Ticket #2944 (closed defect: fixed)

Opened 6 years ago

Last modified 5 years ago

CGI file creation does not adequately check input which could lead to a buffer overflow.

Reported by: sdlime
Owned by: sdlime
Priority: highest
Milestone: 6.0 release
Component: MapServer C Library
Version: unspecified
Severity: normal
Keywords:
Cc: dmorissette

Description

Several places in mapserv.c and maptemplate.c create temporary file names using a static buffer. Several values including map->name and map->imagepath are used to create file names for things like maps, legends and such. If a mapfile were crafted with very long values for those parameters it is possible to overflow the static buffer.

The solution is to use snprintf instead of sprintf to ensure that only a limited number of characters can be written to the static buffer. If more characters are present, MapServer will throw an error about not being able to open a file for writing.

Steve
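An added example of the fix the ticket describes, not MapServer's own code: a fixed-size buffer receives a temporary file name built from mapfile-controlled values, written with a bounded snprintf. The names `build_temp_path`, `TMP_PATH_LEN`, `imagepath`, `name` and `suffix` are illustrative stand-ins (modelled on map->imagepath and map->name), and the inputs in `demo` are constructed. It goes one step beyond the ticket by checking snprintf's return value so a truncated name is rejected immediately instead of surfacing later as a failed file open.

```c
#include <stdio.h>
#include <string.h>

#define TMP_PATH_LEN 256  /* illustrative size, not MapServer's own */

/* Build "<imagepath><name><suffix>" into buf without writing past buflen
 * bytes. imagepath/name stand in for map->imagepath/map->name, which a
 * crafted mapfile controls. Returns 0 on success, -1 if the result would
 * not fit (buf is then left as an empty string).
 * The pattern the ticket fixes was the unbounded form:
 *   sprintf(buf, "%s%s%s", imagepath, name, suffix); */
int build_temp_path(char *buf, size_t buflen, const char *imagepath,
                    const char *name, const char *suffix)
{
    /* snprintf bounds the write and returns the length it wanted;
     * a value >= buflen means the output was truncated. */
    int n = snprintf(buf, buflen, "%s%s%s", imagepath, name, suffix);
    if (n < 0 || (size_t)n >= buflen) {
        if (buflen > 0) buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Self-check with constructed inputs: a normal name and an oversized one
 * of the kind a malicious mapfile could supply. Returns 0 when all checks
 * pass, otherwise the number of the failing check. */
int demo(void)
{
    char path[TMP_PATH_LEN];
    char longname[1024];
    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    if (build_temp_path(path, sizeof(path), "/tmp/ms_tmp/", "mymap", "_legend.png") != 0)
        return 1;
    if (strcmp(path, "/tmp/ms_tmp/mymap_legend.png") != 0)
        return 2;
    if (build_temp_path(path, sizeof(path), "/tmp/ms_tmp/", longname, "_legend.png") != -1)
        return 3;
    if (path[0] != '\0')
        return 4;
    return 0;
}

int main(void)
{
    printf("checks %s\n", demo() == 0 ? "passed" : "failed");
    return demo();
}
```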

Change History

Changed 6 years ago by sdlime

  • status changed from new to assigned

Changed 6 years ago by sdlime

Referencing CVE-2009-0839...

Changed 5 years ago by dmorissette

  • cc dmorissette added

Changed 5 years ago by sdlime

  • milestone changed from 5.2.2 release to 5.4 release

Fixed r8805 for MapServer 5.2 branch. Fixed in r8823 for 4.10 branch. Moving to 5.4 now.

Steve

Changed 5 years ago by sdlime

Fixed in 5.4 branch in r8856, moving to 6.0/trunk.

Steve

Changed 5 years ago by sdlime

  • milestone changed from 5.4 release to 6.0 release

Changed 5 years ago by sdlime

  • status changed from assigned to closed
  • resolution set to fixed

Fixed in trunk, closing. -Steve

Changed 5 years ago by sdlime

Referencing CVE-2009-1177... Steve

Changed 5 years ago by aboudreault

Backported to branch-5-0 in r9199
