Bug 497302 (CVE-2013-7262) - <sci-geosciences/mapserver-7.0.0: PostGIS TIME Filter SQL Injection Vulnerability (CVE-2013-7262)
Status: RESOLVED FIXED
Alias: CVE-2013-7262
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://secunia.com/advisories/56155/
Whiteboard: ~3 [noglsa]
Keywords:
Depends on: 471250
Blocks:
Reported: 2014-01-06 18:45 UTC by Agostino Sarubbo
Modified: 2016-03-29 07:33 UTC
Description Agostino Sarubbo gentoo-dev 2014-01-06 18:45:08 UTC
From ${URL} :

Description

A vulnerability has been reported in MapServer, which can be exploited by malicious people to 
conduct SQL injection attacks.

Certain unspecified input passed via PostGIS TIME filters is not properly sanitised before being 
used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL 
code.

Successful exploitation requires PostGIS to be used and WMS-Time to be configured.

The vulnerability is reported in versions prior to 6.4.1.


Solution:
Update to version 6.4.1.

Provided and/or discovered by:
The vendor credits Even Rouault.

Original Advisory:
http://www.mapserver.org/development/changelog/changelog-6-4.html#changes-from-6-4-0-to-6-4-1


@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-01-11 22:30:27 UTC
CVE-2013-7262 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7262):
  SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in
  mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used,
  allows remote attackers to execute arbitrary SQL commands via a crafted
  string in a PostGIS TIME filter.
Comment 2 Thomas Beutin 2014-06-29 15:45:03 UTC
(In reply to GLSAMaker/CVETool Bot from comment #1)
> CVE-2013-7262 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7262):
>   SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in
>   mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used,
>   allows remote attackers to execute arbitrary SQL commands via a crafted
>   string in a PostGIS TIME filter.

This CVE is also fixed in mapserver-6.2.2 (according to http://mapserver.org/development/changelog/changelog-6-2-2.html) and mapserver-6.0.4 (according to http://mapserver.org/development/changelog/changelog-6-0-4.html). So there is no need to do the "big step" to the 6.4.x or 6.2.x line (but check bug 471250 for 6.2.x).

If I could compile either 6.0.1 or 6.2.1 I would check if a rename of the ebuild is sufficient, but unfortunately I run into lapack/blas issues...
Comment 3 Brian Evans (RETIRED) gentoo-dev 2015-02-04 20:11:24 UTC
@security:

I would treat this as maintainer-needed.
fordfrog, the only member of sci-geosciences herd, told me "I have nothing to do with it" when I inquired about fixing PHP support.
Comment 4 Amy Liffey gentoo-dev 2016-02-27 12:28:48 UTC
author	        Amy Winston <amynka@gentoo.org>	2016-02-27 12:20:01 (GMT)
committer	Amy Winston <amynka@gentoo.org>	2016-02-27 12:20:01 (GMT)
commit	64b32d1e88e7adfb309a96cc940300fb08ecd66c

sci-geosciences/mapserver: drop old security bug #497302

It should be now fixed.

Amy
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-03-29 07:32:36 UTC
committed per previous comment and all vulnerable versions removed.