buffer overflow + insecure mapserv CGI command-line debug args

Bug #603593 reported by Alan Boudreault
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| mapserver (Ubuntu) | Fix Released | Critical | Unassigned | |
| Hardy | Fix Released | Undecided | Unassigned | |
| Karmic | Fix Released | Undecided | Unassigned | |
| Lucid | Fix Released | Undecided | Unassigned | |
| Maverick | Fix Released | Critical | Unassigned | |

Bug Description

There are two important security bugs in mapserver:

- Buffer overflow in msTmpFile(): http://trac.osgeo.org/mapserver/ticket/3484
- Insecure mapserv CGI command-line debug args: http://trac.osgeo.org/mapserver/ticket/3485

I'm going to create the security fixes for hardy, karmic and lucid.

Jamie Strandboge (jdstrand) wrote :

Alan, thanks for the heads up and your work on this! When submitting debdiffs please follow https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes%20for%20Contributors to make sure your patches are published in a timely manner. Thanks!

visibility: private → public
Changed in mapserver (Ubuntu Lucid):
status: New → Confirmed
Changed in mapserver (Ubuntu Maverick):
status: New → Confirmed
Changed in mapserver (Ubuntu Hardy):
status: New → Confirmed
Changed in mapserver (Ubuntu Karmic):
status: New → Confirmed
Alan Boudreault (aboudreault) wrote :

Here's the sec update for hardy. Build tested on a clean environment

Alan Boudreault (aboudreault) wrote :

Here's the sec update for karmic. Build tested on a clean environment

Alan Boudreault (aboudreault) wrote :

Here's the sec update for lucid. Build tested on a clean environment

Alan Boudreault (aboudreault) wrote :

We are going to upload the MapServer 5.6.4 release to Debian Unstable today. Afterwards, Maverick will have to be synchronized with Debian. I'll add a comment here as soon as the 5.6.4 release is ready to be synched.

Marc Deslauriers (mdeslaur) wrote :
Jamie Strandboge (jdstrand) wrote :

ACK for hardy, karmic and lucid, though it's too bad we needed autoconf changes for this (patch is huge). Alan, in the future, please use 'LP: #...' instead of 'LP #...'. Launchpad won't autoclose bugs without the colon. I've fixed it for the upload.

Jamie Strandboge (jdstrand) wrote :

I've uploaded these to the security queue.

Changed in mapserver (Ubuntu Lucid):
status: Confirmed → Fix Committed
Changed in mapserver (Ubuntu Hardy):
status: Confirmed → Fix Committed
Changed in mapserver (Ubuntu Karmic):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mapserver - 5.6.1-1ubuntu1.1

---------------
mapserver (5.6.1-1ubuntu1.1) lucid-security; urgency=low

  * SECURITY UPDATE: Buffer overflow in msTmpFile function (LP: #603593)
    - debian/patches/01_mstmpfile.dpatch: Fix the buffer overflow.
    [http://trac.osgeo.org/mapserver/ticket/3484]
  * SECURITY UPDATE: Insecure CGI command-line debug args (LP: #603593)
    - debian/patches/02_cl_debug_args.dpatch: Disable insecure mapserv
      CGI command-line debug args.
    [http://trac.osgeo.org/mapserver/ticket/3485]
 -- Alan Boudreault <email address hidden> Fri, 09 Jul 2010 09:36:30 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mapserver - 5.4.2-1ubuntu0.1

---------------
mapserver (5.4.2-1ubuntu0.1) karmic-security; urgency=low

  * SECURITY UPDATE: Buffer overflow in msTmpFile function (LP: #603593)
    - debian/patches/01_mstmpfile.dpatch: Fix the buffer overflow.
    [http://trac.osgeo.org/mapserver/ticket/3484]
  * SECURITY UPDATE: Insecure CGI command-line debug args (LP: #603593)
    - debian/patches/02_cl_debug_args.dpatch: Disable insecure mapserv
      CGI command-line debug args.
    [http://trac.osgeo.org/mapserver/ticket/3485]
 -- Alan Boudreault <email address hidden> Fri, 09 Jul 2010 09:36:30 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mapserver - 5.0.0-3ubuntu0.2

---------------
mapserver (5.0.0-3ubuntu0.2) hardy-security; urgency=low

  * SECURITY UPDATE: Buffer overflow in msTmpFile function (LP: #603593)
    - debian/patches/07_mstmpfile.dpatch: Fix the buffer overflow.
    [http://trac.osgeo.org/mapserver/ticket/3484]
  * SECURITY UPDATE: Insecure CGI command-line debug args (LP: #603593)
    - debian/patches/08_cl_debug_args.dpatch: Disable insecure mapserv
      CGI command-line debug args.
    [http://trac.osgeo.org/mapserver/ticket/3485]
 -- Alan Boudreault <email address hidden> Fri, 09 Jul 2010 09:36:30 -0400

Changed in mapserver (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in mapserver (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in mapserver (Ubuntu Lucid):
status: Fix Committed → Fix Released
tags: added: patch
Alan Boudreault (aboudreault) wrote :

Right, I took a note about the "LP: #..." hint. Thanks a lot for those quick uploads.

Adam Guthrie (therigu) wrote :

Marking as patch-accepted-upstream as patches are SRU patches originating from upstream and released in 5.6.4

tags: added: patch-accepted-upstream
Alan Boudreault (aboudreault) wrote :

Please, synchronize mapserver 5.6.5 from debian unstable to Ubuntu Maverick. This release includes sec patches. At the same time, please close that bug: https://bugs.launchpad.net/bugs/607281 (which is asking for that sync too)

Changed in mapserver (Ubuntu Maverick):
importance: Undecided → High
importance: High → Critical
Jamie Strandboge (jdstrand) wrote :

This was fixed in maverick some time ago:

mapserver (5.6.5-1) unstable; urgency=low

  * New upstream release with an important bug fix about scale calculation.
  * Added OGC SOS server support.

mapserver (5.6.4-1) unstable; urgency=high

  [ Alan Boudreault ]
  * New upstream release, with important security bug fixes.
  * Fix Buffer overflow in msTmpFile function.
    [http://trac.osgeo.org/mapserver/ticket/3484]
  * Fix insecure mapserv CGI command-line debug args.
    [http://trac.osgeo.org/mapserver/ticket/3485]

  [ Francesco Paolo Lovergine ]
  * Policy bumped to 3.9.4, no changes required.
  * Note that in practice bashisms are avoided due to current options selection.
    (closes: #582098)
  * Urgency set to high due to security fixes included.

mapserver (5.6.3-2) unstable; urgency=low

  * Added palette support for rgba png.
 -- Michael Bienia <email address hidden> Tue, 20 Jul 2010 16:44:16 +0100

Changed in mapserver (Ubuntu Maverick):
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
