Opened 14 years ago
Closed 14 years ago
Last modified 14 years ago
#2944 closed defect (fixed)
CGI file creation does not adequately check input which could lead to a buffer overflow.
|Reported by:||sdlime||Owned by:||sdlime|
|Component:||MapServer C Library||Version:||unspecified|
Several places in mapserv.c and maptemplate.c create temporary file names using a static buffer. Several values, including map->name and map->imagepath, are used to create file names for things like maps, legends and such. If a mapfile were crafted with very long values for those parameters, it is possible to overflow the static buffer.
The solution is to use snprintf instead of sprintf to ensure that a limited number of characters can be written to the static buffer. If more characters are present, then MapServer will throw an error about not being able to open a file for writing.
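The bounded-write pattern described above, as an added example that is not part of the ticket and not MapServer's code. The function name `build_tmp_name`, the buffer size, the format string and the sample paths are all assumptions; it also goes one step further than the ticket by checking snprintf's return value, so a truncated name is rejected before any file is opened.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 64 /* assumed size; the ticket does not give the real buffer length */

/* Hypothetical helper: bounded write plus an explicit truncation check.
 * Returns 0 on success, -1 if the name does not fit or formatting fails. */
int build_tmp_name(char *out, size_t outlen, const char *imagepath,
                   const char *mapname, const char *id, const char *ext)
{
    int n = snprintf(out, outlen, "%s%s%s.%s", imagepath, mapname, id, ext);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0'; /* never hand a truncated path to fopen() */
        return -1;
    }
    return 0;
}

/* Pre-fix pattern as the ticket describes it, for contrast only (not compiled):
 *     char buffer[PATH_BUF];
 *     sprintf(buffer, "%s%s%s.%s", imagepath, mapname, id, ext);   no bound
 */

int main(void)
{
    char buffer[PATH_BUF];
    char long_name[256]; /* constructed stand-in for an oversized map->name */
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    if (build_tmp_name(buffer, sizeof buffer, "/tmp/ms_tmp/", "demo", "12345", "png") == 0)
        printf("ok: %s\n", buffer);
    if (build_tmp_name(buffer, sizeof buffer, "/tmp/ms_tmp/", long_name, "12345", "png") != 0)
        printf("rejected: name does not fit in %d bytes\n", PATH_BUF);
    return 0;
}
```

snprintf returns the length the full string would have had, so a return value greater than or equal to the buffer size means the output was truncated.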
Change History (9)
comment:1 by , 14 years ago
|Status:||new → assigned|
comment:2 by , 14 years ago
comment:3 by , 14 years ago
comment:4 by , 14 years ago
|Milestone:||5.2.2 release → 5.4 release|
comment:5 by , 14 years ago
Fixed in 5.4 branch in r8856, moving to 6.0/trunk.
comment:6 by , 14 years ago
|Milestone:||5.4 release → 6.0 release|
comment:7 by , 14 years ago
|Status:||assigned → closed|
Fixed in trunk, closing. -Steve
comment:8 by , 14 years ago
Referencing CVE-2009-1177... Steve
comment:9 by , 14 years ago
Backported to branch-5-0 in r9199