On 2021-05-31 05:38:15 +0200, Sebastiaan Couwenberg wrote:
> On 5/30/21 9:12 PM, Salvatore Bonaccorso wrote:
> > Sebastiaan, Sebastian,
> >
> > On Tue, May 25, 2021 at 09:57:28AM +0200, Sebastiaan Couwenberg wrote:
> >> Control: tags -1 - moreinfo
> >>
> >> On 5/25/21 9:45 AM, Sebastian Ramacher wrote:
> >>> On 2021-05-08 22:17:42 +0200, Sebastiaan Couwenberg wrote:
> >>>> On 5/8/21 9:18 PM, Sebastian Ramacher wrote:
> >>>>> On 2021-05-08 07:29:01 +0200, Bas Couwenberg wrote:
> >>>>>> Package: release.debian.org
> >>>>>> Severity: normal
> >>>>>> User: release.debian....@packages.debian.org
> >>>>>> Usertags: unblock
> >>>>>>
> >>>>>> Please unblock package mapserver to fix CVE-2021-32062 as reported in
> >>>>>> #988208.
> >>>>>>
> >>>>>> [ Reason ]
> >>>>>> Fix security issue.
> >>>>>>
> >>>>>> [ Impact ]
> >>>>>> Unfixed security issue.
> >>>>>>
> >>>>>> [ Tests ]
> >>>>>> Upstream CI.
> >>>>>>
> >>>>>> [ Risks ]
> >>>>>> Low, leaf package.
> >>>>>>
> >>>>>> [ Checklist ]
> >>>>>> [x] all changes are documented in the d/changelog
> >>>>>> [x] I reviewed all changes and I approve them
> >>>>>> [x] attach debdiff against the package in testing
> >>>>>>
> >>>>>> [ Other info ]
> >>>>>> 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is
> >>>>>> required as a dependency of
> >>>>>> 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch.
> >>>>>>
> >>>>>> unblock mapserver/7.6.2-2
> >>>>>
> >>>>>> diff -Nru mapserver-7.6.2/debian/changelog
> >>>>>> mapserver-7.6.2/debian/changelog
> >>>>>> --- mapserver-7.6.2/debian/changelog 2020-12-09 06:01:02.000000000
> >>>>>> +0100
> >>>>>> +++ mapserver-7.6.2/debian/changelog 2021-05-08 07:12:18.000000000
> >>>>>> +0200
> >>>>>> @@ -1,3 +1,12 @@
> >>>>>> +mapserver (7.6.2-2) unstable; urgency=high
> >>>>>> +
> >>>>>> + * Drop unused lintian overrides.
> >>>>>> + * Add upstream patches to fix CVE-2021-32062.
> >>>>>> + (closes: #988208)
> >>>>>> + * Update symbols file.
> >>>>>> +
> >>>>>> + -- Bas Couwenberg <sebas...@debian.org> Sat, 08 May 2021 07:12:18
> >>>>>> +0200
> >>>>>> +
> >>>>>> mapserver (7.6.2-1) unstable; urgency=medium
> >>>>>>
> >>>>>> * Update symbols for other architectures.
> >>>>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.lintian-overrides
> >>>>>> mapserver-7.6.2/debian/libmapserver2.lintian-overrides
> >>>>>> --- mapserver-7.6.2/debian/libmapserver2.lintian-overrides
> >>>>>> 2020-08-06 05:34:57.000000000 +0200
> >>>>>> +++ mapserver-7.6.2/debian/libmapserver2.lintian-overrides
> >>>>>> 1970-01-01 01:00:00.000000000 +0100
> >>>>>> @@ -1,3 +0,0 @@
> >>>>>> -# Cannot easily be fixed
> >>>>>> -file-references-package-build-path *
> >>>>>> -
> >>>>>> diff -Nru mapserver-7.6.2/debian/libmapserver2.symbols
> >>>>>> mapserver-7.6.2/debian/libmapserver2.symbols
> >>>>>> --- mapserver-7.6.2/debian/libmapserver2.symbols 2020-12-09
> >>>>>> 06:00:39.000000000 +0100
> >>>>>> +++ mapserver-7.6.2/debian/libmapserver2.symbols 2021-05-08
> >>>>>> 07:11:08.000000000 +0200
> >>>>>> @@ -945,6 +945,7 @@
> >>>>>> msCSVJoinPrepare@Base 6.2.1
> >>>>>> msCairoCleanup@Base 6.2.1
> >>>>>> msCalculateScale@Base 6.2.1
> >>>>>> + msCaseEvalRegex@Base 7.6.2
> >>>>>> msCaseReplaceSubstring@Base 6.2.1
> >>>>>> msCheckLabelMinDistance@Base 7.0.0
> >>>>>> msCheckParentPointer@Base 6.2.1
> >>>>>> @@ -1418,6 +1419,7 @@
> >>>>>> msIsGlyphASpace@Base 7.2.0
> >>>>>> msIsLayerQueryable@Base 6.2.1
> >>>>>> msIsOuterRing@Base 6.2.1
> >>>>>> + msIsValidRegex@Base 7.6.2
> >>>>>
> >>>>> This version is not high enough. The symbols need to be marked as
> >>>>> requiring 7.6.2-2~
> >>>>
> >>>> There are no rdeps of mapserver in Debian, so no users of the symbols
> >>>> file.
> >>>
> >>> It's technically wrong. If you introduce symbols with a patch, the
> >>> symbols need to be properly versioned. After all, there is a user of the
> >>> symbols file and that is mapserver itself. If you have to introduce
> >>> calls to those two symbols outside of libmapserver in the next patch,
> >>> the dependency on libmapserver is wrong.
> >>
> >> libmapserver-dev already depends on libmapserver2 with (=
> >> ${binary:Version}).
> >>
> >> None of the other binary packages require symbols introduced after 7.0.5.
> >>
> >> All the code using msCaseEvalRegex & msIsValidRegex is within
> >> libmapserver itself.
> >>
> >> While strictly speaking the version in the symbols file should include
> >> the revision, it's not required in this case because nothing outside
> >> libmapserver uses it.
> >>
> >>>>> Please remove the moreinfo tag once that fixed version is available in
> >>>>> unstable.
> >>>>
> >>>> mapserver (7.6.2-2) has been uploaded to unstable without further
> >>>> changes to the symbols file.
> >>>
> >>> Again, please remove the moreinfo tag only once a fixed version is
> >>> available in unstable.
> >>
> >> There is no need for further changes in unstable.
> >
> > Sebastian (the release team member), is there anything from the above
> > which you still want the maintainer to address? Sebastiaan, my
> > understanding is that Sebastian would like to see the above changes done
> > for mapserver to be unblocked.
>
> That's my understanding too, but the additional information provided
> should make clear that those changes are not required.
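Review bot: in the two libmapserver2.symbols hunks, the symbols added by the Debian patches, `+ msCaseEvalRegex@Base 7.6.2` and `+ msIsValidRegex@Base 7.6.2`, carry the bare upstream version, yet they first exist in the Debian revision 7.6.2-2; dpkg-gensymbols derives the shlibs dependency from these minimal versions, so any binary using them would get `libmapserver2 (>= 7.6.2)`, which 7.6.2-1 satisfies despite lacking the symbols. Mark both as `7.6.2-2~` so the generated dependency requires the revision that actually provides them; the changelog and lintian-overrides hunks need no change.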
I think I said it twice (from #988224#24):

> > > Please remove the moreinfo tag once that fixed version is available in
> > > unstable.
> >
> > mapserver (7.6.2-2) has been uploaded to unstable without further
> > changes to the symbols file.
>
> Again, please remove the moreinfo tag only once a fixed version is
> available in unstable.

I want these symbols fixed.

Cheers
-- 
Sebastian Ramacher