Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#3641 closed defect (fixed)

CVE-2010-1678: Improper validation of symbol index values.

Reported by: sdlime
Owned by: aboudreault
Priority: highest
Milestone:
Component: Security/Vulnerability (Public)
Version: unspecified
Severity: critical
Keywords:
Cc: dmorissette

Description

Mapfile parsing does not properly validate symbols referenced by index. Also applies to URL changes, which is the more significant issue. The result can be a segfault from an invalid array index.

Fix is to do a bounds check on symbol values once the parse is complete.

Vulnerability exists in trunk, 5.2, 5.4, 5.6 and perhaps other versions. Mapfile issue is not as severe and probably has existed for years.

Steve

Attachments (5)

symbol_index_overflow-branch-5-6.patch (2.7 KB) - added by aboudreault 13 years ago.
Branch 5.6 patch for symbol index overflow
symbol_index_overflow-branch-5-4.patch (2.8 KB) - added by aboudreault 13 years ago.
Branch 5.4 patch for symbol index overflow
symbol_index_overflow-trunk.patch (2.8 KB) - added by aboudreault 13 years ago.
Trunk patch for symbol index overflow
symbol_index_overflow-branch-5-2.patch (2.8 KB) - added by aboudreault 13 years ago.
Branch 5.2 patch for symbol index overflow
symbol_index_overflow-branch-5-0.patch (1.8 KB) - added by aboudreault 13 years ago.
Branch 5.0 patch for symbol index overflow


Change History (12)

comment:1 by sdlime, 13 years ago

Might consider creating an MS_IS_VALID_INDEX macro. It would take an index and a max value. If index is between 0 and max then it returns MS_TRUE.

Steve

comment:2 by aboudreault, 13 years ago

Summary: Improper validation of symbol index values. → CVE-2010-1678: Improper validation of symbol index values.

Updated the ticket with the CVE id.

comment:3 by dmorissette, 13 years ago

Cc: dmorissette added

comment:4 by aboudreault, 13 years ago

Steve, I have deleted your attachment to avoid any wrong fixes from the users since it contained a small typo (was using > rather than >= during the index range check).

The official patch for trunk is committed in r10809 and r10830.
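As an added illustration (not MapServer's code and not taken from the attached patches): the bounds-check macro proposed in comment 1, beside the off-by-one variant comment 4 describes, and a post-parse validation pass over a hypothetical parsed style array. The style type, function names and sample values are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

#define MS_TRUE  1
#define MS_FALSE 0

/* Correct form of the macro proposed in comment 1: an index addresses an
 * existing symbol only when 0 <= index < max, where max is the number of
 * symbols in the set (valid indexes run 0 .. max-1). */
#define MS_IS_VALID_INDEX(index, max) \
    (((index) >= 0 && (index) < (max)) ? MS_TRUE : MS_FALSE)

/* The off-by-one variant comment 4 describes: rejecting only index > max
 * accepts index == max, which is one element past the end of the array. */
#define MS_IS_VALID_INDEX_OFF_BY_ONE(index, max) \
    (((index) >= 0 && (index) <= (max)) ? MS_TRUE : MS_FALSE)

/* Hypothetical parsed style holding a symbol reference by index, as a
 * mapfile or a URL change could set it. */
typedef struct { int symbol; } style_t;

/* Post-parse bounds check, as the description proposes: walk every style
 * and count symbol indexes that do not address an existing symbol. A
 * nonzero result means the map must be rejected before rendering. */
int ms_validate_symbol_indexes(const style_t *styles, size_t nstyles, int numsymbols)
{
    int bad = 0;
    for (size_t i = 0; i < nstyles; i++)
        if (MS_IS_VALID_INDEX(styles[i].symbol, numsymbols) != MS_TRUE)
            bad++;
    return bad;
}

/* Constructed sample: a symbol set of 3 entries (indexes 0..2) and four
 * styles, two of which reference it out of range (3 and -1). */
int sample_bad_count(void)
{
    const style_t styles[] = { {0}, {3}, {-1}, {2} };
    return ms_validate_symbol_indexes(styles, 4, 3);
}

int main(void)
{
    printf("invalid symbol references: %d\n", sample_bad_count());
    printf("index 3 of 3 symbols: correct=%d off-by-one=%d\n",
           MS_IS_VALID_INDEX(3, 3), MS_IS_VALID_INDEX_OFF_BY_ONE(3, 3));
    return 0;
}
```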

comment:5 by aboudreault, 13 years ago

Component: Vulnerabilities → Vulnerabilities Fixed
Resolution: fixed
Status: new → closed

Fixed. Moving ticket privacy to public.

comment:6 by aboudreault, 13 years ago

Component: Security/Vulnerability (Public) → Security/Vulnerability (Private)

comment:7 by aboudreault, 13 years ago

Component: Security/Vulnerability (Private) → Security/Vulnerability (Public)

by aboudreault, 13 years ago

Branch 5.6 patch for symbol index overflow

by aboudreault, 13 years ago

Branch 5.4 patch for symbol index overflow

by aboudreault, 13 years ago

Trunk patch for symbol index overflow

by aboudreault, 13 years ago

Branch 5.2 patch for symbol index overflow

by aboudreault, 13 years ago

Branch 5.0 patch for symbol index overflow
