Ticket #3641 (closed defect: fixed)

Opened 2 years ago

Last modified 2 years ago

CVE-2010-1678: Improper validation of symbol index values.

Reported by: sdlime Owned by: aboudreault
Priority: highest Milestone:
Component: Security/Vulnerability (Public) Version: unspecified
Severity: critical Keywords:
Cc: dmorissette

Description

Mapfile parsing does not properly validate symbols referenced by index. Also applies to URL changes, which is the more significant issue. The result can be a segfault from an invalid array index.

Fix is to do a bounds check on symbol values once the parse is complete.

Vulnerability exists in trunk, 5.2, 5.4, 5.6 and perhaps other versions. Mapfile issue is not as severe and probably has existed for years.

Steve

Attachments

symbol_index_overflow-branch-5-6.patch Download (2.7 KB) - added by aboudreault 2 years ago.
Branch 5.6 patch for symbol index overflow
symbol_index_overflow-branch-5-4.patch Download (2.8 KB) - added by aboudreault 2 years ago.
Branch 5.4 patch for symbol index overflow
symbol_index_overflow-trunk.patch Download (2.8 KB) - added by aboudreault 2 years ago.
Trunk patch for symbol index overflow
symbol_index_overflow-branch-5-2.patch Download (2.8 KB) - added by aboudreault 2 years ago.
Branch 5.2 patch for symbol index overflow
symbol_index_overflow-branch-5-0.patch Download (1.8 KB) - added by aboudreault 2 years ago.
Branch 5.0 patch for symbol index overflow

Change History

Changed 2 years ago by sdlime

Might consider creating an MS_IS_VALID_INDEX macro. It would take index and a max value. If index is between 0 and max then it returns MS_TRUE.

Steve

Changed 2 years ago by aboudreault

  • summary changed from Improper validation of symbol index values. to CVE-2010-1678: Improper validation of symbol index values.

Updated the ticket with the CVE id.

Changed 2 years ago by dmorissette

  • cc dmorissette added

Changed 2 years ago by aboudreault

Steve, I have deleted your attachment to avoid any wrong fixes from the users since it contained a small typo (was using > rather than >= during the index range check).

The official patch for trunk is committed in r10809 and r10830.
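Added example (not from the ticket, its attachments, or MapServer's own source): a C sketch of the bounds-check macro sdlime proposed above, written as MS_IS_VALID_INDEX, beside the off-by-one form aboudreault describes (">" instead of ">="), applied to a symbol lookup after parsing. The symbolObj/symbolSetObj types, the macro name and the helper functions are assumptions constructed for this example, not MapServer's definitions; the sample set has one spare slot so that the out-of-range index 3 reads a stale entry instead of undefined memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MS_TRUE  1
#define MS_FALSE 0

/* Bounds-check macro in the shape suggested in the ticket: index must be
   >= 0 and strictly less than max (the element count). Hypothetical name,
   not MapServer's own definition. */
#define MS_IS_VALID_INDEX(index, max) \
    (((index) >= 0 && (index) < (max)) ? MS_TRUE : MS_FALSE)

/* Minimal stand-in for a symbol set: fixed storage plus a live count.
   Constructed for this example, not MapServer's symbolSetObj. */
typedef struct {
    const char *name;
} symbolObj;

typedef struct {
    symbolObj symbols[4]; /* 4 slots of storage ... */
    int numsymbols;       /* ... but only numsymbols are valid */
} symbolSetObj;

/* The off-by-one the ticket mentions: '>' instead of '>=' lets
   index == numsymbols through, one past the last valid element. */
static int isValidIndexOffByOne(int index, int numsymbols)
{
    return (index < 0 || index > numsymbols) ? MS_FALSE : MS_TRUE;
}

/* Correct form: index == numsymbols is rejected. */
static int isValidIndexCorrect(int index, int numsymbols)
{
    return MS_IS_VALID_INDEX(index, numsymbols);
}

/* Post-parse check: a symbol index taken from a mapfile or a URL
   parameter is validated against the set before it subscripts the
   array. Returns NULL instead of an out-of-range pointer. */
static const symbolObj *lookupSymbol(const symbolSetObj *set, int index)
{
    if (!MS_IS_VALID_INDEX(index, set->numsymbols))
        return NULL;
    return &set->symbols[index];
}

/* Sample set (constructed): three live symbols, one stale slot. */
static symbolSetObj makeSampleSet(void)
{
    symbolSetObj set = { { {"circle"}, {"square"}, {"triangle"}, {"stale"} }, 3 };
    return set;
}

/* Name of the symbol at index in the sample set, or "(rejected)". */
static const char *sampleSymbolName(int index)
{
    symbolSetObj set = makeSampleSet();
    const symbolObj *s = lookupSymbol(&set, index);
    return s ? s->name : "(rejected)";
}

int main(void)
{
    symbolSetObj set = makeSampleSet();
    int probes[] = { -1, 0, 2, 3 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int idx = probes[i];
        printf("index %2d: '>' check=%d, '>=' check=%d, lookup=%s\n",
               idx, isValidIndexOffByOne(idx, set.numsymbols),
               isValidIndexCorrect(idx, set.numsymbols),
               sampleSymbolName(idx));
    }
    return 0;
}
```

Running it shows index 3 accepted by the '>' variant but rejected by the '>=' variant and by lookupSymbol, which is exactly the difference the deleted attachment got wrong.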

Changed 2 years ago by aboudreault

  • status changed from new to closed
  • resolution set to fixed
  • component changed from Vulnerabilities to Vulnerabilities Fixed

Fixed. Moving ticket privacy to public.

Changed 2 years ago by aboudreault

  • component changed from Security/Vulnerability (Public) to Security/Vulnerability (Private)

Changed 2 years ago by aboudreault

  • component changed from Security/Vulnerability (Private) to Security/Vulnerability (Public)

Changed 2 years ago by aboudreault

Branch 5.6 patch for symbol index overflow

Changed 2 years ago by aboudreault

Branch 5.4 patch for symbol index overflow

Changed 2 years ago by aboudreault

Trunk patch for symbol index overflow

Changed 2 years ago by aboudreault

Branch 5.2 patch for symbol index overflow

Changed 2 years ago by aboudreault

Branch 5.0 patch for symbol index overflow
