Opened 14 years ago

Closed 14 years ago

Last modified 14 years ago

#2943 closed defect (fixed)

Setting CONTENT_LENGTH of -1 for a POST request can lead to a buffer underflow error.

Reported by: sdlime Owned by: sdlime
Priority: high Milestone: 6.0 release
Component: MapServer CGI Version: unspecified
Severity: normal Keywords:
Cc: dmorissette

Description

In cgiutil.c MapServer does not properly handle CONTENT_LENGTHs less than 0 and can lead to an out-of-bounds memory write. Solution, don't allow it.

Steve

Change History (13)

comment:1 by sdlime, 14 years ago

Status: newassigned

Referencing CVE-2009-0840...

comment:2 by dmorissette, 14 years ago

Cc: dmorissette added

comment:3 by sdlime, 14 years ago

Milestone: 5.2.2 release5.4 release

Fixed r8805 for MapServer 5.2 branch. Fixed in r8823 for 4.10 branch. Moving to 5.4 now.

Steve

comment:4 by sdlime, 14 years ago

Milestone: 5.4 release6.0 release

Fixed in 5.4 branch in r8852. Moving to 6.0/trunk.

Steve

comment:5 by sdlime, 14 years ago

Component: MapServer C LibraryMapServer CGI
Resolution: fixed
Status: assignedclosed

Fixed a while ago in trunk. No documentation changes or anything necessary so closing...

Steve

comment:6 by sdlime, 14 years ago

Resolution: fixed
Status: closedreopened

Seems change to unsigned int is not sufficient. Need a more brute force test against the CONTENT_LENGTH value to make sure it is greater than zero.

Steve

comment:7 by sdlime, 14 years ago

Added test to confirm the content-length > 0. Committed in r9125 (5.4), r9126 (5.2), r9127 (trunk).

Steve

comment:8 by sdlime, 14 years ago

Which other versions should be patched? Assuming Alan will handle 5.0.

-Steve

comment:9 by dmorissette, 14 years ago

Resolution: fixed
Status: reopenedclosed

After further review with a member of the Debian Security team, we've found out that the patches above do not fix the issue either.

A new (and hopefully final) fix has been prepared and committed in r9171 (trunk), r9172 (branch-5-4), r9173 (branch-5-2), r9174 (branch-5-0) and r9175 (branch-4-10).

in reply to:  9 comment:10 by tamas, 14 years ago

Resolution: fixed
Status: closedreopened

Replying to dmorissette:

After further review with a member of the Debian Security team, we've found out that the patches above do not fix the issue either.

A new (and hopefully final) fix has been prepared and committed in r9171 (trunk), r9172 (branch-5-4), r9173 (branch-5-2), r9174 (branch-5-0) and r9175 (branch-4-10).

SIZE_MAX is not defined for MSVC2003 causing a compiler error. I've applied a fix in r9179 and r9178 you might want to back port it to the remaining affected branches.

comment:11 by aboudreault, 14 years ago

Resolution: fixed
Status: reopenedclosed

SIZE_MAX fix backported in r9187 (branch-5-2), r9188 (branch-5-0), r9189 (branch-4-10).

comment:12 by sdlime, 14 years ago

Alan: Where all the other security fixes (templates, buffer overflows, etc...) all ported to 5.0 branch as well? I didn't do it...

Steve

comment:13 by aboudreault, 14 years ago

The other security fixes have been committed in branch 5.0 in r9199.

Note: See TracTickets for help on using tickets.