[Git][debian-gis-team/mapserver][trixie] Import Debian changes 8.4.0-4+deb13u2

Bas Couwenberg (@sebastic) gitlab at salsa.debian.org
Mon May 4 10:46:34 BST 2026



Bas Couwenberg pushed to branch trixie at Debian GIS Project / mapserver


Commits:
de9a33da by Guilhem Moulin at 2026-05-04T11:45:40+02:00
Import Debian changes 8.4.0-4+deb13u2

mapserver (8.4.0-4+deb13u2) trixie; urgency=high
.
  * Non-maintainer upload.
  * Fix CVE-2026-33721: Heap buffer overflow in SLD `Categorize` Threshold
    parsing.
  * Add d/salsa-ci.yml for Salsa CI.

- - - - -


4 changed files:

- debian/changelog
- + debian/patches/CVE-2026-33721.patch
- debian/patches/series
- + debian/salsa-ci.yml


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,12 @@
+mapserver (8.4.0-4+deb13u2) trixie; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2026-33721: Heap buffer overflow in SLD `Categorize` Threshold
+    parsing.
+  * Add d/salsa-ci.yml for Salsa CI.
+
+ -- Guilhem Moulin <guilhem at debian.org>  Sun, 03 May 2026 15:37:57 +0200
+
 mapserver (8.4.0-4+deb13u1) trixie; urgency=medium
 
   * Update branch in gbp.conf & Vcs-Git URL.


=====================================
debian/patches/CVE-2026-33721.patch
=====================================
@@ -0,0 +1,29 @@
+From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
+Date: Mon, 23 Mar 2026 12:30:09 -0300
+Subject: msSLDParseRasterSymbolizer(): fix potential heap buffer overflow
+
+Credits to Trail of Bits and Anthropic for reporting and patch
+suggestion
+
+Co-authored-by: Even Rouault <even.rouault at spatialys.com>
+Origin: https://github.com/MapServer/MapServer/commit/fb08dad4afee081b81c57ca0c5d37c149e7755f9
+Bug: https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp
+Bug: https://github.com/MapServer/MapServer/pull/7461
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-33721
+---
+ src/mapogcsld.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mapogcsld.cpp b/src/mapogcsld.cpp
+index 15ca80d..4c5ed64 100644
+--- a/src/mapogcsld.cpp
++++ b/src/mapogcsld.cpp
+@@ -2894,7 +2894,7 @@ int msSLDParseRasterSymbolizer(CPLXMLNode *psRoot, layerObj *psLayer,
+         } else if (strcasecmp(psNode->pszValue, "Threshold") == 0) {
+           papszThresholds[nThresholds] = psNode->psChild->pszValue;
+           nThresholds++;
+-          if (nValues == nMaxThreshold) {
++          if (nThresholds == nMaxThreshold) {
+             nMaxThreshold += 100;
+             papszThresholds = (char **)msSmallRealloc(
+                 papszThresholds, sizeof(char *) * nMaxThreshold);
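Review bot: No regression test accompanies the corrected growth check at `if (nThresholds == nMaxThreshold)`; the patch touches src/mapogcsld.cpp only. An SLD `Categorize` carrying more `Threshold` elements than the initial nMaxThreshold would exercise the realloc path that the old `nValues == nMaxThreshold` comparison did not reliably reach, and running that case under AddressSanitizer would keep the counter mix-up from coming back. Separately, `psNode->psChild->pszValue` is dereferenced on the first context line with no NULL check on psChild visible in this hunk; confirm that the enclosing condition rejects an empty `Threshold` element before this assignment.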


=====================================
debian/patches/series
=====================================
@@ -2,3 +2,4 @@ perl-mapscript-install.patch
 java-hardening.patch
 icu.patch
 CVE-2025-59431.patch
+CVE-2026-33721.patch


=====================================
debian/salsa-ci.yml
=====================================
@@ -0,0 +1,9 @@
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+  RELEASE: 'trixie'
+  SALSA_CI_DISABLE_LINTIAN: 1
+  SALSA_CI_DISABLE_REPROTEST: 1
+  SALSA_CI_DISABLE_BLHC: 1
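Review bot: The three SALSA_CI_DISABLE_* lines in the variables block switch off lintian, reprotest and blhc without a comment giving the reason. blhc is the job that checks the build log for missing hardening flags, which is a check worth keeping on an upload that fixes a heap buffer overflow; either drop `SALSA_CI_DISABLE_BLHC: 1` or add a comment on each disabled job stating why it cannot run on this branch.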



View it on GitLab: https://salsa.debian.org/debian-gis-team/mapserver/-/commit/de9a33da825cb1b6ab48f5cd540db7114fa2e097
