[Ubuntu] Fixing CVE-2016-9839 for mapserver
Sebastiaan Couwenberg
sebastic at xs4all.nl
Mon Dec 5 15:31:38 PST 2016
On 12/06/2016 12:22 AM, Sebastiaan Couwenberg wrote:
> Today the MapServer team has released version 7.0.3 which fixes
> CVE-2016-9839. To quote the release announcement [0]:
>
> "
> That issue involves OGR error messages being too verbose in some
> instances and potentially disclosing sensitive information if the
> underlying connection fails. In addition we have backported a somewhat
> similar fix to the 6.x series for PostGIS layers.
> "
>
> I've already updated the package in unstable, and have cherry-picked the
> commit fixing the issue for OGR & PostGIS layers for the package in
> jessie (6.4.1-5+deb8u1) & wheezy (6.0.1-3.2+deb7u3). See the attached
> debdiffs.
>
> The "sensitive information" are the credentials for the database
> configured in the mapfile which are reported in the error message. If
> the database is accessible over the network unauthorized users may gain
> access using the credentials from the error message. An example is
> provided in the upstream issue [1] for the PostGIS layer, and
> similarly affects the OGR layer [2][3].
>
> I don't think the issue is remotely exploitable, unless some way to
> force the database connection failure to occur is found. As long as the
> database is only accessible on the localhost, the impact of the issue is
> limited.
>
> [...]
>
> [0] https://lists.osgeo.org/pipermail/mapserver-dev/2016-December/014979.html
> [1] https://github.com/mapserver/mapserver/pull/4928
> [2] https://github.com/mapserver/mapserver/pull/5356
> [3] http://gis.stackexchange.com/questions/219426/mapserver-hide-ogr-exception

The above also affects the mapserver packages in the UbuntuGIS PPAs.

I've updated the mapserver package to 7.0.3 for xenial & trusty in
ubuntugis-unstable already, these still need to be copied to -testing &
-stable though.

The issue also affects the precise package, but I haven't updated that
due to lacking a suitable chroot. Including the patch from the jessie
package should be sufficient to fix the package for precise too:

https://anonscm.debian.org/cgit/pkg-grass/mapserver.git/commit/?h=jessie&id=574f906653bab70ee6403997175935e42f99c58f

Any volunteers to fix this issue in the precise package?

Kind Regards,

Bas

--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
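
The class of fix discussed in the message above, keeping database credentials out of a connection-failure error message, shown as an added example that is not the upstream MapServer patch or the Debian debdiff. It assumes a libpq-style keyword=value connection string; `redact_conninfo` and the sample string are hypothetical names and values constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example (not MapServer code): copy a libpq-style "key=value ..."
 * string into out with every password value replaced by "***". A keyword is
 * recognised at the start of the string or right after whitespace.
 * Returns 0 on success, -1 if out is too small. */
int redact_conninfo(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    const char *p = in;
    if (outlen == 0) return -1;
    while (*p) {
        int at_key = (p == in) || isspace((unsigned char)p[-1]);
        if (at_key && strncmp(p, "password", 8) == 0) {
            const char *q = p + 8;
            while (isspace((unsigned char)*q)) q++;
            if (*q == '=') {
                for (q++; isspace((unsigned char)*q); q++) ;
                int quoted = (*q == '\'');
                if (quoted) q++;
                /* skip the value; a backslash escapes the next character */
                while (*q && (quoted ? *q != '\'' : !isspace((unsigned char)*q))) {
                    if (*q == '\\' && q[1]) q++;
                    q++;
                }
                if (quoted && *q) q++;          /* closing quote */
                if (o + 12 >= outlen) return -1;
                memcpy(out + o, "password=***", 12);
                o += 12; p = q;
                continue;
            }
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = *p++;
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    /* constructed sample connection string, not taken from the page */
    const char *conn = "host=db.example.internal user=gis password=s3cret dbname=maps";
    char safe[256];
    if (redact_conninfo(conn, safe, sizeof safe) == 0)
        fprintf(stderr, "connection failed (connect string: '%s')\n", safe);
    return 0;
}
```

Only the `password` keyword is masked here; other secret-bearing keys would need the same treatment, and omitting the connection string from client-facing errors entirely is the stricter option.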