Possible SQL Injections with postgis TIME filters

Bug #1267616 reported by Johan Van de Wauw
Affects              Status        Importance  Assigned to  Milestone
mapserver (Ubuntu)   Fix Released  Undecided   Unassigned
Precise              Fix Released  Medium      Unassigned
Quantal              Fix Released  Medium      Unassigned
Raring               Fix Released  Medium      Unassigned
Saucy                Fix Released  Medium      Unassigned
Trusty               Fix Released  Undecided   Unassigned

Bug Description

See:

As part of @rouault's WFS 2.0 work he discovered a SQL injection issue specific to WMS-Time and perhaps SOS services. It has to do with PostGIS and time validation. Based on Even's tests for WMS-Time the vulnerability is limited to unintended disclosure of data from the specific table, if specific conditions are met:

WMS-Time is configured
PostGIS is used
GetFeatureInfo output formats dump all attributes (e.g. gmlitems all)
Basically you can muck with the where clause but can’t execute secondary commands (e.g. delete …). It may be possible to access unintended data through the map itself (e.g. via a label item) but that seems pretty hard. Again, SOS services have not been examined.

https://github.com/mapserver/mapserver/issues/4834

Fixes have been issued at: http://mapserver.org/ The issue is solved in debian and is fixed in trusty.
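The description boils down to a request-supplied TIME value being interpolated into the PostGIS WHERE clause without validation. The following is an added illustration of the kind of allow-list check that closes that gap; it is not MapServer's code or its actual patch, the helper names is_safe_time_value and time_filter_sql are hypothetical, and the inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical allow-list check: a WMS TIME value may only contain the
 * characters of an ISO 8601 timestamp or a start/end range. Quotes, spaces,
 * semicolons and comment markers never pass, so the value cannot change the
 * structure of the WHERE clause it is later embedded in. */
static int is_safe_time_value(const char *t)
{
    size_t i, n = strlen(t);
    int slashes = 0;
    if (n == 0 || n > 64)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)t[i];
        if (c == '/')
            slashes++;               /* range separator: start/end */
        else if (!isdigit(c) && strchr("-:TZ.+", c) == NULL)
            return 0;                /* anything else is rejected */
    }
    return slashes <= 1;
}
/* Build the filter fragment for the configured time column (a trusted
 * map-file setting, not request input). Returns NULL when the value fails
 * validation; otherwise a pointer to a static buffer holding the SQL. */
static const char *time_filter_sql(const char *column, const char *timeval)
{
    static char out[256];
    const char *slash;
    int r;
    if (!is_safe_time_value(timeval))
        return NULL;
    slash = strchr(timeval, '/');
    if (slash)
        r = snprintf(out, sizeof out, "(%s >= '%.*s' AND %s <= '%s')",
                     column, (int)(slash - timeval), timeval, column, slash + 1);
    else
        r = snprintf(out, sizeof out, "(%s = '%s')", column, timeval);
    return (r < 0 || (size_t)r >= sizeof out) ? NULL : out;
}
int main(void)
{
    /* Constructed inputs: a benign timestamp and a quote-breaking one. */
    const char *ok = time_filter_sql("ts", "2014-01-12T21:07:15Z");
    const char *bad = time_filter_sql("ts", "2014-01-12' OR '1'='1");
    printf("%s\n%s\n", ok ? ok : "(null)", bad ? bad : "rejected");
    return 0;
}
```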

Seth Arnold (seth-arnold) wrote:

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in mapserver (Ubuntu):
status: New → Incomplete
Johan Van de Wauw (johanvdw) wrote:

Debdiff for precise.

Johan Van de Wauw (johanvdw) wrote:

Patch for quantal

Johan Van de Wauw (johanvdw) wrote:

Debdiff for raring

Johan Van de Wauw (johanvdw) wrote:

Saucy debdiff

Changed in mapserver (Ubuntu):
status: Incomplete → Confirmed
information type: Private Security → Public Security
Changed in mapserver (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in mapserver (Ubuntu Precise):
status: New → Confirmed
Changed in mapserver (Ubuntu Quantal):
status: New → Confirmed
Changed in mapserver (Ubuntu Raring):
status: New → Confirmed
Changed in mapserver (Ubuntu Saucy):
status: New → Confirmed
Changed in mapserver (Ubuntu Precise):
importance: Undecided → Medium
Changed in mapserver (Ubuntu Quantal):
importance: Undecided → Medium
Changed in mapserver (Ubuntu Raring):
importance: Undecided → Medium
Changed in mapserver (Ubuntu Saucy):
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote:

ACK on the debdiffs.

I have slightly modified the changelogs to have the correct release and version number, and have added the bug link.
I also needed to add a fix to the raring package so it would build. I'm not sure how you managed to build it.

Updates are currently building and will be published today. Thanks!

Changed in mapserver (Ubuntu Precise):
status: Confirmed → Fix Committed
Changed in mapserver (Ubuntu Quantal):
status: Confirmed → Fix Committed
Changed in mapserver (Ubuntu Raring):
status: Confirmed → Fix Committed
Changed in mapserver (Ubuntu Saucy):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package mapserver - 6.0.1-2ubuntu1.1

---------------
mapserver (6.0.1-2ubuntu1.1) precise-security; urgency=low

  * Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the
    msPostGISLayerSetTimeFilter function in mappostgis.c. (LP: #1267616)
 -- Johan Van de Wauw <email address hidden> Sun, 12 Jan 2014 21:07:15 +0100

Changed in mapserver (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package mapserver - 6.0.1-3.2ubuntu0.13.04.1

---------------
mapserver (6.0.1-3.2ubuntu0.13.04.1) raring-security; urgency=low

  [ Johan Van de Wauw ]
  * Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the
    msPostGISLayerSetTimeFilter function in mappostgis.c. (LP: #1267616)

  [ Marc Deslauriers ]
  * Fix FTBFS by linking executables with -ldl.
 -- Marc Deslauriers <email address hidden> Tue, 14 Jan 2014 08:23:26 -0500

Changed in mapserver (Ubuntu Raring):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package mapserver - 6.2.1-3ubuntu0.1

---------------
mapserver (6.2.1-3ubuntu0.1) saucy-security; urgency=low

  * Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the
    msPostGISLayerSetTimeFilter function in mappostgis.c. (LP: #1267616)
 -- Johan Van de Wauw <email address hidden> Sun, 12 Jan 2014 21:35:48 +0100

Changed in mapserver (Ubuntu Saucy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package mapserver - 6.0.1-3.2ubuntu0.12.10.1

---------------
mapserver (6.0.1-3.2ubuntu0.12.10.1) quantal-security; urgency=low

  * Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the
    msPostGISLayerSetTimeFilter function in mappostgis.c. (LP: #1267616)
 -- Johan Van de Wauw <email address hidden> Sun, 12 Jan 2014 21:21:10 +0100

Changed in mapserver (Ubuntu Quantal):
status: Fix Committed → Fix Released