Ticket #3484 (closed defect: fixed)

Opened 3 years ago

Last modified 3 years ago

Buffer overflow in msTmpFile()

Reported by: dmorissette Owned by: dmorissette
Priority: normal Milestone: 5.6.4 release
Component: MapServer C Library Version: 5.6
Severity: normal Keywords:
Cc: sdlime, aboudreault

Description

A buffer overflow has been found in msTmpFile() when the ForcedTmpBase? param is used.

This issue was found as part of a security audit of the MapServer 5.6 source. All versions going back to 4.10 (and possibly older ones) are affected.

Change History

Changed 3 years ago by dmorissette

  • status changed from new to assigned

Committed a fix for the buffer overflow in SVN branch-5-6 r10305 (will be in 5.6.4).

I will also backport the fix to older releases.

Changed 3 years ago by dmorissette

  • cc aboudreault added

Changed 3 years ago by dmorissette

  • status changed from assigned to closed
  • resolution set to fixed

Backported fix to SVN branch-5-4 (r10310), branch-5-2 (r10311), branch-5-0 (r10312) and branch-4-10 (r10313)

Closing.

Changed 3 years ago by dmorissette

Applied fix to SVN trunk r10318

Changed 3 years ago by dmorissette

I modified msTmpFile() in r10458 (trunk only) to use snprintf instead of sprintf

Note: See TracTickets for help on using tickets.