ MS_DLL_EXPORT int msCaseEvalRegex(const char *e, const char *s);
+ #ifdef USE_MSFREE
+ MS_DLL_EXPORT void msFree(void *p);
+ #else
+--- a/mapservutil.c
++++ b/mapservutil.c
+@@ -199,41 +199,67 @@ mapObj *msCGILoadMap(mapservObj *mapserv
+ int i, j;
+ mapObj *map = NULL;
+
++ const char *ms_map_bad_pattern_default = "[/\\]{2}|[/\\]?\\.+[/\\]|,";
++ const char *ms_map_env_bad_pattern_default = "^(AUTH_.*|CERT_.*|CONTENT_(LENGTH|TYPE)|DOCUMENT_(ROOT|URI)|GATEWAY_INTERFACE|HTTP.*|QUERY_STRING|PATH_(INFO|TRANSLATED)|REMOTE_.*|REQUEST_(METHOD|URI)|SCRIPT_(FILENAME|NAME)|SERVER_.*)";
++
++ int ms_mapfile_tainted = MS_TRUE;
+ const char *ms_mapfile = CPLGetConfigOption("MS_MAPFILE", NULL);
++
+ const char *ms_map_no_path = CPLGetConfigOption("MS_MAP_NO_PATH", NULL);
+ const char *ms_map_pattern = CPLGetConfigOption("MS_MAP_PATTERN", NULL);
++ const char *ms_map_env_pattern = CPLGetConfigOption("MS_MAP_ENV_PATTERN", NULL);
++
++ const char *ms_map_bad_pattern = CPLGetConfigOption("MS_MAP_BAD_PATTERN", NULL);
++ if(ms_map_bad_pattern == NULL) ms_map_bad_pattern = ms_map_bad_pattern_default;
++
++ const char *ms_map_env_bad_pattern = CPLGetConfigOption("MS_MAP_ENV_BAD_PATTERN", NULL);
++ if(ms_map_env_bad_pattern == NULL) ms_map_env_bad_pattern = ms_map_env_bad_pattern_default;
+
+ for(i=0; i<mapserv->request->NumParams; i++) /* find the mapfile parameter first */
+ if(strcasecmp(mapserv->request->ParamNames[i], "map") == 0) break;
+
+ if(i == mapserv->request->NumParams) {
+- if(ms_mapfile != NULL) {
+- map = msLoadMap(ms_mapfile,NULL);
+- } else {
++ if(ms_mapfile == NULL) {
+ msSetError(MS_WEBERR, "CGI variable \"map\" is not set.", "msCGILoadMap()"); /* no default, outta here */
+ return NULL;
+ }
++ ms_mapfile_tainted = MS_FALSE;
+ } else {
+- if(getenv(mapserv->request->ParamValues[i])) /* an environment variable references the actual file to use */
+- map = msLoadMap(getenv(mapserv->request->ParamValues[i]), NULL);
+- else {
+- /* by here we know the request isn't for something in an environment variable */
+- if(ms_map_no_path != NULL) {
+- msSetError(MS_WEBERR, "Mapfile not found in environment variables and this server is not configured for full paths.", "msCGILoadMap()");
++ if(getenv(mapserv->request->ParamValues[i])) { /* an environment variable references the actual file to use */
++ /* validate env variable name */
++ if(msIsValidRegex(ms_map_env_bad_pattern) == MS_FALSE || msCaseEvalRegex(ms_map_env_bad_pattern, mapserv->request->ParamValues[i]) == MS_TRUE) {
++ msSetError(MS_WEBERR, "CGI variable \"map\" fails to validate.", "msCGILoadMap()");
+ return NULL;
+ }
+-
+- if(ms_map_pattern != NULL && msEvalRegex(ms_map_pattern, mapserv->request->ParamValues[i]) != MS_TRUE) {
+- msSetError(MS_WEBERR, "Parameter 'map' value fails to validate.", "msCGILoadMap()");
++ if(ms_map_env_pattern != NULL && msEvalRegex(ms_map_env_pattern, mapserv->request->ParamValues[i]) != MS_TRUE) {
++ msSetError(MS_WEBERR, "CGI variable \"map\" fails to validate.", "msCGILoadMap()");
++ return NULL;
++ }
++ ms_mapfile = getenv(mapserv->request->ParamValues[i]);
++ } else {
++ /* by now we know the request isn't for something in an environment variable */
++ if(ms_map_no_path != NULL) {
++ msSetError(MS_WEBERR, "CGI variable \"map\" not found in environment and this server is not configured for full paths.", "msCGILoadMap()");
+ return NULL;
+ }
++ ms_mapfile = mapserv->request->ParamValues[i];
++ }
++ }
+
+- /* ok to try to load now */
+- map = msLoadMap(mapserv->request->ParamValues[i], NULL);
++ /* validate ms_mapfile if tainted */
++ if(ms_mapfile_tainted == MS_TRUE) {
++ if(msIsValidRegex(ms_map_bad_pattern) == MS_FALSE || msEvalRegex(ms_map_bad_pattern, ms_mapfile) == MS_TRUE) {
++ msSetError(MS_WEBERR, "CGI variable \"map\" fails to validate.", "msCGILoadMap()");
++ return NULL;
++ }
++ if(ms_map_pattern != NULL && msEvalRegex(ms_map_pattern, ms_mapfile) != MS_TRUE) {
++ msSetError(MS_WEBERR, "CGI variable \"map\" fails to validate.", "msCGILoadMap()");
++ return NULL;
+ }
+ }
+-
+
++ /* ok to try to load now */
++ map = msLoadMap(ms_mapfile, NULL);
+ if(!map) return NULL;
+
+ if(!msLookupHashTable(&(map->web.validation), "immutable")) {
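Review bot: `msIsValidRegex()` hands `e` straight to `ms_regcomp()` without the NULL guard that `msCaseEvalRegex()` has (`if(!e || !s) return(MS_FALSE);`). It is exported via `MS_DLL_EXPORT` in mapserver.h, so it should open with `if(!e) return(MS_FALSE);` even though both call sites in `msCGILoadMap()` substitute a default pattern first. Both new functions also pass `"msEvalRegex()"` as the routine name to `msSetError`; use `"msIsValidRegex()"` and `"msCaseEvalRegex()"` so a logged regex failure points at the check that raised it. In `msCGILoadMap()`, `ms_map_pattern` and `ms_map_env_pattern` are still applied only when set, so by default the two built-in deny patterns are the only filter on a request-supplied `map` value. A comment at the `ms_mapfile_tainted` check would make that visible, e.g. `/* deny-list only by default: set MS_MAP_PATTERN or MS_MAP_NO_PATH to restrict which mapfiles a request may name */`. The tail of `msCaseEvalRegex()` is the existing context after the nested hunk, and `msCGILoadMap()` continues past the end of the patch.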
=====================================
debian/patches/0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch
=====================================
@@ -0,0 +1,107 @@
+Description: Use CPLSetConfigOption/CPLGetConfigOption for some CGI/FastCGI-related env vars.
+ Push a few high-value env vars into CPL config and then reference that instead of the env (mostly for IIS/FastCGI).
+Author: Steve Lime <steve.lime at state.mn.us>
+Origin: https://github.com/MapServer/MapServer/commit/b128dace3ec3e61bf063f7285d1279e9f9fd9e28
+Bug: https://github.com/MapServer/MapServer/pull/6304
+
+--- a/maphttp.c
++++ b/maphttp.c
+@@ -39,7 +39,7 @@
+ #include "mapthread.h"
+ #include "mapows.h"
+
+-
++#include "cpl_conv.h"
+
+ #include <time.h>
+ #ifndef _WIN32
+@@ -471,7 +471,7 @@ int msHTTPExecuteRequests(httpRequestObj
+ * If set then the value is the full path to the ca-bundle.crt file
+ * e.g. CURL_CA_BUNDLE=/usr/local/share/curl/curl-ca-bundle.crt
+ */
+- pszCurlCABundle = getenv("CURL_CA_BUNDLE");
++ pszCurlCABundle = CPLGetConfigOption("CURL_CA_BUNDLE", NULL);
+
+ if (debug) {
+ msDebug("HTTP: Starting to prepare HTTP requests.\n");
+--- a/mapserv.c
++++ b/mapserv.c
+@@ -43,6 +43,8 @@
+ #include "mapio.h"
+ #include "maptime.h"
+
++#include "cpl_conv.h"
++
+ #ifndef WIN32
+ #include <signal.h>
+ #endif
+@@ -162,6 +164,15 @@ int main(int argc, char *argv[])
+ if(msGetGlobalDebugLevel() >= MS_DEBUGLEVEL_TUNING)
+ msGettimeofday(&execstarttime, NULL);
+
++ /* push high-value ENV vars into the CPL global config - primarily for IIS/FastCGI */
++ const char* const apszEnvVars[] = {
++ "CURL_CA_BUNDLE", "MS_MAPFILE", "MS_MAP_NO_PATH", "MS_MAP_PATTERN",
++ NULL /* guard */ };
++ for( int i = 0; apszEnvVars[i] != NULL; ++i ) {
++ const char* value = getenv(apszEnvVars[i]);
++ if(value) CPLSetConfigOption(apszEnvVars[i], value);
++ }
++
+ /* -------------------------------------------------------------------- */
+ /* Process arguments. In normal use as a cgi-bin there are no */
+ /* commandline switches, but we provide a few for test/debug */
+--- a/mapserv.h
++++ b/mapserv.h
+@@ -41,6 +41,7 @@
+ #include "maptile.h"
+
+ #include "cgiutil.h"
++
+ /*
+ ** Defines
+ */
+--- a/mapservutil.c
++++ b/mapservutil.c
+@@ -33,6 +33,8 @@
+ #include "maptime.h"
+ #include "mapows.h"
+
++#include "cpl_conv.h"
++
+ /*
+ ** Enumerated types, keep the query modes in sequence and at the end of the enumeration (mode enumeration is in maptemplate.h).
+ */
+@@ -197,12 +199,15 @@ mapObj *msCGILoadMap(mapservObj *mapserv
+ int i, j;
+ mapObj *map = NULL;
+
++ const char *ms_mapfile = CPLGetConfigOption("MS_MAPFILE", NULL);
++ const char *ms_map_no_path = CPLGetConfigOption("MS_MAP_NO_PATH", NULL);
++ const char *ms_map_pattern = CPLGetConfigOption("MS_MAP_PATTERN", NULL);
++
+ for(i=0; i<mapserv->request->NumParams; i++) /* find the mapfile parameter first */
+ if(strcasecmp(mapserv->request->ParamNames[i], "map") == 0) break;
+
+ if(i == mapserv->request->NumParams) {
+- char *ms_mapfile = getenv("MS_MAPFILE");
+- if(ms_mapfile) {
++ if(ms_mapfile != NULL) {
+ map = msLoadMap(ms_mapfile,NULL);
+ } else {
+ msSetError(MS_WEBERR, "CGI variable \"map\" is not set.", "msCGILoadMap()"); /* no default, outta here */
+@@ -213,12 +218,12 @@ mapObj *msCGILoadMap(mapservObj *mapserv
+ map = msLoadMap(getenv(mapserv->request->ParamValues[i]), NULL);
+ else {
+ /* by here we know the request isn't for something in an environment variable */
+- if(getenv("MS_MAP_NO_PATH")) {
++ if(ms_map_no_path != NULL) {
+ msSetError(MS_WEBERR, "Mapfile not found in environment variables and this server is not configured for full paths.", "msCGILoadMap()");
+ return NULL;
+ }
+
+- if(getenv("MS_MAP_PATTERN") && msEvalRegex(getenv("MS_MAP_PATTERN"), mapserv->request->ParamValues[i]) != MS_TRUE) {
++ if(ms_map_pattern != NULL && msEvalRegex(ms_map_pattern, mapserv->request->ParamValues[i]) != MS_TRUE) {
+ msSetError(MS_WEBERR, "Parameter 'map' value fails to validate.", "msCGILoadMap()");
+ return NULL;
+ }
=====================================
debian/patches/series
=====================================
@@ -1,3 +1,5 @@
perl-mapscript-install.patch
java-hardening.patch
interpreter-path.path
+0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch
+0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch
View it on GitLab: https://salsa.debian.org/debian-gis-team/mapserver/-/compare/3d7514a4960cb3c96b278dab89860f93c4c926b4...32e7ceb0449ddae413b9ddc4a0c0bd75e5e6dd2d