diff -Nru mapserver-6.0.1/debian/changelog mapserver-6.0.1/debian/changelog
--- mapserver-6.0.1/debian/changelog 2012-01-21 05:21:25.000000000 +0100
+++ mapserver-6.0.1/debian/changelog 2014-01-12 21:08:31.000000000 +0100
@@ -1,3 +1,10 @@
+mapserver (6.0.1-2ubuntu2) precise; urgency=low
+
+ * Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the
+ msPostGISLayerSetTimeFilter function in mappostgis.c.
+
+ -- Johan Van de Wauw Sun, 12 Jan 2014 21:07:15 +0100
+
 mapserver (6.0.1-2ubuntu1) precise; urgency=low
 * fix-jpeg-gd-detection.patch: Rework configure detection of jpeg and gd
diff -Nru mapserver-6.0.1/debian/patches/cve-2013-7262.patch mapserver-6.0.1/debian/patches/cve-2013-7262.patch
--- mapserver-6.0.1/debian/patches/cve-2013-7262.patch 1970-01-01 01:00:00.000000000 +0100
+++ mapserver-6.0.1/debian/patches/cve-2013-7262.patch 2014-01-12 21:06:24.000000000 +0100
@@ -0,0 +1,20 @@
+Description: Fix potential SQL Injection with postgis TIME filters.
+Origin: https://github.com/mapserver/mapserver/commit/3f0ee57b12d482e0ff5611d05afd32408949f7f9
+Author: Even Rouault
+Bug: https://github.com/mapserver/mapserver/issues/4834
+Bug-Debian: http://bugs.debian.org/734565
+Last-Update: 2013-01-08
+--- a/mappostgis.c
++++ b/mappostgis.c
+@@ -2961,6 +2961,11 @@ int msPostGISLayerSetTimeFilter(layerObj
+ if (!lp || !timestring || !timefield)
+ return MS_FALSE;
+
++ if( strchr(timestring,'\'') || strchr(timestring, '\\') ) {
++ msSetError(MS_MISCERR, "Invalid time filter.", "msPostGISLayerSetTimeFilter()");
++ return MS_FALSE;
++ }
++
+ if (strstr(timestring, ",") == NULL &&
+ strstr(timestring, "/") == NULL) /* discrete time */
+ tmpstimestring = msStrdup(timestring);
diff -Nru mapserver-6.0.1/debian/patches/series mapserver-6.0.1/debian/patches/series
--- mapserver-6.0.1/debian/patches/series 2012-01-21 05:17:10.000000000 +0100
+++ mapserver-6.0.1/debian/patches/series 2014-01-12 21:06:44.000000000 +0100
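Review bot: The guard added to msPostGISLayerSetTimeFilter in cve-2013-7262.patch is a two-character deny-list (`'` and `\`), which is sufficient only if every later use of timestring lands inside a single-quoted SQL literal; the function body continues outside the hunk, so that should be confirmed against the full source. A check that fails closed would validate against the characters a time value can legitimately contain, for example `if (timestring[strspn(timestring, "0123456789-:.TZ ,/")] != '\0')` with the set adjusted to the time formats MapServer actually accepts, or would escape the value where the literal is built. timefield is presumably interpolated into the same query and is not checked here; if it can only come from the mapfile, a comment such as `/* timestring is used to build the SQL time filter below; timefield is mapfile-controlled and trusted */` would record that assumption. Separately, the DEP-3 header `Last-Update: 2013-01-08` looks like a typo for 2014, given the 2014-01-12 changelog entry.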
@@ -1 +1,2 @@
 fix-jpeg-gd-detection.patch
+cve-2013-7262.patch