Bug 15363

Summary: mapserver new security issue CVE-2013-7262
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/635990/
Whiteboard: has_procedure advisory mga4-32-ok mga4-64-ok
Source RPM: mapserver-6.2.1-10.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-02-25 20:06:23 CET 
Fedora has an update on QA right now for mapserver:
https://admin.fedoraproject.org/updates/FEDORA-2014-17567

They are updating to 6.2.2, which fixes CVE-2013-7262:
http://www.mapserver.org/development/changelog/changelog-6-2-2.html

The issue was also fixed in 6.4.1, which we have in Cauldron.

Updated package uploaded for Mageia 4.

Maybe Stormi's testing notes from an update a long time ago will help:
https://bugs.mageia.org/show_bug.cgi?id=7061#c3

Advisory:
========================

Updated mapserver packages fix security vulnerability:

SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in
mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used,
allows remote attackers to execute arbitrary SQL commands via a crafted
string in a PostGIS TIME filter (CVE-2013-7262).

The mapserver package has been updated to version 6.2.2, which fixes this
issue and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7262
http://www.mapserver.org/development/changelog/changelog-6-2-2.html
https://bugzilla.redhat.com/show_bug.cgi?id=1048688
========================

Updated packages in core/updates_testing:
========================
mapserver-6.2.2-1.mga4
mapserver-php-6.2.2-1.mga4
mapserver-perl-6.2.2-1.mga4
mapserver-python-6.2.2-1.mga4

from mapserver-6.2.2-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 claire robinson 2015-03-05 15:11:59 CET 
This doesn't seem to work with either current or update candidate.

When visited at http://localhost/cgi-bin/mapserv? it gives a server error..

Error message:
End of script output before headers: mapserv

Apache error_log shows..

[cgi:error] [pid 1748] [client 127.0.0.1:36707] AH01215: /var/www/cgi-bin/mapserv: error: `/var/www/cgi-bin/.libs/mapserv' does not exist
[cgi:error] [pid 1748] [client 127.0.0.1:36707] AH01215: This script is just a wrapper for mapserv.
[cgi:error] [pid 1748] [client 127.0.0.1:36707] AH01215: See the libtool documentation for more information.
[cgi:error] [pid 1748] [client 127.0.0.1:36707] End of script output before headers: mapserv


The /var/www/cgi-bin/.libs directory is not there. cgi-bin/mapserv is a bash script.
Comment 2 claire robinson 2015-03-05 15:15:28 CET 
#! /bin/sh

# mapserv - temporary wrapper script for .libs/mapserv
# Generated by libtool (GNU libtool) 2.4.2
#
# The mapserv program cannot be directly executed until all the libtool
# libraries that it depends on are installed.
#
# This wrapper script should never be moved out of the build directory.
# If it is, it will not operate correctly.


is it possible the wrong file has been used here?
Comment 3 claire robinson 2015-03-05 15:20:10 CET 
# cd /var/www/cgi-bin/

# ./mapserv 
./mapserv: error: `/var/www/cgi-bin/.libs/mapserv' does not exist
This script is just a wrapper for mapserv.
See the libtool documentation for more information.


Docs from here http://mapserver.org/installation/unix.html#unix

A simple test is to try and run it:

$ ./mapserv
This script can only be used to decode form results and
should be initiated as a CGI process via a httpd server.
claire robinson 2015-03-05 15:20:24 CET

Whiteboard: (none) => feedback

Comment 4 David Walser 2015-03-05 18:13:15 CET 
Indeed, quite bogus.  All of those things that are in /var/www/cgi-bin are supposed to the binaries in /usr/bin, but looking at the Makefile, it looks like the only one that's actually needed in cgi-bin is mapserv itself.  It appears that this was broken in the update to 6.0.1 on 2011-09-16 :D.

I just pushed mapserver-6.2.2-1.1.mga4 which should fix this.

Whiteboard: feedback => (none)

claire robinson 2015-03-05 22:28:20 CET

Whiteboard: (none) => has_procedure

Comment 5 claire robinson 2015-03-06 14:24:02 CET 
Now getting..

Symbolic link not allowed or link target not accessible: /var/www/cgi-bin/mapserv

It's a dangling link. It's missing some ..'s.

# ll /var/www/cgi-bin/
total 2280
lrwxrwxrwx 1 root root      22 Mar  6 13:09 mapserv -> ../..//usr/bin/mapserv

# which mapserv
/usr/bin/mapserv

# cd /var/www/cgi-bin/
# rm mapserv
rm: remove symbolic link âmapservâ? y
# ln -s ../../../usr/bin/mapserv mapserv
# ll
total 2280
lrwxrwxrwx 1 root root      24 Mar  6 13:15 mapserv -> ../../../usr/bin/mapserv*

Even then though, after restarting httpd, it's still giving 403 forbidden.
Symbolic link not allowed or link target not accessible: /var/www/cgi-bin/mapserv

# rm mapserv 
rm: remove symbolic link âmapservâ? y
# cp /usr/bin/mapserv .
# systemctl restart httpd.service

Then it works. Browsing to http://localhost/cgi-bin/mapserv shows..
"No query information to decode. QUERY_STRING is set, but empty. "

So links are not followed.

Whiteboard: has_procedure => has_procedure feedback

Comment 6 David Walser 2015-03-06 14:29:26 CET 
Thanks Claire.  I changed it to copy the executable instead of symlinking it.

mapserver-6.2.2-1.2.mga4

Note that you won't be able to upgrade to it from 1.1.mga4 if the symlink is in place, but upgrading from the previous versions will work fine.

Whiteboard: has_procedure feedback => has_procedure

Comment 7 Thomas Backlund 2015-03-06 14:32:47 CET 
Actually symlinking should ve ok, but you due to apache lockdown, you need something like:

<Directory /path/to/dir>
    Options +FollowSymLinks
    Require all granted
</Directory>

CC: (none) => tmb

Comment 8 claire robinson 2015-03-06 14:35:24 CET 
That may be not a good idea with cgi-bin though Thomas
Comment 9 David Walser 2015-03-06 14:38:14 CET 
It had also slipped my mind that changing it to a symlink from a regular file (in the core/release version) would have caused errors on upgrading, so it's actually fortunate that it didn't work :o)
Comment 10 claire robinson 2015-03-06 14:40:36 CET 
It didn't appear to cause any error. I'll retest the new one when it lands anyway.
Comment 11 claire robinson 2015-03-06 15:07:31 CET 
Testing complete mga4 64

Followed https://bugs.mageia.org/show_bug.cgi?id=7061#c3

Whiteboard: has_procedure => has_procedure mga4-64-ok

Comment 12 claire robinson 2015-03-06 15:19:29 CET 
Testing complete mga4 32

Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok

Comment 13 claire robinson 2015-03-06 17:46:05 CET 
Validating. Advisory uploaded from comment 0 with srpm from comment 6

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 14 Mageia Robot 2015-03-06 19:09:39 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0097.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-03-09 22:19:59 CET

URL: (none) => http://lwn.net/Vulnerabilities/635990/