...
 
Commits (4)
mapserver (6.4.1-2ubuntu0.1) trusty-security; urgency=medium
* Non-maintainer upload.
* Add upstream patches to fix CVE-2016-9839 & CVE-2017-5522.
(LP: #1648998)
-- Bas Couwenberg <sebastic@debian.org> Wed, 18 Jan 2017 23:18:47 +0100
mapserver (6.4.1-2) unstable; urgency=low
* Add gpb.conf to use pristine-tar by default.
......
Source: mapserver
Maintainer: Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
XSBC-Original-Maintainer: Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>
Uploaders: Francesco Paolo Lovergine <frankie@debian.org>,
Alan Boudreault <aboudreault@mapgears.com>,
Bas Couwenberg <sebastic@xs4all.nl>
......
Description: Backport #4928 and #5356
Author: Thomas Bonfort <thomas.bonfort@gmail.com>
Origin: https://github.com/mapserver/mapserver/commit/022d24bd34196b6dca67053fb797a6980210bc54
--- a/mapogr.cpp
+++ b/mapogr.cpp
@@ -1118,18 +1118,15 @@ msOGRFileOpen(layerObj *layer, const cha
RELEASE_OGR_LOCK;
if( hDS == NULL ) {
- if( strlen(CPLGetLastErrorMsg()) == 0 )
- msSetError(MS_OGRERR,
- "Open failed for OGR connection in layer `%s'. "
- "File not found or unsupported format.",
- "msOGRFileOpen()",
- layer->name?layer->name:"(null)" );
- else
- msSetError(MS_OGRERR,
- "Open failed for OGR connection in layer `%s'.\n%s\n",
- "msOGRFileOpen()",
- layer->name?layer->name:"(null)",
- CPLGetLastErrorMsg() );
+ msSetError(MS_OGRERR,
+ "Open failed for OGR connection in layer `%s'. "
+ "Check logs.",
+ "msOGRFileOpen()",
+ layer->name?layer->name:"(null)" );
+ if( strlen(CPLGetLastErrorMsg()) != 0 )
+ msDebug("Open failed for OGR connection in layer `%s'.\n%s\n",
+ layer->name?layer->name:"(null)",
+ CPLGetLastErrorMsg() );
CPLFree( pszDSName );
CPLFree( pszLayerDef );
return NULL;
@@ -1154,10 +1151,13 @@ msOGRFileOpen(layerObj *layer, const cha
ACQUIRE_OGR_LOCK;
hLayer = OGR_DS_ExecuteSQL( hDS, pszLayerDef, NULL, NULL );
if( hLayer == NULL ) {
- msSetError(MS_OGRERR,
- "ExecuteSQL(%s) failed.\n%s",
- "msOGRFileOpen()",
- pszLayerDef, CPLGetLastErrorMsg() );
+ msSetError(MS_OGRERR,
+ "ExecuteSQL(%s) failed. Check logs",
+ "msOGRFileOpen()",
+ pszLayerDef);
+ msDebug(
+ "ExecuteSQL(%s) failed.\n%s",
+ pszLayerDef, CPLGetLastErrorMsg() );
RELEASE_OGR_LOCK;
msConnPoolRelease( layer, hDS );
CPLFree( pszLayerDef );
@@ -1189,9 +1189,11 @@ msOGRFileOpen(layerObj *layer, const cha
}
if (hLayer == NULL) {
- msSetError(MS_OGRERR, "GetLayer(%s) failed for OGR connection `%s'.",
- "msOGRFileOpen()",
- pszLayerDef, connection );
+ msSetError(MS_OGRERR, "GetLayer(%s) failed for OGR connection. Check logs.",
+ "msOGRFileOpen()",
+ pszLayerDef);
+ msDebug("GetLayer(%s) failed for OGR connection `%s'.",
+ pszLayerDef, connection );
CPLFree( pszLayerDef );
msConnPoolRelease( layer, hDS );
return NULL;
@@ -1356,10 +1358,12 @@ static int msOGRFileWhichShapes(layerObj
if( OGR_L_SetAttributeFilter( psInfo->hLayer, layer->filter.string+6 )
!= OGRERR_NONE ) {
msSetError(MS_OGRERR,
- "SetAttributeFilter(%s) failed on layer %s.\n%s",
+ "SetAttributeFilter(%s) failed on layer %s.",
"msOGRFileWhichShapes()",
- layer->filter.string+6, layer->name?layer->name:"(null)",
- CPLGetLastErrorMsg() );
+ layer->filter.string+6, layer->name?layer->name:"(null)");
+ msDebug("SetAttributeFilter(%s) failed on layer %s.\n%s",
+ layer->filter.string+6, layer->name?layer->name:"(null)",
+ CPLGetLastErrorMsg() );
RELEASE_OGR_LOCK;
return MS_FAILURE;
}
@@ -1562,8 +1566,8 @@ msOGRFileNextShape(layerObj *layer, shap
if( (hFeature = OGR_L_GetNextFeature( psInfo->hLayer )) == NULL ) {
psInfo->last_record_index_read = -1;
if( CPLGetLastErrorType() == CE_Failure ) {
- msSetError(MS_OGRERR, "%s", "msOGRFileNextShape()",
- CPLGetLastErrorMsg() );
+ msSetError(MS_OGRERR, "OGR error. check logs", "msOGRFileNextShape()");
+ msDebug("msOGRFileNextShape() error: %s", CPLGetLastErrorMsg() );
RELEASE_OGR_LOCK;
return MS_FAILURE;
} else {
--- a/mappostgis.c
+++ b/mappostgis.c
@@ -2305,7 +2305,8 @@ int msPostGISLayerOpen(layerObj *layer)
}
}
- msSetError(MS_QUERYERR, "Database connection failed (%s) with connect string '%s'\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?", "msPostGISLayerOpen()", PQerrorMessage(layerinfo->pgconn), maskeddata);
+ msDebug("Database connection failed (%s) with connect string '%s'\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?.\n", PQerrorMessage(layerinfo->pgconn), maskeddata);
+ msSetError(MS_QUERYERR, "Database connection failed.\nIs the database running? Is it allowing connections? Does the specified user exist? Is the password valid? Is the database on the standard port?", "msPostGISLayerOpen()");
free(maskeddata);
free(layerinfo);
@@ -2327,7 +2328,6 @@ int msPostGISLayerOpen(layerObj *layer)
msSetError(MS_QUERYERR, "PostgreSQL database connection gone bad (%s)", "msPostGISLayerOpen()", PQerrorMessage(layerinfo->pgconn));
return MS_FAILURE;
}
-
}
}
Description: security fix (patch by EvenR)
Fixes CVE-2017-5522 (stack buffer overflow)
Author: Even Rouault <even.rouault@spatialys.com>
Origin: https://github.com/mapserver/mapserver/commit/fb00f8149898fcf9fcb490a179984e481248f066
https://github.com/mapserver/mapserver/commit/f096b132e58cdfe2714ce372e9f4f7c76d72c5ec
--- a/mapogcfilter.c
+++ b/mapogcfilter.c
@@ -2852,7 +2852,9 @@ char *FLTGetIsLikeComparisonExpression(F
pszValue = psFilterNode->psRightNode->pszValue;
nLength = strlen(pszValue);
-
+ if( 1 + 2 * nLength + 1 + 1 >= sizeof(szTmp) )
+ return NULL;
+
iTmp =0;
if (nLength > 0 && pszValue[0] != pszWild[0] &&
pszValue[0] != pszSingle[0] &&
--- a/mapogcfiltercommon.c
+++ b/mapogcfiltercommon.c
@@ -93,6 +93,8 @@ char *FLTGetIsLikeComparisonCommonExpres
pszValue = psFilterNode->psRightNode->pszValue;
nLength = strlen(pszValue);
+ if( 1 + 2 * nLength + 1 + 1 >= sizeof(szTmp) )
+ return NULL;
iTmp =0;
if (nLength > 0 && pszValue[0] != pszWild[0] &&
......@@ -4,3 +4,5 @@ perl-mapscript-install.patch
ruby-mapscript-install.patch
cmake-mapserver-export.patch
cmake-ruby2.patch
CVE-2016-9839.patch
CVE-2017-5522.patch