#2943 closed defect (fixed)
Setting CONTENT_LENGTH of -1 for a POST request can lead to a buffer underflow error.
Reported by: | sdlime | Owned by: | sdlime |
---|---|---|---|
Priority: | high | Milestone: | 6.0 release |
Component: | MapServer CGI | Version: | unspecified |
Severity: | normal | Keywords: | |
Cc: | dmorissette | | |
Description
In cgiutil.c MapServer does not properly handle CONTENT_LENGTHs less than 0, which can lead to an out-of-bounds memory write. Solution: don't allow it.
Steve
Change History (13)
comment:1 by , 15 years ago
Status: | new → assigned |
---|---|
comment:2 by , 15 years ago
Cc: | added |
---|---|
comment:3 by , 15 years ago
Milestone: | 5.2.2 release → 5.4 release |
---|---|
comment:4 by , 15 years ago
Milestone: | 5.4 release → 6.0 release |
---|---|
Fixed in 5.4 branch in r8852. Moving to 6.0/trunk.
Steve
comment:5 by , 14 years ago
Component: | MapServer C Library → MapServer CGI |
---|---|
Resolution: | → fixed |
Status: | assigned → closed |
Fixed a while ago in trunk. No documentation changes or anything necessary so closing...
Steve
comment:6 by , 14 years ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
Seems the change to unsigned int is not sufficient. Need a more brute-force test against the CONTENT_LENGTH value to make sure it is greater than zero.
Steve
comment:7 by , 14 years ago
comment:8 by , 14 years ago
Which other versions should be patched? Assuming Alan will handle 5.0.
-Steve
comment:9 by , 14 years ago (follow-up: 10)
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
comment:10 by , 14 years ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
Replying to dmorissette:
> After further review with a member of the Debian Security team, we've found out that the patches above do not fix the issue either.
> A new (and hopefully final) fix has been prepared and committed in r9171 (trunk), r9172 (branch-5-4), r9173 (branch-5-2), r9174 (branch-5-0) and r9175 (branch-4-10).
SIZE_MAX is not defined for MSVC2003, causing a compiler error. I've applied a fix in r9179 and r9178; you might want to back-port it to the remaining affected branches.
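As an added illustration of the checks discussed in comment:6 (a cast to unsigned is not enough) and comment:10 (bounding against SIZE_MAX), here is a strict CONTENT_LENGTH parser in C. This is example code written for this page, not MapServer's own; the 64 MiB cap and the function names are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed cap on a POST body we are willing to buffer; the ticket names no
 * specific limit, so this value is illustrative only. */
#define MAX_POST_BYTES (64u * 1024u * 1024u)

/* Parse the CGI CONTENT_LENGTH string into a size_t.
 * Returns 1 on success, 0 when the value must be rejected: missing, not a
 * plain run of digits (so "-1", "+1", " 1" all fail), zero, too large for
 * long long, above SIZE_MAX, or above our cap. The signed text is validated
 * before it is ever converted to a size, so no cast can hide a negative. */
int parse_content_length(const char *env, size_t *out)
{
    char *end;
    long long val;

    if (env == NULL || !isdigit((unsigned char)env[0]))
        return 0;                     /* empty, sign, or whitespace first */
    errno = 0;
    val = strtoll(env, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return 0;                     /* overflow or trailing garbage */
    if (val <= 0)
        return 0;                     /* nothing sensible to read */
    if ((unsigned long long)val > SIZE_MAX || val > (long long)MAX_POST_BYTES)
        return 0;                     /* would not fit, or exceeds cap */
    *out = (size_t)val;
    return 1;
}

/* The first fix in the ticket relied on an unsigned type; this shows why
 * that alone is not enough: -1 silently becomes UINT_MAX. */
unsigned int naive_cast(const char *env) { return (unsigned int)atoi(env); }

int main(void)
{
    size_t n;
    const char *samples[] = { "-1", "0", "42", "12abc", "99999999999999999999" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("CONTENT_LENGTH=%s -> %s\n", samples[i],
               parse_content_length(samples[i], &n) ? "accept" : "reject");
    printf("(unsigned int)-1 = %u\n", naive_cast("-1"));
    return 0;
}
```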
comment:11 by , 14 years ago
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
comment:12 by , 14 years ago
Alan: Were all the other security fixes (templates, buffer overflows, etc...) ported to the 5.0 branch as well? I didn't do it...
Steve
Referencing CVE-2009-0840...