[Ubuntu] Fixing CVE-2016-9839 for mapserver

Sebastiaan Couwenberg sebastic at xs4all.nl
Mon Dec 5 16:18:00 PST 2016


On 12/06/2016 12:31 AM, Sebastiaan Couwenberg wrote:
> On 12/06/2016 12:22 AM, Sebastiaan Couwenberg wrote:
>> Today the MapServer team has released version 7.0.3 which fixes
>> CVE-2016-9839. To quote the release announcement [0]:
>>
>> "
>>  That issue involves OGR error messages being too verbose in some
>>  instances and potentially disclosing sensitive information if the
>>  underlying connection fails. In addition we have backported a somewhat
>>  similar fix to the 6.x series for PostGIS layers.
>> "
>>
>> I've already updated the package in unstable, and have cherry-picked the
>> commit fixing the issue for OGR & PostGIS layers for the package in
>> jessie (6.4.1-5+deb8u1) & wheezy (6.0.1-3.2+deb7u3). See the attached
>> debdiffs.
>>
>> The "sensitive information" are the credentials for the database
>> configured in the mapfile which are reported in the error message. If
>> the database is accessible over the network unauthorized users may gain
>> access using the credentials from the error message. An example is
>> provided in the upstream issue [1] for the PostGIS layer, and
>> similarly affects the OGR layer [2][3].
>>
>> I don't think the issue is remotely exploitable, unless some way to
>> force the database connection failure to occur is found. As long as the
>> database is only accessible on the localhost, the impact of the issue is
>> limited.
>>
>> [...]
>>
>> [0] https://lists.osgeo.org/pipermail/mapserver-dev/2016-December/014979.html
>> [1] https://github.com/mapserver/mapserver/pull/4928
>> [2] https://github.com/mapserver/mapserver/pull/5356
>> [3] http://gis.stackexchange.com/questions/219426/mapserver-hide-ogr-exception
> 
> The above also affects the mapserver packages in the UbuntuGIS PPAs.
> 
> I've updated the mapserver package to 7.0.3 for xenial & trusty in
> ubuntugis-unstable already, these still need to be copied to -testing &
> -stable though.
> 
> The issue also affects the precise package, but I haven't updated that
> due to lacking a suitable chroot. Including the patch from the jessie
> package should be sufficient to fix the package for precise too:
> 
>  https://anonscm.debian.org/cgit/pkg-grass/mapserver.git/commit/?h=jessie&id=574f906653bab70ee6403997175935e42f99c58f
> 
> Any volunteers to fix this issue in the precise package?

Never mind, I've updated the package for precise too.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1
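
Added example (not part of the original message, and not the upstream MapServer patch): one way to keep database credentials out of a connection-failure message is to mask the password in the connection string before it is reported. The sketch assumes a libpq keyword/value string for the PostGIS connection; the function name and the sample string are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not MapServer code): return a malloc'd copy of a
 * libpq keyword/value connection string with each password value replaced
 * by '*'. Handles spaces around '=', quoted values and backslash escapes.
 * URI-style strings (postgresql://...) are not handled. Caller frees. */
char *mask_conninfo_password(const char *conninfo)
{
    size_t n = strlen(conninfo);
    char *out = malloc(n + 1);
    if (!out) return NULL;
    memcpy(out, conninfo, n + 1);

    char *p = out;
    while (*p) {
        while (isspace((unsigned char)*p)) p++;
        char *key = p;
        while (*p && *p != '=' && !isspace((unsigned char)*p)) p++;
        size_t keylen = (size_t)(p - key);
        while (isspace((unsigned char)*p)) p++;
        if (*p != '=') continue;            /* keyword without a value */
        p++;
        while (isspace((unsigned char)*p)) p++;

        int secret = keylen == 8 && strncmp(key, "password", 8) == 0;
        int quoted = (*p == '\'');
        if (quoted) p++;
        /* Walk the value; a backslash escapes the next character. */
        while (*p && (quoted ? *p != '\'' : !isspace((unsigned char)*p))) {
            if (*p == '\\' && p[1]) { if (secret) *p = '*'; p++; }
            if (secret) *p = '*';
            p++;
        }
        if (quoted && *p == '\'') p++;
    }
    return out;
}

int main(void)
{
    /* Constructed sample, not taken from the advisory or upstream issues. */
    char *m = mask_conninfo_password("host=db.example user=gis password='p w\\'d' dbname=maps");
    if (!m) return 1;
    printf("connection failed for: %s\n", m);
    free(m);
    return 0;
}
```

Masking only narrows what an error message reveals; host, user and database name still appear, so verbose connection errors are best kept in server-side logs rather than in responses.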

