Database crash with invalid GeoJSON input

Bug #1438875 reported by Johan Van de Wauw
Affects             Status         Importance   Assigned to   Milestone
postgis (Debian)    Fix Released   Unknown
postgis (Ubuntu)    Fix Released   Medium       Unassigned
  Trusty            Fix Released   Undecided    Unassigned
  Utopic            Fix Released   Undecided    Unassigned
  Vivid             Fix Released   Medium       Unassigned

Bug Description

As reported upstream:
http://trac.osgeo.org/postgis/ticket/3094

Malformed GeoJSON data can kill the database process. This functionality exists in trusty, utopic and vivid.

A fix has been prepared in Debian unstable; an unblock request for jessie has been filed:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781579

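The report above concerns malformed GeoJSON reaching the PostGIS GeoJSON input function (ST_GeomFromGeoJSON in the 2.1 series) and taking the backend process down with it. Until the updated package is installed, an application can refuse such input before it is ever sent to the database. The pre-validator below is an added example written for this page; it is not code from PostGIS, from the reporter or from the Ubuntu security team, and it does not reproduce the upstream patch. It accepts only a structurally well-formed GeoJSON geometry (a known type, a coordinates array of the right nesting depth holding finite numeric positions, closed rings for polygons, bounded GeometryCollection nesting) and returns False for everything else without raising. The size limit, the nesting limit and the sample inputs are assumptions for this example, not values taken from the bug.

```python
import json
import math

# Maximum nesting of GeometryCollection objects we are willing to walk.
# Assumed limit for this example, not a PostGIS or GeoJSON constant.
MAX_NESTING = 16

# Per geometry type: required nesting depth of "coordinates", minimum number
# of positions in each innermost list, and whether those lists are rings
# that must be closed (first position == last position).
_RULES = {
    "Point":           (1, 0, False),
    "MultiPoint":      (2, 1, False),
    "LineString":      (2, 2, False),
    "MultiLineString": (3, 2, False),
    "Polygon":         (3, 4, True),
    "MultiPolygon":    (4, 4, True),
}


def _is_number(x):
    # bool is a subclass of int in Python; a coordinate of `true` is not a number.
    return isinstance(x, (int, float)) and not isinstance(x, bool)


def _is_position(p):
    # A position is a list of 2 to 4 finite numbers: lon, lat[, alt[, m]].
    # json.loads() happily produces NaN and Infinity, so check finiteness.
    return (isinstance(p, list) and 2 <= len(p) <= 4
            and all(_is_number(c) and math.isfinite(c) for c in p))


def _check_coords(value, depth, min_len, ring):
    if depth == 1:
        return _is_position(value)
    if not isinstance(value, list) or not value:
        return False
    if depth == 2:
        # `value` is a list of positions: enforce length and ring closure here.
        if len(value) < min_len or (ring and value[0] != value[-1]):
            return False
    return all(_check_coords(v, depth - 1, min_len, ring) for v in value)


def _check_geometry(obj, nesting=0):
    if nesting > MAX_NESTING or not isinstance(obj, dict):
        return False
    gtype = obj.get("type")
    if gtype == "GeometryCollection":
        geoms = obj.get("geometries")
        return isinstance(geoms, list) and all(
            _check_geometry(g, nesting + 1) for g in geoms)
    rule = _RULES.get(gtype)
    if rule is None or "coordinates" not in obj:
        return False
    return _check_coords(obj["coordinates"], *rule)


def validate_geojson_geometry(text, max_chars=1_000_000):
    """Return True only for a structurally well-formed GeoJSON geometry.

    Anything else (not a string, too large, invalid JSON, unknown type,
    missing or malformed coordinates) yields False; the function never raises,
    so a caller can gate database access on its result. The size limit is an
    assumed default for this example.
    """
    if not isinstance(text, str) or len(text) > max_chars:
        return False
    try:
        obj = json.loads(text)
    except (ValueError, RecursionError):
        # ValueError covers JSONDecodeError; RecursionError is what the
        # stdlib parser raises on absurdly deep nesting.
        return False
    return _check_geometry(obj)


# Constructed sample inputs for this example, not payloads from the bug report.
SAMPLES = [
    '{"type":"Point","coordinates":[4.35,50.85]}',                    # ok
    '{"type":"Polygon","coordinates":[[[0,0],[1,0],[1,1],[0,0]]]}',   # ok
    '{"type":"Point"}',                                               # no coordinates
    '{"type":"Point","coordinates":["a","b"]}',                       # non-numeric
    '{"type":"Polygon","coordinates":[[[0,0],[1,0],[1,1],[0,1]]]}',   # ring not closed
    '{"type":"Sphere","coordinates":[0,0]}',                          # unknown type
    '{"type":"Point","coordinates":[NaN,0]}',                         # non-finite
    '[1,2]',                                                          # not an object
    '{"type":',                                                       # truncated JSON
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("accept" if validate_geojson_geometry(s) else "reject", s)
```

Only input that validates should be handed to the database. This is defence in depth for the application tier and not a replacement for installing the fixed package: the backend still parses whatever reaches it from any other client.
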
Tags: patch
Changed in postgis (Debian):
status: Unknown → Confirmed
Steve Beattie (sbeattie)
Changed in postgis (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
information type: Private Security → Public Security
Steve Beattie (sbeattie) wrote:

Since the debian bug and the upstream bug report are public, there's no point in keeping this bug report private, so I've made it public as well. Has a CVE been assigned for this issue?

Johan Van de Wauw (johanvdw) wrote:

I don't think there is a CVE number. I asked in the upstream bugtracker to be sure.

Johan Van de Wauw (johanvdw) wrote:

Ubuntu Foundations Team Bug Bot (crichton) wrote:

The attachment "vivid debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Johan Van de Wauw (johanvdw) wrote:
Changed in postgis (Debian):
status: Confirmed → Fix Released
Marc Deslauriers (mdeslaur) wrote:

ACK on the debdiffs. I've uploaded them for building with a slight modification to the changelog to make it more consistent with our other security updates.

Security updates will be released once they've built.

Thanks!

Changed in postgis (Ubuntu Trusty):
status: New → Fix Committed
Changed in postgis (Ubuntu Utopic):
status: New → Fix Committed
Changed in postgis (Ubuntu Vivid):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package postgis - 2.1.5+dfsg-1~exp2ubuntu1

---------------
postgis (2.1.5+dfsg-1~exp2ubuntu1) vivid; urgency=high

  * SECURITY UPDATE: crash of the database backend process when given
    invalid GeoJSON data (LP: #1438875)
    - debian/patches/geojson-fix-3094.patch: back-ported from the 2.1.7
      release, taken from debian patch by Markus Wanner.
    - No CVE number
 -- Johan Van de Wauw <email address hidden> Wed, 01 Apr 2015 19:53:13 +0200

Changed in postgis (Ubuntu Vivid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package postgis - 2.1.3+dfsg-4ubuntu0.1

---------------
postgis (2.1.3+dfsg-4ubuntu0.1) utopic-security; urgency=high

  * SECURITY UPDATE: crash of the database backend process when given
    invalid GeoJSON data (LP: #1438875)
    - debian/patches/geojson-fix-3094.patch: back-ported from the 2.1.7
      release, taken from debian patch by Markus Wanner.
    - No CVE number
 -- Johan Van de Wauw <email address hidden> Wed, 01 Apr 2015 19:53:13 +0200

Changed in postgis (Ubuntu Utopic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package postgis - 2.1.2+dfsg-2ubuntu0.1

---------------
postgis (2.1.2+dfsg-2ubuntu0.1) trusty-security; urgency=high

  * SECURITY UPDATE: crash of the database backend process when given
    invalid GeoJSON data (LP: #1438875)
    - debian/patches/geojson-fix-3094.patch: back-ported from the 2.1.7
      release, taken from debian patch by Markus Wanner.
    - No CVE number
 -- Johan Van de Wauw <email address hidden> Wed, 01 Apr 2015 21:29:10 +0200

Changed in postgis (Ubuntu Trusty):
status: Fix Committed → Fix Released
This report contains Public Security information: everyone can see this security related information.