Discussion:
Bug#988224: unblock: mapserver/7.6.2-2 (pre-approval)
Bas Couwenberg
2021-05-08 05:40:02 UTC
Package: release.debian.org
Severity: normal
User: ***@packages.debian.org
Usertags: unblock

Please unblock package mapserver to fix CVE-2021-32062 as reported in #988208.

[ Reason ]
Fix security issue.

[ Impact ]
Unfixed security issue.

[ Tests ]
Upstream CI.

[ Risks ]
Low, leaf package.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is required as a dependency of 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch.

unblock mapserver/7.6.2-2
Debian Bug Tracking System
2021-05-08 19:30:02 UTC
tags -1 moreinfo confirmed
Bug #988224 [release.debian.org] unblock: mapserver/7.6.2-2 (pre-approval)
Added tag(s) moreinfo and confirmed.
--
988224: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988224
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Sebastian Ramacher
2021-05-08 19:30:03 UTC
Control: tags -1 moreinfo confirmed
Post by Bas Couwenberg
diff -Nru mapserver-7.6.2/debian/changelog mapserver-7.6.2/debian/changelog
--- mapserver-7.6.2/debian/changelog 2020-12-09 06:01:02.000000000 +0100
+++ mapserver-7.6.2/debian/changelog 2021-05-08 07:12:18.000000000 +0200
@@ -1,3 +1,12 @@
+mapserver (7.6.2-2) unstable; urgency=high
+
+ * Drop unused lintian overrides.
+ * Add upstream patches to fix CVE-2021-32062.
+ (closes: #988208)
+ * Update symbols file.
+
+
mapserver (7.6.2-1) unstable; urgency=medium
* Update symbols for other architectures.
diff -Nru mapserver-7.6.2/debian/libmapserver2.lintian-overrides mapserver-7.6.2/debian/libmapserver2.lintian-overrides
--- mapserver-7.6.2/debian/libmapserver2.lintian-overrides 2020-08-06 05:34:57.000000000 +0200
+++ mapserver-7.6.2/debian/libmapserver2.lintian-overrides 1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-# Cannot easily be fixed
-file-references-package-build-path *
-
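Review bot: the removal of the file-references-package-build-path override here (and the identical one for mapserver-bin below) is unrelated to CVE-2021-32062. It is harmless for an unblock, since it only changes lintian output, but the unblock request should say that the only code changes are the two upstream patches and that this item is packaging cleanup, so the release team does not have to work that out from the debdiff.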
diff -Nru mapserver-7.6.2/debian/libmapserver2.symbols mapserver-7.6.2/debian/libmapserver2.symbols
--- mapserver-7.6.2/debian/libmapserver2.symbols 2020-12-09 06:00:39.000000000 +0100
+++ mapserver-7.6.2/debian/libmapserver2.symbols 2021-05-08 07:11:08.000000000 +0200
@@ -945,6 +945,7 @@
@@ -1418,6 +1419,7 @@
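Review bot: the two symbols hunks are quoted header-only, so the version attached to the new entries cannot be checked from this mail, but they need the Debian revision (7.6.2-2~) rather than the bare upstream version. The functions behind them, msIsValidRegex and msCaseEvalRegex, are exported with MS_DLL_EXPORT by the mapserver.h hunk in the CVE patch below and exist only because of that Debian patch; dpkg-shlibdeps derives the libmapserver2 dependency of every package linking the library from this file, and a minimal version of 7.6.2 is satisfied by 7.6.2-1, which has neither symbol. That holds whether or not anything outside libmapserver calls them today.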
This version is not high enough. The symbols need to be marked as
requiring 7.6.2-2~

Please remove the moreinfo tag once that fixed version is available in
unstable.

Cheers
Post by Bas Couwenberg
diff -Nru mapserver-7.6.2/debian/mapserver-bin.lintian-overrides mapserver-7.6.2/debian/mapserver-bin.lintian-overrides
--- mapserver-7.6.2/debian/mapserver-bin.lintian-overrides 2020-08-06 05:34:57.000000000 +0200
+++ mapserver-7.6.2/debian/mapserver-bin.lintian-overrides 1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-# Cannot easily be fixed
-file-references-package-build-path *
-
diff -Nru mapserver-7.6.2/debian/patches/0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch mapserver-7.6.2/debian/patches/0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch
--- mapserver-7.6.2/debian/patches/0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch 1970-01-01 01:00:00.000000000 +0100
+++ mapserver-7.6.2/debian/patches/0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch 2021-05-08 07:10:49.000000000 +0200
@@ -0,0 +1,161 @@
+Description: Address flaw in CGI mapfile loading that makes it possible to bypass security controls.
+Origin: https://github.com/MapServer/MapServer/commit/927ac97cb9ece305306b5ab2b5600d3afe8c1732
+Bug: https://github.com/MapServer/MapServer/issues/6313
+Bug-Debian: https://bugs.debian.org/988208
+
+--- a/mapfile.c
++++ b/mapfile.c
+ return(MS_FAILURE);
+ }
+
++int msIsValidRegex(const char* e) {
++ ms_regex_t re;
++ if(ms_regcomp(&re, e, MS_REG_EXTENDED|MS_REG_NOSUB) != 0) {
++ msSetError(MS_REGEXERR, "Failed to compile expression (%s).", "msEvalRegex()", e);
++ return(MS_FALSE);
++ }
++ ms_regfree(&re);
++ return MS_TRUE;
++}
++
+ int msEvalRegex(const char *e, const char *s)
+ {
+ ms_regex_t re;
+ msSetError(MS_REGEXERR, "Failed to compile expression (%s).", "msEvalRegex()", e);
+ return(MS_FALSE);
+ }
++
++ if(ms_regexec(&re, s, 0, NULL, 0) != 0) { /* no match */
++ ms_regfree(&re);
++ return(MS_FALSE);
++ }
++ ms_regfree(&re);
++
++ return(MS_TRUE);
++}
++
++int msCaseEvalRegex(const char *e, const char *s)
++{
++ ms_regex_t re;
++
++ if(!e || !s) return(MS_FALSE);
++
++ if(ms_regcomp(&re, e, MS_REG_EXTENDED|MS_REG_ICASE|MS_REG_NOSUB) != 0) {
++ msSetError(MS_REGEXERR, "Failed to compile expression (%s).", "msEvalRegex()", e);
++ return(MS_FALSE);
++ }
+
+ if(ms_regexec(&re, s, 0, NULL, 0) != 0) { /* no match */
+ ms_regfree(&re);
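Review bot: both new functions report compile failures under the wrong name. The msSetError() call inside msIsValidRegex() passes "msEvalRegex()" as the caller, and so does the one inside msCaseEvalRegex(); anyone chasing a "Failed to compile expression" entry in the MapServer error log will be sent to the wrong function. Pass "msIsValidRegex()" and "msCaseEvalRegex()" respectively. Separately, the embedded patch has lost its @@ hunk headers and some context in this quote (the msEvalRegex() body jumps from the declaration straight to the compile-error return), so the copy to review is the one in debian/patches/, not this mail.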
+--- a/mapserv.c
++++ b/mapserv.c
+
+ /* push high-value ENV vars into the CPL global config - primarily for IIS/FastCGI */
+ const char* const apszEnvVars[] = {
+- "CURL_CA_BUNDLE", "MS_MAPFILE", "MS_MAP_NO_PATH", "MS_MAP_PATTERN",
++ "CURL_CA_BUNDLE", "MS_MAPFILE", "MS_MAP_NO_PATH", "MS_MAP_PATTERN", "MS_MAP_ENV_PATTERN",
++ "MS_MAP_BAD_PATTERN", "MS_MAP_ENV_BAD_PATTERN",
+ NULL /* guard */ };
+ for( int i = 0; apszEnvVars[i] != NULL; ++i ) {
+ const char* value = getenv(apszEnvVars[i]);
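Review bot: three new operator-facing variables, MS_MAP_ENV_PATTERN, MS_MAP_BAD_PATTERN and MS_MAP_ENV_BAD_PATTERN, are pushed into the CPL config here, but nothing in the debdiff documents them, and the default MS_MAP_BAD_PATTERN is now enforced even where the operator never set one. A debian/NEWS entry, or at least a changelog pointer to the upstream advisory for CVE-2021-32062, would tell administrators why `map=` requests that worked before now fail with "CGI variable "map" fails to validate", and that these variables are the knobs to adjust.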
+--- a/mapserver.h
++++ b/mapserver.h
+ MS_DLL_EXPORT char *msWriteReferenceMapToString(referenceMapObj *ref);
+ MS_DLL_EXPORT char *msWriteLegendToString(legendObj *legend);
+ MS_DLL_EXPORT char *msWriteClusterToString(clusterObj *cluster);
++ MS_DLL_EXPORT int msIsValidRegex(const char* e);
+ MS_DLL_EXPORT int msEvalRegex(const char *e, const char *s);
++ MS_DLL_EXPORT int msCaseEvalRegex(const char *e, const char *s);
+ #ifdef USE_MSFREE
+ MS_DLL_EXPORT void msFree(void *p);
+ #else
+--- a/mapservutil.c
++++ b/mapservutil.c
+ int i, j;
+ mapObj *map = NULL;
+
++ const char *ms_map_bad_pattern_default = "[/\\]{2}|[/\\]?\\.+[/\\]|,";
++ const char *ms_map_env_bad_pattern_default = "^(AUTH_.*|CERT_.*|CONTENT_(LENGTH|TYPE)|DOCUMENT_(ROOT|URI)|GATEWAY_INTERFACE|HTTP.*|QUERY_STRING|PATH_(INFO|TRANSLATED)|REMOTE_.*|REQUEST_(METHOD|URI)|SCRIPT_(FILENAME|NAME)|SERVER_.*)";
++
++ int ms_mapfile_tainted = MS_TRUE;
+ const char *ms_mapfile = CPLGetConfigOption("MS_MAPFILE", NULL);
++
+ const char *ms_map_no_path = CPLGetConfigOption("MS_MAP_NO_PATH", NULL);
+ const char *ms_map_pattern = CPLGetConfigOption("MS_MAP_PATTERN", NULL);
++ const char *ms_map_env_pattern = CPLGetConfigOption("MS_MAP_ENV_PATTERN", NULL);
++
++ const char *ms_map_bad_pattern = CPLGetConfigOption("MS_MAP_BAD_PATTERN", NULL);
++ if(ms_map_bad_pattern == NULL) ms_map_bad_pattern = ms_map_bad_pattern_default;
++
++ const char *ms_map_env_bad_pattern = CPLGetConfigOption("MS_MAP_ENV_BAD_PATTERN", NULL);
++ if(ms_map_env_bad_pattern == NULL) ms_map_env_bad_pattern = ms_map_env_bad_pattern_default;
+
+ for(i=0; i<mapserv->request->NumParams; i++) /* find the mapfile parameter first */
+ if(strcasecmp(mapserv->request->ParamNames[i], "map") == 0) break;
+
+ if(i == mapserv->request->NumParams) {
+- if(ms_mapfile != NULL) {
+- map = msLoadMap(ms_mapfile,NULL);
+- } else {
++ if(ms_mapfile == NULL) {
+ msSetError(MS_WEBERR, "CGI variable \"map\" is not set.", "msCGILoadMap()"); /* no default, outta here */
+ return NULL;
+ }
++ ms_mapfile_tainted = MS_FALSE;
+ } else {
+- if(getenv(mapserv->request->ParamValues[i])) /* an environment variable references the actual file to use */
+- map = msLoadMap(getenv(mapserv->request->ParamValues[i]), NULL);
+- else {
+- /* by here we know the request isn't for something in an environment variable */
+- if(ms_map_no_path != NULL) {
+- msSetError(MS_WEBERR, "Mapfile not found in environment variables and this server is not configured for full paths.", "msCGILoadMap()");
++ if(getenv(mapserv->request->ParamValues[i])) { /* an environment variable references the actual file to use */
++ /* validate env variable name */
++ if(msIsValidRegex(ms_map_env_bad_pattern) == MS_FALSE || msCaseEvalRegex(ms_map_env_bad_pattern, mapserv->request->ParamValues[i]) == MS_TRUE) {
++ msSetError(MS_WEBERR, "CGI variable \"map\" fails to validate.", "msCGILoadMap()");
+ return NULL;
+ }
+-
+- if(ms_map_pattern != NULL && msEvalRegex(ms_map_pattern, mapserv->request->ParamValues[i]) != MS_TRUE) {
+- msSetError(MS_WEBERR, "Parameter 'map' value fails to validate.", "msCGILoadMap()");
++ if(ms_map_env_pattern != NULL && msEvalRegex(ms_map_env_pattern, mapserv->request->ParamValues[i]) != MS_TRUE) {
++ msSetError(MS_WEBERR, "CGI variable \"map\" fails to validate.", "msCGILoadMap()");
++ return NULL;
++ }
++ ms_mapfile = getenv(mapserv->request->ParamValues[i]);
++ } else {
++ /* by now we know the request isn't for something in an environment variable */
++ if(ms_map_no_path != NULL) {
++ msSetError(MS_WEBERR, "CGI variable \"map\" not found in environment and this server is not configured for full paths.", "msCGILoadMap()");
+ return NULL;
+ }
++ ms_mapfile = mapserv->request->ParamValues[i];
++ }
++ }
+
+- /* ok to try to load now */
+- map = msLoadMap(mapserv->request->ParamValues[i], NULL);
++ /* validate ms_mapfile if tainted */
++ if(ms_mapfile_tainted == MS_TRUE) {
++ if(msIsValidRegex(ms_map_bad_pattern) == MS_FALSE || msEvalRegex(ms_map_bad_pattern, ms_mapfile) == MS_TRUE) {
++ msSetError(MS_WEBERR, "CGI variable \"map\" fails to validate.", "msCGILoadMap()");
++ return NULL;
++ }
++ if(ms_map_pattern != NULL && msEvalRegex(ms_map_pattern, ms_mapfile) != MS_TRUE) {
++ msSetError(MS_WEBERR, "CGI variable \"map\" fails to validate.", "msCGILoadMap()");
++ return NULL;
+ }
+ }
+-
+
++ /* ok to try to load now */
++ map = msLoadMap(ms_mapfile, NULL);
+ if(!map) return NULL;
+
+ if(!msLookupHashTable(&(map->web.validation), "immutable")) {
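Review bot: the value resolved through an environment variable is still treated as tainted (ms_mapfile_tainted is initialised to MS_TRUE and only cleared in the no-`map`-parameter branch), so an operator-set variable whose path contains `..` or `,` is now rejected by the default bad pattern `[/\]{2}|[/\]?\.+[/\]|,`, and MS_MAP_PATTERN, which previously applied only to literal paths given in the `map` parameter, is now also applied to that resolved value. Defensible, but it is a semantic change for existing deployments and should be called out. The env-name check is a case-insensitive denylist of the standard CGI meta-variables (AUTH_*, HTTP*, QUERY_STRING, PATH_INFO, REMOTE_*, SERVER_*, ...), which is what stops a request from pointing `map` at a header- or URL-controlled variable; it is anchored at the start only and does not cover web-server-specific prefixes for request-derived data (for instance the REDIRECT_* copies Apache adds to the environment on an internal redirect), so deployments should also set the allowlist MS_MAP_ENV_PATTERN rather than rely on the default alone. Minor: each check compiles the pattern twice per request (msIsValidRegex() followed by msEvalRegex() or msCaseEvalRegex()); failing closed on an invalid configured pattern is right, but validating the configured patterns once at startup in mapserv.c would avoid the duplicate regcomp() on the CGI path.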
diff -Nru mapserver-7.6.2/debian/patches/0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch mapserver-7.6.2/debian/patches/0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch
--- mapserver-7.6.2/debian/patches/0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch 1970-01-01 01:00:00.000000000 +0100
+++ mapserver-7.6.2/debian/patches/0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch 2021-05-08 07:10:49.000000000 +0200
@@ -0,0 +1,107 @@
+Description: Use CPLSetConfigOption/CPLGetConfigOption for some CGI/FastCGI-related env vars.
+ Push a few high-value env vars into CPL config and then reference that instead of the env (mostly for IIS/FastCGI).
+Origin: https://github.com/MapServer/MapServer/commit/b128dace3ec3e61bf063f7285d1279e9f9fd9e28
+Bug: https://github.com/MapServer/MapServer/pull/6304
+
+--- a/maphttp.c
++++ b/maphttp.c
+ #include "mapthread.h"
+ #include "mapows.h"
+
+-
++#include "cpl_conv.h"
+
+ #include <time.h>
+ #ifndef _WIN32
+ * If set then the value is the full path to the ca-bundle.crt file
+ * e.g. CURL_CA_BUNDLE=/usr/local/share/curl/curl-ca-bundle.crt
+ */
+- pszCurlCABundle = getenv("CURL_CA_BUNDLE");
++ pszCurlCABundle = CPLGetConfigOption("CURL_CA_BUNDLE", NULL);
+
+ if (debug) {
+ msDebug("HTTP: Starting to prepare HTTP requests.\n");
+--- a/mapserv.c
++++ b/mapserv.c
+ #include "mapio.h"
+ #include "maptime.h"
+
++#include "cpl_conv.h"
++
+ #ifndef WIN32
+ #include <signal.h>
+ #endif
+ if(msGetGlobalDebugLevel() >= MS_DEBUGLEVEL_TUNING)
+ msGettimeofday(&execstarttime, NULL);
+
++ /* push high-value ENV vars into the CPL global config - primarily for IIS/FastCGI */
++ const char* const apszEnvVars[] = {
++ "CURL_CA_BUNDLE", "MS_MAPFILE", "MS_MAP_NO_PATH", "MS_MAP_PATTERN",
++ NULL /* guard */ };
++ for( int i = 0; apszEnvVars[i] != NULL; ++i ) {
++ const char* value = getenv(apszEnvVars[i]);
++ if(value) CPLSetConfigOption(apszEnvVars[i], value);
++ }
++
+ /* -------------------------------------------------------------------- */
+ /* Process arguments. In normal use as a cgi-bin there are no */
+ /* commandline switches, but we provide a few for test/debug */
+--- a/mapserv.h
++++ b/mapserv.h
+ #include "maptile.h"
+
+ #include "cgiutil.h"
++
+ /*
+ ** Defines
+ */
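Review bot: this mapserv.h hunk only adds a blank line after `#include "cgiutil.h"`. It has no functional effect and is noise in a security backport; drop it from the Debian patch (the Origin: header still records the full upstream commit).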
+--- a/mapservutil.c
++++ b/mapservutil.c
+ #include "maptime.h"
+ #include "mapows.h"
+
++#include "cpl_conv.h"
++
+ /*
+ ** Enumerated types, keep the query modes in sequence and at the end of the enumeration (mode enumeration is in maptemplate.h).
+ */
+ int i, j;
+ mapObj *map = NULL;
+
++ const char *ms_mapfile = CPLGetConfigOption("MS_MAPFILE", NULL);
++ const char *ms_map_no_path = CPLGetConfigOption("MS_MAP_NO_PATH", NULL);
++ const char *ms_map_pattern = CPLGetConfigOption("MS_MAP_PATTERN", NULL);
++
+ for(i=0; i<mapserv->request->NumParams; i++) /* find the mapfile parameter first */
+ if(strcasecmp(mapserv->request->ParamNames[i], "map") == 0) break;
+
+ if(i == mapserv->request->NumParams) {
+- char *ms_mapfile = getenv("MS_MAPFILE");
+- if(ms_mapfile) {
++ if(ms_mapfile != NULL) {
+ map = msLoadMap(ms_mapfile,NULL);
+ } else {
+ msSetError(MS_WEBERR, "CGI variable \"map\" is not set.", "msCGILoadMap()"); /* no default, outta here */
+ map = msLoadMap(getenv(mapserv->request->ParamValues[i]), NULL);
+ else {
+ /* by here we know the request isn't for something in an environment variable */
+- if(getenv("MS_MAP_NO_PATH")) {
++ if(ms_map_no_path != NULL) {
+ msSetError(MS_WEBERR, "Mapfile not found in environment variables and this server is not configured for full paths.", "msCGILoadMap()");
+ return NULL;
+ }
+
+- if(getenv("MS_MAP_PATTERN") && msEvalRegex(getenv("MS_MAP_PATTERN"), mapserv->request->ParamValues[i]) != MS_TRUE) {
++ if(ms_map_pattern != NULL && msEvalRegex(ms_map_pattern, mapserv->request->ParamValues[i]) != MS_TRUE) {
+ msSetError(MS_WEBERR, "Parameter 'map' value fails to validate.", "msCGILoadMap()");
+ return NULL;
+ }
diff -Nru mapserver-7.6.2/debian/patches/series mapserver-7.6.2/debian/patches/series
--- mapserver-7.6.2/debian/patches/series 2020-12-08 05:49:56.000000000 +0100
+++ mapserver-7.6.2/debian/patches/series 2021-05-08 07:10:49.000000000 +0200
@@ -1,3 +1,5 @@
perl-mapscript-install.patch
java-hardening.patch
interpreter-path.path
+0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch
+0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch
--
Sebastian Ramacher
Sebastiaan Couwenberg
2021-05-08 20:30:02 UTC
Control: tags -1 - moreinfo
Post by Sebastian Ramacher
This version is not high enough. The symbols need to be marked as
requiring 7.6.2-2~
There are no rdeps of mapserver in Debian, so no users of the symbols file.
Post by Sebastian Ramacher
Please remove the moreinfo tag once that fixed version is available in
unstable.
mapserver (7.6.2-2) has been uploaded to unstable without further
changes to the symbols file.

Kind Regards,

Bas
--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
Sebastian Ramacher
2021-05-25 08:00:02 UTC
Control: tags -1 moreinfo
Post by Sebastiaan Couwenberg
Control: tags -1 - moreinfo
Post by Sebastian Ramacher
This version is not high enough. The symbols need to be marked as
requiring 7.6.2-2~
There are no rdeps of mapserver in Debian, so no users of the symbols file.
It's technically wrong. If you introduce symbols with a patch, the
symbols need to be properly versioned. After all, there is a user of the
symbols file and that is mapserver itself. If you have to introduce
calls to those two symbols outside of libmapserver in the next patch,
the dependency on libmapserver is wrong.
Post by Sebastiaan Couwenberg
Post by Sebastian Ramacher
Please remove the moreinfo tag once that fixed version is available in
unstable.
mapserver (7.6.2-2) has been uploaded to unstable without further
changes to the symbols file.
Again, please remove the moreinfo tag only once a fixed version is
available in unstable.

Cheers
Sebastiaan Couwenberg
2021-05-25 08:10:02 UTC
Control: tags -1 - moreinfo
Post by Sebastian Ramacher
It's technically wrong. If you introduce symbols with a patch, the
symbols need to be properly versioned. After all, there is a user of the
symbols file and that is mapserver itself. If you have to introduce
calls to those two symbols outside of libmapserver in the next patch,
the dependency on libmapserver is wrong.
libmapserver-dev already depends on libmapserver2 with (=
${binary:Version}).

None of the other binary packages require symbols introduced after 7.0.5.

All the code using msCaseEvalRegex & msIsValidRegex is within
libmapserver itself.

While strictly speaking the version in the symbols file should include
the revision, it's not required in this case because nothing outside
libmapserver uses it.
Post by Sebastian Ramacher
Again, please remove the moreinfo tag only once a fixed version is
available in unstable.
There is no need for further changes in unstable.

Kind Regards,

Bas
Salvatore Bonaccorso
2021-05-30 19:20:02 UTC
Sebastiaan, Sebastian,
Sebastian (the release team member), is there anything from the above
which you still want the maintainer to address? Sebastiaan, my
understanding is that Sebastian would like to see the above changes done
for mapserver to be unblocked.

Regards,
Salvatore
Sebastiaan Couwenberg
2021-05-31 03:50:01 UTC
Post by Salvatore Bonaccorso
Sebastian (the release team member), is there anything from the above
which you still want the maintainer to address? Sebastiaan, my
understanding is that Sebastian would like to see the above changes done
for mapserver to be unblocked.
That's my understanding too, but the additional information provided
should make clear that those changes are not required.

Kind Regards,

Bas
Sebastian Ramacher
2021-05-31 06:20:02 UTC
Post by Sebastiaan Couwenberg
Post by Salvatore Bonaccorso
Sebastiaan, Sebastian,
Post by Sebastiaan Couwenberg
Control: tags -1 - moreinfo
Post by Sebastian Ramacher
Post by Sebastiaan Couwenberg
Post by Sebastian Ramacher
Post by Bas Couwenberg
Package: release.debian.org
Severity: normal
Usertags: unblock
Please unblock package mapserver to fix CVE-2021-32062 as reported in #988208.
[ Reason ]
Fix security issue.
[ Impact ]
Unfixed security issue.
[ Tests ]
Upstream CI.
[ Risks ]
Low, leaf package.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is required as a dependency of 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch.
unblock mapserver/7.6.2-2
diff -Nru mapserver-7.6.2/debian/changelog mapserver-7.6.2/debian/changelog
--- mapserver-7.6.2/debian/changelog 2020-12-09 06:01:02.000000000 +0100
+++ mapserver-7.6.2/debian/changelog 2021-05-08 07:12:18.000000000 +0200
@@ -1,3 +1,12 @@
+mapserver (7.6.2-2) unstable; urgency=high
+
+ * Drop unused lintian overrides.
+ * Add upstream patches to fix CVE-2021-32062.
+ (closes: #988208)
+ * Update symbols file.
+
+
mapserver (7.6.2-1) unstable; urgency=medium
* Update symbols for other architectures.
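Review bot: the hunk header `@@ -1,3 +1,12 @@` announces nine added lines but only eight `+` lines are visible here, so the entry's maintainer/date trailer has been dropped from this quoted copy; also, the entry ends in two blank `+` lines where the usual layout is a single blank line before the trailer. The `urgency=high` setting is appropriate for a CVE fix that needs to migrate quickly, and the `(closes: #988208)` continuation line ties the upload to the security bug.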
diff -Nru mapserver-7.6.2/debian/libmapserver2.lintian-overrides mapserver-7.6.2/debian/libmapserver2.lintian-overrides
--- mapserver-7.6.2/debian/libmapserver2.lintian-overrides 2020-08-06 05:34:57.000000000 +0200
+++ mapserver-7.6.2/debian/libmapserver2.lintian-overrides 1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-# Cannot easily be fixed
-file-references-package-build-path *
-
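Review bot: removing the `file-references-package-build-path *` override is correct only if the tag no longer fires for libmapserver2; the changelog calls the override "unused", so a lintian run on the rebuilt binary package should confirm that, otherwise the tag simply comes back as a warning.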
diff -Nru mapserver-7.6.2/debian/libmapserver2.symbols mapserver-7.6.2/debian/libmapserver2.symbols
--- mapserver-7.6.2/debian/libmapserver2.symbols 2020-12-09 06:00:39.000000000 +0100
+++ mapserver-7.6.2/debian/libmapserver2.symbols 2021-05-08 07:11:08.000000000 +0200
@@ -945,6 +945,7 @@
@@ -1418,6 +1419,7 @@
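Review bot: only the headers of the two symbols hunks (`@@ -945,6 +945,7 @@` and `@@ -1418,6 +1419,7 @@`, one added line each) survive in this quoted copy, so the added symbol lines themselves cannot be checked here. Because the two symbols are introduced by the Debian patch rather than by upstream 7.6.2, their minimal version should carry the Debian revision (`7.6.2-2~`), as the dpkg-gensymbols documentation describes; a bare `7.6.2` lets a dependency generated from them be satisfied by the 7.6.2-1 build that does not export them.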
This version is not high enough. The symbols need to be marked as
requiring 7.6.2-2~
There are no rdeps of mapserver in Debian, so no users of the symbols file.
It's technically wrong. If you introduce symbols with a patch, the
symbols need to be properly versioned. After all, there is a user of the
symbols file and that is mapserver itself. If you have to introduce
calls to those two symbols outside of libmapserver in the next patch,
the dependency on libmapserver is wrong.
libmapserver-dev already depends on libmapserver2 with (= ${binary:Version}).
None of the other binary packages require symbols introduced after 7.0.5.
All the code using msCaseEvalRegex & msIsValidRegex is within
libmapserver itself.
While strictly speaking the version in the symbols file should include
the revision, it's not required in this case because nothing outside
libmapserver uses it.
Post by Sebastian Ramacher
Post by Sebastiaan Couwenberg
Post by Sebastian Ramacher
Please remove the moreinfo tag once that fixed version is available in
unstable.
mapserver (7.6.2-2) has been uploaded to unstable without further
changes to the symbols file.
Again, please remove the moreinfo tag only once a fixed version is
available in unstable.
There is no need for further changes in unstable.
Sebastian (the release team member), is there anything from the above
which you still want the maintainer to address? Sebastiaan, my
understanding is that Sebastian would like to see the above changes done
for mapserver to be unblocked.
That's my understanding too, but the additional information provided
should make clear that those changes are not required.
Post by Salvatore Bonaccorso
Post by Sebastiaan Couwenberg
Please remove the moreinfo tag once that fixed version is available in
unstable.
mapserver (7.6.2-2) has been uploaded to unstable without further
changes to the symbols file.
Again, please remove the moreinfo tag only once a fixed version is
available in unstable.
I want these symbols fixed.

Cheers
--
Sebastian Ramacher
Sebastiaan Couwenberg
2021-05-31 06:30:02 UTC
Post by Sebastian Ramacher
Post by Sebastiaan Couwenberg
Post by Salvatore Bonaccorso
Sebastiaan, Sebastian,
Post by Sebastiaan Couwenberg
Control: tags -1 - moreinfo
Post by Sebastian Ramacher
Post by Sebastiaan Couwenberg
Post by Sebastian Ramacher
Post by Bas Couwenberg
Package: release.debian.org
Severity: normal
Usertags: unblock
Please unblock package mapserver to fix CVE-2021-32062 as reported in #988208.
[ Reason ]
Fix security issue.
[ Impact ]
Unfixed security issue.
[ Tests ]
Upstream CI.
[ Risks ]
Low, leaf package.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is required as a dependency of 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch.
unblock mapserver/7.6.2-2
This version is not high enough. The symbols need to be marked as
requiring 7.6.2-2~
There are no rdeps of mapserver in Debian, so no users of the symbols file.
It's technically wrong. If you introduce symbols with a patch, the
symbols need to be properly versioned. After all, there is a user of the
symbols file and that is mapserver itself. If you have to introduce
calls to those two symbols outside of libmapserver in the next patch,
the dependency on libmapserver is wrong.
libmapserver-dev already depends on libmapserver2 with (= ${binary:Version}).
None of the other binary packages require symbols introduced after 7.0.5.
All the code using msCaseEvalRegex & msIsValidRegex is within
libmapserver itself.
While strictly speaking the version in the symbols file should include
the revision, it's not required in this case because nothing outside
libmapserver uses it.
Post by Sebastian Ramacher
Post by Sebastiaan Couwenberg
Post by Sebastian Ramacher
Please remove the moreinfo tag once that fixed version is available in
unstable.
mapserver (7.6.2-2) has been uploaded to unstable without further
changes to the symbols file.
Again, please remove the moreinfo tag only once a fixed version is
available in unstable.
There is no need for further changes in unstable.
Sebastian (the release team member), is there anything from the above
which you still want the maintainer to address? Sebastiaan, my
understanding is that Sebastian would like to see the above changes done
for mapserver to be unblocked.
That's my understanding too, but the additional information provided
should make clear that those changes are not required.
There is no message #24 in #988224.
Post by Sebastian Ramacher
Post by Sebastiaan Couwenberg
Post by Salvatore Bonaccorso
Post by Sebastiaan Couwenberg
Please remove the moreinfo tag once that fixed version is available in
unstable.
mapserver (7.6.2-2) has been uploaded to unstable without further
changes to the symbols file.
Again, please remove the moreinfo tag only once a fixed version is
available in unstable.
I want these symbols fixed.
There is no need for that.

Perhaps we should just close this issue as wontfix, I'm not going to
change the symbols version for pedantic reasons.

Kind Regards,

Bas
--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
Sebastian Ramacher
2021-05-31 06:40:01 UTC
Post by Sebastiaan Couwenberg
Post by Sebastian Ramacher
Post by Sebastiaan Couwenberg
Post by Salvatore Bonaccorso
Sebastiaan, Sebastian,
Post by Sebastiaan Couwenberg
Control: tags -1 - moreinfo
Post by Sebastian Ramacher
Post by Sebastiaan Couwenberg
Post by Sebastian Ramacher
Post by Bas Couwenberg
Package: release.debian.org
Severity: normal
Usertags: unblock
Please unblock package mapserver to fix CVE-2021-32062 as reported in #988208.
[ Reason ]
Fix security issue.
[ Impact ]
Unfixed security issue.
[ Tests ]
Upstream CI.
[ Risks ]
Low, leaf package.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is required as a dependency of 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch.
unblock mapserver/7.6.2-2
This version is not high enough. The symbols need to be marked as
requiring 7.6.2-2~
There are no rdeps of mapserver in Debian, so no users of the symbols file.
It's technically wrong. If you introduce symbols with a patch, the
symbols need to be properly versioned. After all, there is a user of the
symbols file and that is mapserver itself. If you have to introduce
calls to those two symbols outside of libmapserver in the next patch,
the dependency on libmapserver is wrong.
libmapserver-dev already depends on libmapserver2 with (= ${binary:Version}).
None of the other binary packages require symbols introduced after 7.0.5.
All the code using msCaseEvalRegex & msIsValidRegex is within
libmapserver itself.
While strictly speaking the version in the symbols file should include
the revision, it's not required in this case because nothing outside
libmapserver uses it.
Post by Sebastian Ramacher
Post by Sebastiaan Couwenberg
Post by Sebastian Ramacher
Please remove the moreinfo tag once that fixed version is available in
unstable.
mapserver (7.6.2-2) has been uploaded to unstable without further
changes to the symbols file.
Again, please remove the moreinfo tag only once a fixed version is
available in unstable.
There is no need for further changes in unstable.
Sebastian (the release team member), is there anything from the above
which you still want the maintainer to address? Sebastiaan, my
understanding is that Sebastian would like to see the above changes done
for mapserver to be unblocked.
That's my understanding too, but the additional information provided
should make clear that those changes are not required.
There is no message #24 in #988224.
Sorry, #26: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988224#26
Post by Sebastiaan Couwenberg
Post by Sebastian Ramacher
Post by Sebastiaan Couwenberg
Post by Salvatore Bonaccorso
Post by Sebastiaan Couwenberg
Please remove the moreinfo tag once that fixed version is available in
unstable.
mapserver (7.6.2-2) has been uploaded to unstable without further
changes to the symbols file.
Again, please remove the moreinfo tag only once a fixed version is
available in unstable.
I want these symbols fixed.
There is no need for that.
Perhaps we should just close this issue as wontfix, I'm not going to
change the symbols version for pedantic reasons.
If you are unwilling to fix a potential RC bug waiting to happen, then
yes, let's close it.

Cheers
Post by Sebastiaan Couwenberg
Kind Regards,
Bas
--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
--
Sebastian Ramacher
Sebastiaan Couwenberg
2021-05-31 07:10:01 UTC
Post by Sebastian Ramacher
Post by Sebastiaan Couwenberg
Post by Sebastian Ramacher
Post by Sebastiaan Couwenberg
Post by Salvatore Bonaccorso
Sebastiaan, Sebastian,
Post by Sebastiaan Couwenberg
Control: tags -1 - moreinfo
Post by Sebastian Ramacher
Post by Sebastiaan Couwenberg
Post by Sebastian Ramacher
Post by Bas Couwenberg
Package: release.debian.org
Severity: normal
Usertags: unblock
Please unblock package mapserver to fix CVE-2021-32062 as reported in #988208.
[ Reason ]
Fix security issue.
[ Impact ]
Unfixed security issue.
[ Tests ]
Upstream CI.
[ Risks ]
Low, leaf package.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is required as a dependency of 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch.
unblock mapserver/7.6.2-2
This version is not high enough. The symbols need to be marked as
requiring 7.6.2-2~
There are no rdeps of mapserver in Debian, so no users of the symbols file.
It's technically wrong. If you introduce symbols with a patch, the
symbols need to be properly versioned. After all, there is a user of the
symbols file and that is mapserver itself. If you have to introduce
calls to those two symbols outside of libmapserver in the next patch,
the dependency on libmapserver is wrong.
libmapserver-dev already depends on libmapserver2 with (= ${binary:Version}).
None of the other binary packages require symbols introduced after 7.0.5.
All the code using msCaseEvalRegex & msIsValidRegex is within
libmapserver itself.
While strictly speaking the version in the symbols file should include
the revision, it's not required in this case because nothing outside
libmapserver uses it.
Post by Sebastian Ramacher
Post by Sebastiaan Couwenberg
Post by Sebastian Ramacher
Please remove the moreinfo tag once that fixed version is available in
unstable.
mapserver (7.6.2-2) has been uploaded to unstable without further
changes to the symbols file.
Again, please remove the moreinfo tag only once a fixed version is
available in unstable.
There is no need for further changes in unstable.
Sebastian (the release team member), is there anything from the above
which you still want the maintainer to address? Sebastiaan, my
understanding is that Sebastian would like to see the above changes done
for mapserver to be unblocked.
That's my understanding too, but the additional information provided
should make clear that those changes are not required.
There is no message #24 in #988224.
Sorry, #26: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988224#26
And my reply to that is #33:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988224#33
Post by Sebastian Ramacher
Post by Sebastiaan Couwenberg
Post by Sebastian Ramacher
Post by Sebastiaan Couwenberg
Post by Salvatore Bonaccorso
Post by Sebastiaan Couwenberg
Please remove the moreinfo tag once that fixed version is available in
unstable.
mapserver (7.6.2-2) has been uploaded to unstable without further
changes to the symbols file.
Again, please remove the moreinfo tag only once a fixed version is
available in unstable.
I want these symbols fixed.
There is no need for that.
Perhaps we should just close this issue as wontfix, I'm not going to
change the symbols version for pedantic reasons.
If you are unwilling to fix a potential RC bug waiting to happen, then
yes, let's close it.
Your "potential RC bug waiting to happen" is entirely hypothetical; the
two symbols are publicly exported and as such the version in the symbols
file should include the Debian revision per the dpkg-gensymbols
documentation [0] (which should also avoid the
symbols-file-contains-debian-revision lintian issue).

But because there are no users of these two symbols outside
libmapserver, not even other binary packages built from the mapserver
source package as you were expecting, adding the Debian revision is not
required. Insisting on having the Debian revision in the symbols version
with that knowledge is just being pedantic.

I regret the time spent on this (minor) security issue to not have it
affect the upcoming stable release. In retrospect I shouldn't have
bothered for a no-dsa issue.

[0]
https://manpages.debian.org/buster/dpkg-dev/dpkg-gensymbols.1.en.html#MAINTAINING_SYMBOLS_FILES


Kind Regards,

Bas
--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
Debian Bug Tracking System
2021-05-08 20:30:02 UTC
tags -1 - moreinfo
Bug #988224 [release.debian.org] unblock: mapserver/7.6.2-2 (pre-approval)
Removed tag(s) moreinfo.
Debian Bug Tracking System
2021-05-25 08:00:02 UTC
tags -1 moreinfo
Bug #988224 [release.debian.org] unblock: mapserver/7.6.2-2 (pre-approval)
Added tag(s) moreinfo.
Debian Bug Tracking System
2021-05-25 08:10:02 UTC
tags -1 - moreinfo
Bug #988224 [release.debian.org] unblock: mapserver/7.6.2-2 (pre-approval)
Removed tag(s) moreinfo.