Bug#1135608: trixie-pu: package mapserver/8.4.0-4+deb13u2

Guilhem Moulin guilhem at debian.org
Sun May 3 15:37:57 BST 2026


Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: mapserver at packages.debian.org, security at debian.org
Control: affects -1 + src:mapserver
User: release.debian.org at packages.debian.org
Usertags: pu

[ Reason ]

Fix <no-dsa> issue CVE-2026-33721.

[ Impact ]

Users will remain vulnerable to CVE-2026-33721, and will regress when
upgrading (a fix was uploaded to Bullseye LTS and Bookworm modulo os-pu
bug #1131735).

[ Tests ]

POC at https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp
and manual msautotests run.

[ Risks ]

Trivial fix.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

  * Fix CVE-2026-33721: Heap buffer overflow in Styled Layer Descriptor
    (SLD) `Categorize` Threshold parsing.
  * Add d/salsa-ci.yml for Salsa CI.

[ Other info ]

Debusine results: https://debusine.debian.net/debian/developers/work-request/659132/
Tags and individual commits can be found on the LTS team fork:
https://salsa.debian.org/lts-team/packages/mapserver/-/commits/debian/trixie?ref_type=heads

-- 
Guilhem.
-------------- next part --------------
diffstat for mapserver-8.4.0 mapserver-8.4.0

 changelog                    |    9 +++++++++
 patches/CVE-2026-33721.patch |   29 +++++++++++++++++++++++++++++
 patches/series               |    1 +
 salsa-ci.yml                 |    9 +++++++++
 4 files changed, 48 insertions(+)

diff -Nru mapserver-8.4.0/debian/changelog mapserver-8.4.0/debian/changelog
--- mapserver-8.4.0/debian/changelog	2025-09-22 00:31:40.000000000 +0200
+++ mapserver-8.4.0/debian/changelog	2026-05-03 15:37:57.000000000 +0200
@@ -1,3 +1,12 @@
+mapserver (8.4.0-4+deb13u2) trixie; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2026-33721: Heap buffer overflow in SLD `Categorize` Threshold
+    parsing.
+  * Add d/salsa-ci.yml for Salsa CI.
+
+ -- Guilhem Moulin <guilhem at debian.org>  Sun, 03 May 2026 15:37:57 +0200
+
 mapserver (8.4.0-4+deb13u1) trixie; urgency=medium
 
   * Update branch in gbp.conf & Vcs-Git URL.
diff -Nru mapserver-8.4.0/debian/patches/CVE-2026-33721.patch mapserver-8.4.0/debian/patches/CVE-2026-33721.patch
--- mapserver-8.4.0/debian/patches/CVE-2026-33721.patch	1970-01-01 01:00:00.000000000 +0100
+++ mapserver-8.4.0/debian/patches/CVE-2026-33721.patch	2026-05-03 15:37:57.000000000 +0200
@@ -0,0 +1,29 @@
+From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
+Date: Mon, 23 Mar 2026 12:30:09 -0300
+Subject: msSLDParseRasterSymbolizer(): fix potential heap buffer overflow
+
+Credits to Trail of Bits and Anthropic for reporting and patch
+suggestion
+
+Co-authored-by: Even Rouault <even.rouault at spatialys.com>
+Origin: https://github.com/MapServer/MapServer/commit/fb08dad4afee081b81c57ca0c5d37c149e7755f9
+Bug: https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp
+Bug: https://github.com/MapServer/MapServer/pull/7461
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-33721
+---
+ src/mapogcsld.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mapogcsld.cpp b/src/mapogcsld.cpp
+index 15ca80d..4c5ed64 100644
+--- a/src/mapogcsld.cpp
++++ b/src/mapogcsld.cpp
+@@ -2894,7 +2894,7 @@ int msSLDParseRasterSymbolizer(CPLXMLNode *psRoot, layerObj *psLayer,
+         } else if (strcasecmp(psNode->pszValue, "Threshold") == 0) {
+           papszThresholds[nThresholds] = psNode->psChild->pszValue;
+           nThresholds++;
+-          if (nValues == nMaxThreshold) {
++          if (nThresholds == nMaxThreshold) {
+             nMaxThreshold += 100;
+             papszThresholds = (char **)msSmallRealloc(
+                 papszThresholds, sizeof(char *) * nMaxThreshold);
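Review bot: the patch carries no regression test: its diffstat lists only src/mapogcsld.cpp (1 insertion, 1 deletion), so nothing in the build will catch the growth check in the Threshold branch drifting back to the wrong counter. An msautotest SLD case whose Categorize holds more Threshold elements than the initial nMaxThreshold would pin the behaviour. Separately, the first context line of this hunk reads psNode->psChild->pszValue with no check on psChild visible here; if the lines above the hunk do not guard it, an empty Threshold element would dereference NULL, which is worth raising upstream rather than in this minimal backport.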
diff -Nru mapserver-8.4.0/debian/patches/series mapserver-8.4.0/debian/patches/series
--- mapserver-8.4.0/debian/patches/series	2025-09-22 00:31:40.000000000 +0200
+++ mapserver-8.4.0/debian/patches/series	2026-05-03 15:37:57.000000000 +0200
@@ -2,3 +2,4 @@
 java-hardening.patch
 icu.patch
 CVE-2025-59431.patch
+CVE-2026-33721.patch
diff -Nru mapserver-8.4.0/debian/salsa-ci.yml mapserver-8.4.0/debian/salsa-ci.yml
--- mapserver-8.4.0/debian/salsa-ci.yml	1970-01-01 01:00:00.000000000 +0100
+++ mapserver-8.4.0/debian/salsa-ci.yml	2026-05-03 15:37:57.000000000 +0200
@@ -0,0 +1,9 @@
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+  RELEASE: 'trixie'
+  SALSA_CI_DISABLE_LINTIAN: 1
+  SALSA_CI_DISABLE_REPROTEST: 1
+  SALSA_CI_DISABLE_BLHC: 1
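Review bot: SALSA_CI_DISABLE_LINTIAN, SALSA_CI_DISABLE_REPROTEST and SALSA_CI_DISABLE_BLHC are switched off with no comment saying why, and the changelog entry only says the file was added. For a security update of C++ code the blhc job (build-log hardening flag check) is the one most worth keeping; if these jobs fail on trixie for known reasons, say so in a YAML comment next to each variable, otherwise leave them enabled. The include also tracks the pipeline's master branch, so the job set can change between runs.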