Ticket #2943 (closed defect: fixed)

Opened 6 years ago

Last modified 5 years ago

Setting CONTENT_LENGTH of -1 for a POST request can lead to a buffer underflow error.

Reported by: sdlime
Owned by: sdlime
Priority: high
Milestone: 6.0 release
Component: MapServer CGI
Version: unspecified
Severity: normal
Keywords:
Cc: dmorissette

Description

In cgiutil.c MapServer does not properly handle CONTENT_LENGTH values less than 0, which can lead to an out-of-bounds memory write. Solution: don't allow it.

Steve

Change History

  Changed 6 years ago by sdlime

  • status changed from new to assigned

Referencing CVE-2009-0840...

  Changed 5 years ago by dmorissette

  • cc dmorissette added

  Changed 5 years ago by sdlime

  • milestone changed from 5.2.2 release to 5.4 release

Fixed r8805 for MapServer 5.2 branch. Fixed in r8823 for 4.10 branch. Moving to 5.4 now.

Steve

  Changed 5 years ago by sdlime

  • milestone changed from 5.4 release to 6.0 release

Fixed in 5.4 branch in r8852. Moving to 6.0/trunk.

Steve

  Changed 5 years ago by sdlime

  • status changed from assigned to closed
  • resolution set to fixed
  • component changed from MapServer C Library to MapServer CGI

Fixed a while ago in trunk. No documentation changes or anything necessary so closing...

Steve

  Changed 5 years ago by sdlime

  • status changed from closed to reopened
  • resolution fixed deleted

Seems the change to unsigned int is not sufficient. Need a more brute-force test against the CONTENT_LENGTH value to make sure it is greater than zero.

Steve

  Changed 5 years ago by sdlime

Added test to confirm the content-length > 0. Committed in r9125 (5.4), r9126 (5.2), r9127 (trunk).

Steve

  Changed 5 years ago by sdlime

Which other versions should be patched? Assuming Alan will handle 5.0.

-Steve

  Changed 5 years ago by dmorissette

  • status changed from reopened to closed
  • resolution set to fixed

After further review with a member of the Debian Security team, we've found out that the patches above do not fix the issue either.

A new (and hopefully final) fix has been prepared and committed in r9171 (trunk), r9172 (branch-5-4), r9173 (branch-5-2), r9174 (branch-5-0) and r9175 (branch-4-10).

  Changed 5 years ago by tamas

  • status changed from closed to reopened
  • resolution fixed deleted

Replying to dmorissette:

After further review with a member of the Debian Security team, we've found out that the patches above do not fix the issue either. A new (and hopefully final) fix has been prepared and committed in r9171 (trunk), r9172 (branch-5-4), r9173 (branch-5-2), r9174 (branch-5-0) and r9175 (branch-4-10).

SIZE_MAX is not defined for MSVC2003, causing a compiler error. I've applied a fix in r9179 and r9178; you might want to backport it to the remaining affected branches.
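The thread above shows why the first two fixes were insufficient: casting a negative CONTENT_LENGTH to an unsigned type does not reject it, it turns "-1" into a huge value, and a bare "> 0" test still lets through lengths large enough to wrap the allocation size. The following is an added illustration of the validation a CGI should apply, written for this page and not taken from MapServer's cgiutil.c or any of the revisions cited here; the MAX_POST_BODY limit, the function names and the constructed test inputs are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound for an accepted POST body (an assumption for
 * this example, not a MapServer value). Keeping it well below SIZE_MAX
 * guarantees that len + 1 cannot wrap when the buffer is allocated. */
#define MAX_POST_BODY (64u * 1024u * 1024u)

/* Parse the CONTENT_LENGTH environment value. Accepts only a plain run of
 * decimal digits whose value is strictly greater than zero and no larger
 * than MAX_POST_BODY. Returns 0 and stores the length in *out on success,
 * -1 on any rejection.
 *
 * The sign is checked on the text before any integer conversion: a leading
 * '-' (or '+', or whitespace, all of which strtoll would tolerate) is
 * rejected outright, so a negative value can never be reinterpreted as a
 * large unsigned one. */
int parse_content_length(const char *s, size_t *out) {
    char *end;
    long long v;

    if (s == NULL || *s == '\0') return -1;
    if (!isdigit((unsigned char)s[0])) return -1;   /* no sign, no whitespace */

    errno = 0;
    v = strtoll(s, &end, 10);
    if (errno == ERANGE) return -1;                 /* does not fit in long long */
    if (*end != '\0') return -1;                    /* trailing junk such as "12abc" */
    if (v <= 0) return -1;                          /* "0", "000": nothing to read */
    if ((unsigned long long)v > MAX_POST_BODY) return -1;

    *out = (size_t)v;
    return 0;
}

/* Read exactly len bytes of body from `in` into a freshly allocated,
 * NUL-terminated buffer. Returns NULL if len was not validated first or if
 * fewer bytes arrive than CONTENT_LENGTH promised (a client may announce
 * more than it sends). The caller owns the returned buffer. */
char *read_post_body(FILE *in, size_t len) {
    char *buf;

    if (in == NULL || len == 0 || len > MAX_POST_BODY) return NULL;
    buf = malloc(len + 1);                          /* cannot wrap: len <= MAX_POST_BODY */
    if (buf == NULL) return NULL;
    if (fread(buf, 1, len, in) != len) {            /* short body: refuse, don't guess */
        free(buf);
        return NULL;
    }
    buf[len] = '\0';
    return buf;
}

/* Convenience wrapper mirroring how a CGI would use the two functions:
 * validate the header, then read the body from stdin-like stream `in`. */
char *read_validated_post(const char *content_length, FILE *in) {
    size_t len;
    if (parse_content_length(content_length, &len) != 0) return NULL;
    return read_post_body(in, len);
}

int main(void) {
    size_t n;
    const char *samples[] = { "-1", "0", "42", "12abc", "99999999999999999999" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = parse_content_length(samples[i], &n);
        printf("CONTENT_LENGTH=%-22s -> %s\n", samples[i],
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The two checks that matter are independent: the textual sign check defeats the "-1 becomes 4294967295" problem the ticket describes, and the explicit upper bound (rather than a comparison against SIZE_MAX alone) keeps the later `len + 1` allocation from wrapping and bounds how much a single request can make the process allocate.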

  Changed 5 years ago by aboudreault

  • status changed from reopened to closed
  • resolution set to fixed

SIZE_MAX fix backported in r9187 (branch-5-2), r9188 (branch-5-0), r9189 (branch-4-10).

  Changed 5 years ago by sdlime

Alan: Were all the other security fixes (templates, buffer overflows, etc...) ported to the 5.0 branch as well? I didn't do it...

Steve

  Changed 5 years ago by aboudreault

The other security fixes have been committed in branch 5.0 in r9199.
