CGI file creation does not adequately check input which could lead to a buffer overflow.
Several places in mapserv.c and maptemplate.c create temporary file names using a static buffer. Several values including map->name and map->imagepath are used to create file names for things like maps, legends and such. If a mapfile were crafted with very long values for those parameters it is possible to overflow the static buffer.
Solution is to use snprintf instead of sprintf to ensure that a limited number of characters can be written to the static buffer. If more characters are present then MapServer will throw an error about not being able to open a file for writing.
Steve
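An added example (not MapServer's own code) of the bounded formatting the ticket describes. It also checks the return value of snprintf so an over-long name is rejected outright instead of being silently truncated into a different file name. The helper name build_tmp_name, the 64-byte buffer size and the sample paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64 /* assumed size; the ticket does not give the real one */

/*
 * Pattern described in the ticket (unbounded, shown only as a comment):
 *     sprintf(buf, "%s%s%s.%s", imagepath, name, id, ext);
 * Nothing limits the write, so long mapfile values run past buf.
 *
 * Hypothetical hardened helper: formats "<imagepath><name><id>.<ext>"
 * into dst. Returns 0 on success, -1 if the result does not fit.
 */
int build_tmp_name(char *dst, size_t dstlen, const char *imagepath,
                   const char *name, const char *id, const char *ext)
{
    int n;

    if (dst == NULL || dstlen == 0)
        return -1;

    /* snprintf writes at most dstlen-1 characters plus the terminator and
     * returns the length the full string would have needed. */
    n = snprintf(dst, dstlen, "%s%s%s.%s", imagepath, name, id, ext);

    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0'; /* do not leave a truncated, misleading path behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[NAME_BUF];
    char long_name[300];

    /* Constructed sample values, not taken from a real mapfile. */
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    if (build_tmp_name(buf, sizeof buf, "/tmp/ms_tmp/", "demo", "12345", "png") == 0)
        printf("ok: %s\n", buf);
    if (build_tmp_name(buf, sizeof buf, "/tmp/ms_tmp/", long_name, "12345", "png") != 0)
        printf("rejected: file name does not fit in %d bytes\n", NAME_BUF);
    return 0;
}
```

Relying on truncation alone, as the ticket's fix does, stops the overflow; checking the return value additionally prevents opening a file whose name was cut short.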
Change History (9)
Milestone: 5.2.2 release → 5.4 release
Milestone: 5.4 release → 6.0 release
Resolution: → fixed
Status: assigned → closed
Referencing CVE-2009-0839...