Fix CVE-2016-9839 & CVE-2017-5522

Bug #1648998 reported by Johan Van de Wauw
Affects | Status | Importance | Assigned to | Milestone
mapserver (Ubuntu) | Fix Released | Medium | Unassigned |
Precise | Fix Released | Undecided | Unassigned |
Trusty | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Yakkety | Fix Released | Undecided | Unassigned |
Zesty | Fix Released | Medium | Unassigned |

Bug Description

In MapServer before 7.0.3, OGR driver error messages are too verbose and may leak sensitive information if data connection fails.

https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9839.html

Packages for Debian have been updated - we should apply the same in Ubuntu.

Emily Ratliff (emilyr) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in mapserver (Ubuntu):
status: New → Incomplete
information type: Private Security → Public Security
Bas Couwenberg (sebastic) wrote : Re: WMS exception may expose PostGIS connection details for users

In the meantime MapServer 7.0.4 has been released fixing CVE-2017-5522.

The packages in Debian have been updated to include the fix, as have the packages in the UbuntuGIS PPA.

I've also prepared updates for Ubuntu fixing both CVE-2016-9839 & CVE-2017-5522:

 https://anonscm.debian.org/cgit/pkg-grass/mapserver.git/log/?h=ubuntu-precise
 https://anonscm.debian.org/cgit/pkg-grass/mapserver.git/log/?h=ubuntu-trusty
 https://anonscm.debian.org/cgit/pkg-grass/mapserver.git/log/?h=ubuntu-vivid
 https://anonscm.debian.org/cgit/pkg-grass/mapserver.git/log/?h=ubuntu-xenial
 https://anonscm.debian.org/cgit/pkg-grass/mapserver.git/log/?h=ubuntu-yakkety

Changed in mapserver (Ubuntu):
status: Incomplete → New
summary: - WMS exception may expose PostGIS connection details for users
+ Fix CVE-2016-9839 & CVE-2017-5522
Mathew Hodson (mhodson)
Changed in mapserver (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Marc Deslauriers (mdeslaur) wrote :

ACK on the trees in comment #2. I've uploaded packages for building with a couple of small changes:

- LP tag in changelog needs a "#" for it to be automatically picked up, as in LP: #1234
- CVE-2016-9839 patch was a bit broken on xenial and yakkety, which I've fixed; it was adding the following to the build log:

/<<PKGBUILDDIR>>/mapogr.cpp: In function ‘int msOGRFileWhichShapes(layerObj*, rectObj, msOGRFileInfo*)’:
/<<PKGBUILDDIR>>/mapogr.cpp:1671:74: warning: too many arguments for format [-Wformat-extra-args]
                  layer->filter.string+6, layer->name?layer->name:"(null)");
                                                                          ^

Once packages are built, I will release them as security updates. Thanks! :)

Changed in mapserver (Ubuntu Zesty):
status: Triaged → Fix Released
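
The pattern behind this class of fix, as an added C example that is not MapServer's code or the patch discussed in this thread: connection detail goes to a server-side log with the password redacted, while the client-facing message names only the layer. The function names, buffers and sample connection string are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for a map server's two error channels (not MapServer's API). */
static char client_msg[256]; /* returned to the requester, e.g. in a WMS exception */
static char debug_log[512];  /* written to the server-side log only */

/* Copy conn into out, replacing the value of the first unquoted "password="
 * key with "***". Quoted values are not handled. */
static void redact_password(const char *conn, char *out, size_t n)
{
    static const char key[] = "password=";
    const char *p = strstr(conn, key);
    if (!p) { snprintf(out, n, "%s", conn); return; }
    const char *val = p + strlen(key);
    const char *end = val + strcspn(val, " ");
    snprintf(out, n, "%.*s***%s", (int)(val - conn), conn, end);
}

/* Report a failed data-source open: detail goes to the log, the client
 * message names only the layer. Always returns -1. */
int report_open_failure(const char *layer, const char *conn, const char *drv_err)
{
    char safe[256];
    const char *name = layer ? layer : "(null)";
    redact_password(conn ? conn : "(null)", safe, sizeof safe);

    /* Three conversions, three arguments. */
    snprintf(debug_log, sizeof debug_log, "open failed: layer '%s', connection '%s': %s",
             name, safe, drv_err ? drv_err : "(no driver message)");

    /* One conversion, one argument: when detail is cut from a format string the
     * matching argument must go too, or GCC warns with -Wformat-extra-args. */
    snprintf(client_msg, sizeof client_msg,
             "Open failed for layer '%s'. See server log.", name);
    return -1;
}

const char *last_client_message(void) { return client_msg; }
const char *last_debug_message(void) { return debug_log; }

int main(void)
{
    /* Constructed sample values. */
    report_open_failure("parcels",
        "PG:host=db.example.internal user=gis password=EXAMPLE dbname=maps",
        "could not connect to server");
    printf("client: %s\nlog:    %s\n", last_client_message(), last_debug_message());
    return 0;
}
```
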
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mapserver - 7.0.1-3ubuntu0.1

---------------
mapserver (7.0.1-3ubuntu0.1) yakkety-security; urgency=medium

  * Add upstream patches to fix CVE-2016-9839 & CVE-2017-5522.
    (LP: #1648998)

 -- Bas Couwenberg <email address hidden> Wed, 18 Jan 2017 23:41:26 +0100

Changed in mapserver (Ubuntu Yakkety):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mapserver - 6.4.1-2ubuntu0.1

---------------
mapserver (6.4.1-2ubuntu0.1) trusty-security; urgency=medium

  * Non-maintainer upload.
  * Add upstream patches to fix CVE-2016-9839 & CVE-2017-5522.
    (LP: #1648998)

 -- Bas Couwenberg <email address hidden> Wed, 18 Jan 2017 23:18:47 +0100

Changed in mapserver (Ubuntu Trusty):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mapserver - 7.0.0-9ubuntu3.1

---------------
mapserver (7.0.0-9ubuntu3.1) xenial-security; urgency=medium

  * Add upstream patches to fix CVE-2016-9839 & CVE-2017-5522.
    (LP: #1648998)

 -- Bas Couwenberg <email address hidden> Wed, 18 Jan 2017 23:38:33 +0100

Changed in mapserver (Ubuntu Xenial):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mapserver - 6.0.1-2ubuntu1.2

---------------
mapserver (6.0.1-2ubuntu1.2) precise-security; urgency=medium

  * Non-maintainer upload.
  * Add upstream patches to fix CVE-2016-9839 & CVE-2017-5522.
    (LP: #1648998)

 -- Bas Couwenberg <email address hidden> Wed, 18 Jan 2017 23:18:10 +0100

Changed in mapserver (Ubuntu Precise):
status: New → Fix Released