Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#2944 closed defect (fixed)

CGI file creation does not adequately check input which could lead to a buffer overflow.

Reported by: sdlime
Owned by: sdlime
Priority: highest
Milestone: 6.0 release
Component: MapServer C Library
Version: unspecified
Severity: normal
Keywords:
Cc: dmorissette

Description

Several places in mapserv.c and maptemplate.c create temporary file names using a static buffer. Several values including map->name and map->imagepath are used to create file names for things like maps, legends and such. If a mapfile were crafted with very long values for those parameters it is possible to overflow the static buffer.

Solution is to use snprintf instead of sprintf to ensure that a limited number of characters can be written to the static buffer. If more characters are present then MapServer will throw an error about not being able to open a file for writing.

Steve
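The sprintf-to-snprintf change the ticket describes, as an added illustration that is not MapServer's own code; the buffer size, the image path, the map name and the function names are assumptions, and the snprintf return value is checked so that a name that does not fit is reported rather than silently truncated:

```c
#include <stdio.h>
#include <string.h>
/* Assumed buffer size; the ticket does not state MapServer's real one. */
#define TMP_PATH_LEN 64

/* Vulnerable pattern from the ticket: sprintf() into a fixed buffer with
 * mapfile-controlled values (map->imagepath, map->name). Kept only for
 * contrast; never called here, since a long name overruns buf. */
void build_tmpname_unsafe(char *buf, const char *imagepath,
                          const char *name, const char *ext)
{
    sprintf(buf, "%s%s.%s", imagepath, name, ext);
}

/* Hardened form: snprintf() bounds the write, and the return value is
 * checked so a name that does not fit is reported as an error rather than
 * silently truncated into a different file name. 0 = ok, -1 = too long. */
int build_tmpname_safe(char *buf, size_t buflen, const char *imagepath,
                       const char *name, const char *ext)
{
    int n = snprintf(buf, buflen, "%s%s.%s", imagepath, name, ext);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';            /* make the failure visible to the caller */
        return -1;
    }
    return 0;
}

/* Constructed inputs: an ordinary map name and an oversized one. */
int demo_normal(char *out, size_t outlen)
{
    return build_tmpname_safe(out, outlen, "/tmp/ms_tmp/", "mymap", "png");
}

int demo_oversized(char *out, size_t outlen)
{
    char longname[200];
    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';
    return build_tmpname_safe(out, outlen, "/tmp/ms_tmp/", longname, "png");
}

int main(void)
{
    char buf[TMP_PATH_LEN];
    printf("normal:    rc=%d name=%s\n", demo_normal(buf, sizeof buf), buf);
    printf("oversized: rc=%d\n", demo_oversized(buf, sizeof buf));
    return 0;
}
```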

Change History (9)

comment:1 Changed 6 years ago by sdlime

  • Status changed from new to assigned

comment:2 Changed 6 years ago by sdlime

Referencing CVE-2009-0839...

comment:3 Changed 6 years ago by dmorissette

  • Cc dmorissette added

comment:4 Changed 6 years ago by sdlime

  • Milestone changed from 5.2.2 release to 5.4 release

Fixed r8805 for MapServer 5.2 branch. Fixed in r8823 for 4.10 branch. Moving to 5.4 now.

Steve

comment:5 Changed 6 years ago by sdlime

Fixed in 5.4 branch in r8856, moving to 6.0/trunk.

Steve

comment:6 Changed 6 years ago by sdlime

  • Milestone changed from 5.4 release to 6.0 release

comment:7 Changed 6 years ago by sdlime

  • Resolution set to fixed
  • Status changed from assigned to closed

Fixed in trunk, closing. -Steve

comment:8 Changed 6 years ago by sdlime

Referencing CVE-2009-1177... Steve

comment:9 Changed 6 years ago by aboudreault

Backported to branch-5-0 in r9199
