The following commit has been merged in the wheezy branch:

commit 61b13642dc297ebf8e3fc0119b13c109972c93ac
Author: Bas Couwenberg <sebas...@xs4all.nl>
Date: Wed Jan 8 22:28:39 2014 +0100
Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c. (closes: #734565) diff --git a/debian/changelog b/debian/changelog index a674b80..8683fe2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +mapserver (6.0.1-3.2+deb7u2) wheezy-security; urgency=high + + * Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the + msPostGISLayerSetTimeFilter function in mappostgis.c. + (closes: #734565) + + -- Bas Couwenberg <sebas...@xs4all.nl> Wed, 08 Jan 2014 21:52:08 +0100 + mapserver (6.0.1-3.2+deb7u1) stable-proposed-updates; urgency=low [ Francesco Paolo Lovergine ] diff --git a/debian/patches/cve-2013-7262 b/debian/patches/cve-2013-7262 new file mode 100644 index 0000000..ec15bb7 --- /dev/null +++ b/debian/patches/cve-2013-7262 @@ -0,0 +1,20 @@ +Description: Fix potential SQL Injection with postgis TIME filters. +Origin: https://github.com/mapserver/mapserver/commit/3f0ee57b12d482e0ff5611d05afd32408949f7f9 +Author: Even Rouault <even.roua...@mines-paris.org> +Bug: https://github.com/mapserver/mapserver/issues/4834 +Bug-Debian: http://bugs.debian.org/734565 +Last-Update: 2013-01-08 +--- a/mappostgis.c ++++ b/mappostgis.c +@@ -2961,6 +2961,11 @@ int msPostGISLayerSetTimeFilter(layerObj + if (!lp || !timestring || !timefield) + return MS_FALSE; + ++ if( strchr(timestring,'\'') || strchr(timestring, '\\') ) { ++ msSetError(MS_MISCERR, "Invalid time filter.", "msPostGISLayerSetTimeFilter()"); ++ return MS_FALSE; ++ } ++ + if (strstr(timestring, ",") == NULL && + strstr(timestring, "/") == NULL) /* discrete time */ + tmpstimestring = msStrdup(timestring); diff --git a/debian/patches/series b/debian/patches/series index 38b6725..17ec2a1 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -2,3 +2,4 @@ fixgeos php54 multiarch-libgd contenttype +cve-2013-7262 -- Packaging for MapServer _______________________________________________ Pkg-grass-devel mailing list Pkg-grass-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-grass-devel
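Review bot: In the debian/patches/cve-2013-7262 header, Last-Update reads 2013-01-08 while the commit and the changelog entry in this same mail are dated 8 Jan 2014, so the field should read 2014-01-08. The guard itself is placed well: it runs right after the NULL checks and before the strstr()/msStrdup() branches, so both the discrete-time and the range path get a timestring that contains no single quote or backslash, the two characters that would let a caller break out of the quoted literal; a valid time value needs neither. One small suggestion: have the msSetError() message name the rejected characters rather than the bare "Invalid time filter.", so an operator can tell a malformed request apart from a blocked injection attempt in the logs.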