| Summary: | sci-geosciences/mapserver-7.0.0: PostGIS TIME Filter SQL Injection Vulnerability (CVE-2013-7262) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | sci-geosciences |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/56155/ | | |
| Whiteboard: | ~3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 471250 | | |
| Bug Blocks: | | | |
Description
Agostino Sarubbo
2014-01-06 18:45:08 UTC

CVE-2013-7262 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7262): SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used, allows remote attackers to execute arbitrary SQL commands via a crafted string in a PostGIS TIME filter.

(In reply to GLSAMaker/CVETool Bot from comment #1)
> CVE-2013-7262 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7262):
> SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in
> mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used,
> allows remote attackers to execute arbitrary SQL commands via a crafted
> string in a PostGIS TIME filter.

This CVE is also fixed in mapserver-6.2.2 (according to http://mapserver.org/development/changelog/changelog-6-2-2.html) and mapserver-6.0.4 (according to http://mapserver.org/development/changelog/changelog-6-0-4.html). So there is no need to do the "big step" to the 6.4.x or 6.2.x line (but check bug 471250 for 6.2.x). If I could compile either 6.0.1 or 6.2.1 I would check if a rename of the ebuild is sufficient, but unfortunately I run into lapack/blas issues...

@security: I would treat this as maintainer-needed. fordfrog, the only member of sci-geosciences herd, told me "I have nothing to do with it" when I inquired about fixing PHP support.

author    Amy Winston <amynka@gentoo.org>  2016-02-27 12:20:01 (GMT)
committer Amy Winston <amynka@gentoo.org>  2016-02-27 12:20:01 (GMT)
commit    64b32d1e88e7adfb309a96cc940300fb08ecd66c

sci-geosciences/mapserver: drop old security bug #497302
It should be now fixed.

Amy committed per previous comment and all vulnerable versions removed.
CVE-2013-7262 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7262): SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used, allows remote attackers to execute arbitrary SQL commands via a crafted string in a PostGIS TIME filter. (In reply to GLSAMaker/CVETool Bot from comment #1) > CVE-2013-7262 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7262): > SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in > mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used, > allows remote attackers to execute arbitrary SQL commands via a crafted > string in a PostGIS TIME filter. This CVE is also fixed in mapserver-6.2.2 (according to http://mapserver.org/development/changelog/changelog-6-2-2.html) and mapserver-6.0.4 (according to http://mapserver.org/development/changelog/changelog-6-0-4.html). So there is no need to do the "big step" to the 6.4.x or 6.2.x line (but check bug 471250 for 6.2.x). If i could compile either 6.0.1 or 6.2.1 i would check if a rename of the ebuild is sufficient, but unfortunately in run into lapack/blas issues... @security: I would treat this as maintainer-needed. fordfrog, the only member of sci-geosciences herd, told me "I have nothing to do with it" when I inquired about fixing PHP support. author Amy Winston <amynka@gentoo.org> 2016-02-27 12:20:01 (GMT) committer Amy Winston <amynka@gentoo.org> 2016-02-27 12:20:01 (GMT) commit 64b32d1e88e7adfb309a96cc940300fb08ecd66c sci-geosciences/mapserver: drop old security bug #497302 It should be now fixed. Amy committed per previous comment and all vulnerable versions removed. |