[DebianGIS-dev] Processing of libterralib_3.3.1-2_i386.changes
/libterralib_3.3.1-2_i386.changes couldn't be processed for 48 hours and is now deleted All files it mentions are also removed: libterralib_3.3.1-2.dsc, libterralib_3.3.1-2.diff.gz, libterralib1-doc_3.3.1-2_all.deb, libterralib1-dev_3.3.1-2_i386.deb, libterralib1c2a_3.3.1-2_i386.deb Greetings, Your Debian queue daemon ___ Pkg-grass-devel mailing list Pkg-grass-devel@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel
[DebianGIS-dev] Bug#523027: incorrect upstream fix for CVE-2009-0840 (mapserver)
Hi
I've reported that to the devs. They should fix that as soon as possible.
ALan
On June 22, 2009 09:24:35 am Nico Golde wrote:
Hi,
from the CVE description:
| Heap-based buffer underflow in the readPostBody function in cgiutil.c in
| mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote
| attackers to have an unknown impact via a negative value in the
| Content-Length HTTP header.
The affected code is in cgiutil.c:
41 static char *readPostBody( cgiRequestObj *request )
42 {
43 char *data;
44 int data_max, data_len, chunk_size;
45
46 msIO_needBinaryStdin();
47
48 /*
*/ 49
/* If the length is provided, read in one gulp.*/
50 /*
*/ 51
if( getenv(CONTENT_LENGTH) != NULL ) {
52 data_max = atoi(getenv(CONTENT_LENGTH));
53 data = (char *) malloc(data_max+1);
54 if( data == NULL ) {
55 msIO_printf(Content-type: text/html%c%c,10,10);
56 msIO_printf(malloc() failed, Content-Length: %d unreasonably
large?\n, data_max ); 57 exit( 1 );
58 }
59
60 if( (int) msIO_fread(data, 1, data_max, stdin) data_max ) {
There is obviously a problem in case the content-length is negative.
The following is the upstream patch which was used to fix this issue:
static char *readPostBody( cgiRequestObj *request )
{
char *data;
- int data_max, data_len, chunk_size;
+ unsigned int data_max, data_len;
+ int chunk_size;
Unfortunately this doesn't fix the issue and I wonder why people always
think changing signed types to unsigned will fix such errors.
If I pass 0x as the content-length according to type conversion
rules in C atoi() will convert this to -1 which is again converted to
0x when assigning it to an unsigned int. data_max+1 in line 53 will
then overflow and malloc is called with a parameter of 0. This causes
malloc to allocated the smallest possible chunk but it will _not_ return
NULL (well, implementation defined). So it is still possible to perform a
heap-based buffer overflow after the upstream fix.
I'm not sure if this should get a new CVE id but the versions in the CVE id
description should be adjusted and the upstream patch revised.
Cheers
Nico
P.S. @Alan, this is also the reason I have to reject your packages in our
security queue again.
--
Alan Boudreault
Mapgears
http://www.mapgears.com
___
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel
[DebianGIS-dev] Bug#534600: spatialindex: FTBFS with GCC 4.4
Package: spatialindex Version: 1.3.2-1 Severity: serious Tags: patch Justification: no longer builds from source User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu karmic ubuntu-patch *** /tmp/tmpiNhydQ spatialindex FTBFS with GCC 4.4, in Ubuntu we've applied the attached patch to solve this. -- System Information: Debian Release: 5.0 APT prefers jaunty-updates APT policy: (500, 'jaunty-updates'), (500, 'jaunty-security'), (500, 'jaunty-backports'), (500, 'jaunty') Architecture: amd64 (x86_64) Kernel: Linux 2.6.28-11-generic (SMP w/2 CPU cores) Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -u spatialindex-1.3.2/debian/patches/00list spatialindex-1.3.2/debian/patches/00list --- spatialindex-1.3.2/debian/patches/00list +++ spatialindex-1.3.2/debian/patches/00list @@ -1,0 +2 @@ +gcc44 only in patch2: unchanged: --- spatialindex-1.3.2.orig/debian/patches/gcc44.dpatch +++ spatialindex-1.3.2/debian/patches/gcc44.dpatch @@ -0,0 +1,29 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## gcc44.dpatch by Alessio Treglia quadris...@ubuntu.com +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Add missing #include to prevent FTBFS with GCC 4.4. + +...@dpatch@ +diff -urNad spatialindex-1.3.2~/regressiontest/mvrtree/Exhaustive.cc spatialindex-1.3.2/regressiontest/mvrtree/Exhaustive.cc +--- spatialindex-1.3.2~/regressiontest/mvrtree/Exhaustive.cc 2009-06-25 18:54:50.241100353 +0200 spatialindex-1.3.2/regressiontest/mvrtree/Exhaustive.cc 2009-06-25 18:55:31.961101773 +0200 +@@ -27,6 +27,7 @@ + #include cmath + #include cstring + #include limits ++#include stdint.h + + using namespace std; + +diff -urNad spatialindex-1.3.2~/regressiontest/rtree/Exhaustive.cc spatialindex-1.3.2/regressiontest/rtree/Exhaustive.cc +--- spatialindex-1.3.2~/regressiontest/rtree/Exhaustive.cc 2009-06-25 18:54:50.241100353 +0200 spatialindex-1.3.2/regressiontest/rtree/Exhaustive.cc 2009-06-25 18:55:23.985100661 +0200 +@@ -26,6 +26,7 @@ + #include queue + #include cmath + #include cstring ++#include stdint.h + + using namespace std; + ___ Pkg-grass-devel mailing list Pkg-grass-devel@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel
[DebianGIS-dev] r2328 - packages/mkgmap/trunk/debian
Author: nd-guest
Date: 2009-06-25 17:35:31 + (Thu, 25 Jun 2009)
New Revision: 2328
Modified:
packages/mkgmap/trunk/debian/changelog
packages/mkgmap/trunk/debian/compat
packages/mkgmap/trunk/debian/control
packages/mkgmap/trunk/debian/copyright
packages/mkgmap/trunk/debian/watch
Log:
upgrading mkgmap
Modified: packages/mkgmap/trunk/debian/changelog
===
--- packages/mkgmap/trunk/debian/changelog 2009-06-24 20:43:28 UTC (rev
2327)
+++ packages/mkgmap/trunk/debian/changelog 2009-06-25 17:35:31 UTC (rev
2328)
@@ -1,3 +1,13 @@
+mkgmap (0.0.0+svn1067-1) unstable; urgency=low
+
+ * New upstream snapshot.
+ * Added ${misc:Depends} among dependencies to fix a lintian warning.
+ * Bumped debhelper compatibility level to 7.
+ * Updated long description.
+ * Updated Homepage in debian/control, debian/copyright, debian/watch.
+
+ -- Andreas Putzo andr...@putzo.net Thu, 25 Jun 2009 17:31:38 +
+
mkgmap (0.0.0+svn630-1) unstable; urgency=low
* Initial release (Closes: #475773)
Modified: packages/mkgmap/trunk/debian/compat
===
--- packages/mkgmap/trunk/debian/compat 2009-06-24 20:43:28 UTC (rev 2327)
+++ packages/mkgmap/trunk/debian/compat 2009-06-25 17:35:31 UTC (rev 2328)
@@ -1 +1 @@
-5
+7
Modified: packages/mkgmap/trunk/debian/control
===
--- packages/mkgmap/trunk/debian/control2009-06-24 20:43:28 UTC (rev
2327)
+++ packages/mkgmap/trunk/debian/control2009-06-25 17:35:31 UTC (rev
2328)
@@ -3,16 +3,16 @@
Priority: extra
Maintainer: Debian GIS Project pkg-grass-devel@lists.alioth.debian.org
Uploaders: Andreas Putzo andr...@putzo.net
-Build-Depends: ant, cdbs, debhelper (= 5), java-gcj-compat-dev
+Build-Depends: ant, cdbs, debhelper (= 7), java-gcj-compat-dev
Standards-Version: 3.8.0
-Homepage: http://www.parabola.me.uk/mkgmap
+Homepage: http://www.mkgmap.org.uk
Vcs-Browser: http://svn.debian.org/viewsvn/pkg-grass/packages/mkgmap/trunk
Vcs-Svn: svn://svn.debian.org/svn/pkg-grass/packages/mkgmap/trunk
Package: mkgmap
Architecture: all
-Depends: openjdk-6-jre-headless | java5-runtime-headless
+Depends: ${misc:Depends} openjdk-6-jre-headless | java5-runtime-headless
Suggests: josm, qlandkarte
Description: Generate Garmin maps from OpenStreetMap data
This program converts OpenStreetMap data into a map that
- can be loaded onto a Garmin GPS device.
+ can be loaded onto compatible Garmin GPS units.
Modified: packages/mkgmap/trunk/debian/copyright
===
--- packages/mkgmap/trunk/debian/copyright 2009-06-24 20:43:28 UTC (rev
2327)
+++ packages/mkgmap/trunk/debian/copyright 2009-06-25 17:35:31 UTC (rev
2328)
@@ -1,7 +1,7 @@
This package was debianized by Andreas Putzo andr...@putzo.net on
Sun, 13 Apr 2008 19:29:58 +.
-It was downloaded from http://www.parabola.me.uk/mkgmap/snapshots/
+It was downloaded from http://www.mkgmap.org.uk/snapshots/
Upstream Author:
Modified: packages/mkgmap/trunk/debian/watch
===
--- packages/mkgmap/trunk/debian/watch 2009-06-24 20:43:28 UTC (rev 2327)
+++ packages/mkgmap/trunk/debian/watch 2009-06-25 17:35:31 UTC (rev 2328)
@@ -1,3 +1,3 @@
version=3
opts=dversionmangle=s/0.0.0.svn//,uversionmangle=s/^r// \
-http://www.parabola.me.uk/mkgmap/snapshots/mkgmap-(.*)-src\.tar\.gz
+http://www.mkgmap.org.uk/snapshots/mkgmap-(.*)-src\.tar\.gz
___
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel
[DebianGIS-dev] r2329 - packages/mkgmap/trunk/debian
Author: nd-guest
Date: 2009-06-25 18:16:40 + (Thu, 25 Jun 2009)
New Revision: 2329
Modified:
packages/mkgmap/trunk/debian/changelog
packages/mkgmap/trunk/debian/control
packages/mkgmap/trunk/debian/copyright
packages/mkgmap/trunk/debian/docs
Log:
finish package.
Modified: packages/mkgmap/trunk/debian/changelog
===
--- packages/mkgmap/trunk/debian/changelog 2009-06-25 17:35:31 UTC (rev
2328)
+++ packages/mkgmap/trunk/debian/changelog 2009-06-25 18:16:40 UTC (rev
2329)
@@ -1,12 +1,17 @@
mkgmap (0.0.0+svn1067-1) unstable; urgency=low
* New upstream snapshot.
- * Added ${misc:Depends} among dependencies to fix a lintian warning.
- * Bumped debhelper compatibility level to 7.
- * Updated long description.
+ * Added ${misc:Depends} among dependencies to fix a lintian warning.
+ * Bumped debhelper compatibility level to 7.
+ * Updated long description.
* Updated Homepage in debian/control, debian/copyright, debian/watch.
+ * Added numerous files from /doc to debian/docs.
+ * Mentioned Bernhard Heibler in debian/copyright and updated copyright
+year of software and packaging.
+ * Bumped policy to 3.8.2, without changes.
+ * Added DM-Upload-Allowed to debian/control.
- -- Andreas Putzo andr...@putzo.net Thu, 25 Jun 2009 17:31:38 +
+ -- Andreas Putzo andr...@putzo.net Thu, 25 Jun 2009 18:04:29 +
mkgmap (0.0.0+svn630-1) unstable; urgency=low
Modified: packages/mkgmap/trunk/debian/control
===
--- packages/mkgmap/trunk/debian/control2009-06-25 17:35:31 UTC (rev
2328)
+++ packages/mkgmap/trunk/debian/control2009-06-25 18:16:40 UTC (rev
2329)
@@ -3,15 +3,16 @@
Priority: extra
Maintainer: Debian GIS Project pkg-grass-devel@lists.alioth.debian.org
Uploaders: Andreas Putzo andr...@putzo.net
+DM-Upload-Allowed: yes
Build-Depends: ant, cdbs, debhelper (= 7), java-gcj-compat-dev
-Standards-Version: 3.8.0
+Standards-Version: 3.8.2
Homepage: http://www.mkgmap.org.uk
Vcs-Browser: http://svn.debian.org/viewsvn/pkg-grass/packages/mkgmap/trunk
Vcs-Svn: svn://svn.debian.org/svn/pkg-grass/packages/mkgmap/trunk
Package: mkgmap
Architecture: all
-Depends: ${misc:Depends} openjdk-6-jre-headless | java5-runtime-headless
+Depends: ${misc:Depends}, openjdk-6-jre-headless | java5-runtime-headless
Suggests: josm, qlandkarte
Description: Generate Garmin maps from OpenStreetMap data
This program converts OpenStreetMap data into a map that
Modified: packages/mkgmap/trunk/debian/copyright
===
--- packages/mkgmap/trunk/debian/copyright 2009-06-25 17:35:31 UTC (rev
2328)
+++ packages/mkgmap/trunk/debian/copyright 2009-06-25 18:16:40 UTC (rev
2329)
@@ -9,7 +9,7 @@
Copyright:
-Copyright (C) 2007, 2008 Steve Ratcliffe s...@parabola.me.uk
+Copyright (C) 2007-2009 Steve Ratcliffe s...@parabola.me.uk
License:
@@ -21,7 +21,7 @@
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this package; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
@@ -29,5 +29,15 @@
On Debian systems, the complete text of the GNU General
Public License can be found in `/usr/share/common-licenses/GPL-2'.
-The Debian packaging is (C) 2008, Andreas Putzo andr...@putzo.net and
+
+The files:
+ src/uk/me/parabola/mkgmap/general/MapPointMultimap.java,
+ src/uk/me/parabola/mkgmap/general/MapPointFastFindMap.java,
+ src/uk/me/parabola/mkgmap/build/LocatorConfig.java,
+ src/uk/me/parabola/mkgmap/build/Locator.java,
+are Copyright (C) 2009 Bernhard Heibler and
+are licensed under the GPL version 2, see above.
+
+
+The Debian packaging is (C) 2008,2009, Andreas Putzo andr...@putzo.net and
is licensed under the GPL version 2, see above.
Modified: packages/mkgmap/trunk/debian/docs
===
--- packages/mkgmap/trunk/debian/docs 2009-06-25 17:35:31 UTC (rev 2328)
+++ packages/mkgmap/trunk/debian/docs 2009-06-25 18:16:40 UTC (rev 2329)
@@ -1,3 +1,8 @@
README
doc/Credits
+doc/Zoom
+doc/map-features.txt
+doc/style-rules.txt
+doc/style-examples.txt
+doc/style.txt
resources/garmin_feature_list.csv
___
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel
[DebianGIS-dev] r2330 - packages/mkgmap/tags
Author: nd-guest Date: 2009-06-25 18:18:49 + (Thu, 25 Jun 2009) New Revision: 2330 Added: packages/mkgmap/tags/0.0.0+svn569-1/ Log: [svn-buildpackage] Tagging mkgmap (0.0.0+svn569-1) ___ Pkg-grass-devel mailing list Pkg-grass-devel@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel
[DebianGIS-dev] r2331 - in packages/mkgmap: . tarballs
Author: nd-guest Date: 2009-06-25 18:20:30 + (Thu, 25 Jun 2009) New Revision: 2331 Added: packages/mkgmap/tarballs/ packages/mkgmap/tarballs/mkgmap_0.0.0+svn1067.orig.tar.gz packages/mkgmap/tarballs/mkgmap_0.0.0+svn630.orig.tar.gz Log: add orig tarballs Added: packages/mkgmap/tarballs/mkgmap_0.0.0+svn1067.orig.tar.gz === --- packages/mkgmap/tarballs/mkgmap_0.0.0+svn1067.orig.tar.gz (rev 0) +++ packages/mkgmap/tarballs/mkgmap_0.0.0+svn1067.orig.tar.gz 2009-06-25 18:20:30 UTC (rev 2331) @@ -0,0 +1 @@ +link mkgmap-r1067-src.tar.gz \ No newline at end of file Property changes on: packages/mkgmap/tarballs/mkgmap_0.0.0+svn1067.orig.tar.gz ___ Added: svn:special + * Added: packages/mkgmap/tarballs/mkgmap_0.0.0+svn630.orig.tar.gz === --- packages/mkgmap/tarballs/mkgmap_0.0.0+svn630.orig.tar.gz (rev 0) +++ packages/mkgmap/tarballs/mkgmap_0.0.0+svn630.orig.tar.gz2009-06-25 18:20:30 UTC (rev 2331) @@ -0,0 +1 @@ +link mkgmap-r630-src.tar.gz \ No newline at end of file Property changes on: packages/mkgmap/tarballs/mkgmap_0.0.0+svn630.orig.tar.gz ___ Added: svn:special + * ___ Pkg-grass-devel mailing list Pkg-grass-devel@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel
[DebianGIS-dev] RFS: gosmore
Hi, i'm looking for a sponsor for gosmore. The updated package makes it compatible with current OSM data again, fixing a rc bug. Except for the missing manpage, the package appears to be lintian clean. gosmore (0.0.0.20090624-1) unstable; urgency=low * New upstream snapshot fetched from svn, revision 16088. (Closes: #533372) * debian/rules get-orig-source: - Remove debian/ dir. - Ignore externals in svn export command. * Removed 10-findresources.dpatch, applied upstream. * Mentioned ConvertUTF.c, elemstyles.xml and icons.* in debian/copyright. * Added a note to the long description that gosmore needs additional data files. (Closes: #491842) * Dropped dependency on libgps-dev, gosmore tries to parse NMEA sentences on its own. (Closes: #524042) * Removed dpatch build-dependency and debian/patches since there are no patches currently. * Bumped policy to 3.8.2, without changes. * Added DM-Upload-Allowed to debian/control. * Removed build-dependency on flite-dev, feature has been removed. * Bumped debhelper compatibility level to 7. -- Andreas Putzo andr...@putzo.net Wed, 24 Jun 2009 20:32:38 + I uploaded to mentors but the packages should also build fine from svn :) dget -x http://mentors.debian.net/debian/pool/main/g/gosmore/gosmore_0.0.0.20090624-1.dsc Regards, Andreas ___ Pkg-grass-devel mailing list Pkg-grass-devel@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel
