Fedora has an update on QA right now for mapserver: https://admin.fedoraproject.org/updates/FEDORA-2014-17567 They are updating to 6.2.2, which fixes CVE-2013-7262: http://www.mapserver.org/development/changelog/changelog-6-2-2.html The issue was also fixed in 6.4.1, which we have in Cauldron. Updated package uploaded for Mageia 4. Maybe Stormi's testing notes from an update a long time ago will help: https://bugs.mageia.org/show_bug.cgi?id=7061#c3 Advisory: ======================== Updated mapserver packages fix security vulnerability: SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used, allows remote attackers to execute arbitrary SQL commands via a crafted string in a PostGIS TIME filter (CVE-2013-7262). The mapserver package has been updated to version 6.2.2, which fixes this issue and several other bugs. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7262 http://www.mapserver.org/development/changelog/changelog-6-2-2.html https://bugzilla.redhat.com/show_bug.cgi?id=1048688 ======================== Updated packages in core/updates_testing: ======================== mapserver-6.2.2-1.mga4 mapserver-php-6.2.2-1.mga4 mapserver-perl-6.2.2-1.mga4 mapserver-python-6.2.2-1.mga4 from mapserver-6.2.2-1.mga4.src.rpm Reproducible: Steps to Reproduce:
This doesn't seem to work with either current or update candidate. When visited at http://localhost/cgi-bin/mapserv? it gives a server error.. Error message: End of script output before headers: mapserv Apache error_log shows.. [cgi:error] [pid 1748] [client 127.0.0.1:36707] AH01215: /var/www/cgi-bin/mapserv: error: `/var/www/cgi-bin/.libs/mapserv' does not exist [cgi:error] [pid 1748] [client 127.0.0.1:36707] AH01215: This script is just a wrapper for mapserv. [cgi:error] [pid 1748] [client 127.0.0.1:36707] AH01215: See the libtool documentation for more information. [cgi:error] [pid 1748] [client 127.0.0.1:36707] End of script output before headers: mapserv The /var/www/cgi-bin/.libs directory is not there. cgi-bin/mapserv is a bash script.
#! /bin/sh # mapserv - temporary wrapper script for .libs/mapserv # Generated by libtool (GNU libtool) 2.4.2 # # The mapserv program cannot be directly executed until all the libtool # libraries that it depends on are installed. # # This wrapper script should never be moved out of the build directory. # If it is, it will not operate correctly. is it possible the wrong file has been used here?
# cd /var/www/cgi-bin/ # ./mapserv ./mapserv: error: `/var/www/cgi-bin/.libs/mapserv' does not exist This script is just a wrapper for mapserv. See the libtool documentation for more information. Docs from here http://mapserver.org/installation/unix.html#unix A simple test is to try and run it: $ ./mapserv This script can only be used to decode form results and should be initiated as a CGI process via a httpd server.
Whiteboard: (none) => feedback
Indeed, quite bogus. All of those things that are in /var/www/cgi-bin are supposed to the binaries in /usr/bin, but looking at the Makefile, it looks like the only one that's actually needed in cgi-bin is mapserv itself. It appears that this was broken in the update to 6.0.1 on 2011-09-16 :D. I just pushed mapserver-6.2.2-1.1.mga4 which should fix this.
Whiteboard: feedback => (none)
Whiteboard: (none) => has_procedure
Now getting.. Symbolic link not allowed or link target not accessible: /var/www/cgi-bin/mapserv It's a dangling link. It's missing some ..'s. # ll /var/www/cgi-bin/ total 2280 lrwxrwxrwx 1 root root 22 Mar 6 13:09 mapserv -> ../..//usr/bin/mapserv # which mapserv /usr/bin/mapserv # cd /var/www/cgi-bin/ # rm mapserv rm: remove symbolic link âmapservâ? y # ln -s ../../../usr/bin/mapserv mapserv # ll total 2280 lrwxrwxrwx 1 root root 24 Mar 6 13:15 mapserv -> ../../../usr/bin/mapserv* Even then though, after restarting httpd, it's still giving 403 forbidden. Symbolic link not allowed or link target not accessible: /var/www/cgi-bin/mapserv # rm mapserv rm: remove symbolic link âmapservâ? y # cp /usr/bin/mapserv . # systemctl restart httpd.service Then it works. Browsing to http://localhost/cgi-bin/mapserv shows.. "No query information to decode. QUERY_STRING is set, but empty. " So links are not followed.
Whiteboard: has_procedure => has_procedure feedback
Thanks Claire. I changed it to copy the executable instead of symlinking it. mapserver-6.2.2-1.2.mga4 Note that you won't be able to upgrade to it from 1.1.mga4 if the symlink is in place, but upgrading from the previous versions will work fine.
Whiteboard: has_procedure feedback => has_procedure
Actually symlinking should ve ok, but you due to apache lockdown, you need something like: <Directory /path/to/dir> Options +FollowSymLinks Require all granted </Directory>
CC: (none) => tmb
That may be not a good idea with cgi-bin though Thomas
It had also slipped my mind that changing it to a symlink from a regular file (in the core/release version) would have caused errors on upgrading, so it's actually fortunate that it didn't work :o)
It didn't appear to cause any error. I'll retest the new one when it lands anyway.
Testing complete mga4 64 Followed https://bugs.mageia.org/show_bug.cgi?id=7061#c3
Whiteboard: has_procedure => has_procedure mga4-64-ok
Testing complete mga4 32
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok
Validating. Advisory uploaded from comment 0 with srpm from comment 6 Please push to 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0097.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/635990/