Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#3641 closed defect (fixed)

CVE-2010-1678: Improper validation of symbol index values.

Reported by: sdlime
Owned by: aboudreault
Priority: highest
Milestone:
Component: Security/Vulnerability (Public)
Version: unspecified
Severity: critical
Keywords:
Cc: dmorissette

Description

Mapfile parsing does not properly validate symbols referenced by index. Also applies to URL changes, which is the more significant issue. The result can be a segfault from an invalid array index.

Fix is to do a bounds check on symbol values once the parse is complete.

Vulnerability exists in trunk, 5.2, 5.4, 5.6 and perhaps other versions. Mapfile issue is not as severe and probably has existed for years.

Steve

Attachments (5)

symbol_index_overflow-branch-5-6.patch (2.7 KB) - added by aboudreault 9 years ago.
Branch 5.6 patch for symbol index overflow
symbol_index_overflow-branch-5-4.patch (2.8 KB) - added by aboudreault 9 years ago.
Branch 5.4 patch for symbol index overflow
symbol_index_overflow-trunk.patch (2.8 KB) - added by aboudreault 9 years ago.
Trunk patch for symbol index overflow
symbol_index_overflow-branch-5-2.patch (2.8 KB) - added by aboudreault 9 years ago.
Branch 5.2 patch for symbol index overflow
symbol_index_overflow-branch-5-0.patch (1.8 KB) - added by aboudreault 9 years ago.
Branch 5.0 patch for symbol index overflow


Change History (12)

comment:1 Changed 9 years ago by sdlime

Might consider creating an MS_IS_VALID_INDEX macro. It would take an index and a max value. If index is between 0 and max then it returns MS_TRUE.

Steve

comment:2 Changed 9 years ago by aboudreault

Summary changed from "Improper validation of symbol index values." to "CVE-2010-1678: Improper validation of symbol index values."

Updated the ticket with the CVE id.

comment:3 Changed 9 years ago by dmorissette

Cc: dmorissette added

comment:4 Changed 9 years ago by aboudreault

Steve, I have deleted your attachment to avoid any wrong fixes from the users, since it contained a small typo (it was using > rather than >= during the index range check).

The official patch for trunk is committed in r10809 and r10830.
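The bounds check sketched in comment:1 and the off-by-one mentioned in comment:4, as an added illustration that is not MapServer's code or the committed patch: the macro name MS_IS_VALID_INDEX is taken from the suggestion above, the symbolSetObj layout and the sample symbols are constructed here, and MS_TRUE/MS_FALSE are assumed to be 1/0.

```c
#include <stdio.h>
#include <string.h>

#define MS_TRUE  1
#define MS_FALSE 0

/* Shape proposed in comment:1 (hypothetical, not MapServer's actual macro):
 * valid when 0 <= index < max, where max is the number of array entries. */
#define MS_IS_VALID_INDEX(index, max) \
    (((index) >= 0 && (index) < (max)) ? MS_TRUE : MS_FALSE)

/* The typo described in comment:4: rejecting only index > max instead of
 * index >= max accepts the one-past-the-end index, which then reads past
 * the symbol array. Kept here only to show what the corrected check must
 * reject. */
#define BUGGY_IS_VALID_INDEX(index, max) \
    (((index) < 0 || (index) > (max)) ? MS_FALSE : MS_TRUE)

#define MAX_SYMBOLS 4

typedef struct { const char *name; } symbolObj;          /* constructed */
typedef struct {
    symbolObj symbol[MAX_SYMBOLS];
    int numsymbols;   /* entries in use: valid indices are 0..numsymbols-1 */
} symbolSetObj;

/* Resolve a symbol index parsed from a mapfile or URL parameter.
 * Returns the symbol name, or NULL when the index is out of range. */
const char *lookup_symbol(const symbolSetObj *set, int index)
{
    if (!MS_IS_VALID_INDEX(index, set->numsymbols))
        return NULL;
    return set->symbol[index].name;
}

/* Post-parse pass, as the description suggests: check every parsed symbol
 * index once parsing is complete. Returns how many were out of range. */
int count_invalid_indices(const int *indices, int n, int numsymbols)
{
    int bad = 0;
    for (int i = 0; i < n; i++)
        if (!MS_IS_VALID_INDEX(indices[i], numsymbols))
            bad++;
    return bad;
}

/* Constructed sample: three symbols in use out of four slots. */
static const symbolSetObj sample_set = {
    { {"circle"}, {"square"}, {"triangle"}, {NULL} }, 3
};
```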

comment:5 Changed 9 years ago by aboudreault

Component changed from "Vulnerabilities" to "Vulnerabilities Fixed"
Resolution: fixed
Status changed from "new" to "closed"

Fixed. Moving ticket privacy to public.

comment:6 Changed 9 years ago by aboudreault

Component changed from "Security/Vulnerability (Public)" to "Security/Vulnerability (Private)"

comment:7 Changed 9 years ago by aboudreault

Component changed from "Security/Vulnerability (Private)" to "Security/Vulnerability (Public)"

Changed 9 years ago by aboudreault

Branch 5.6 patch for symbol index overflow

Changed 9 years ago by aboudreault

Branch 5.4 patch for symbol index overflow

Changed 9 years ago by aboudreault

Trunk patch for symbol index overflow

Changed 9 years ago by aboudreault

Branch 5.2 patch for symbol index overflow

Changed 9 years ago by aboudreault

Branch 5.0 patch for symbol index overflow
