Bug 493364 (CVE-2009-0839, CVE-2009-0840, CVE-2009-0841, CVE-2009-0842, CVE-2009-0843, CVE-2009-1176, CVE-2009-1177)

Summary: mapserver: multiple security fixes in 5.2.2 and 4.10.4 (CVE-2009-0839, CVE-2009-0840, CVE-2009-0841, CVE-2009-0842, CVE-2009-0843, CVE-2009-1176, CVE-2009-1177)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: cristian.balint, devrim, oliver
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-03-29 09:18:47 UTC

Description Tomas Hoger 2009-04-01 15:02:45 UTC
New upstream mapserver versions 5.2.2 and 4.10.4 have been released:

  http://lists.osgeo.org/pipermail/mapserver-users/2009-March/060600.html

to address multiple security issues found during a security audit of MapServer's code.  Details about the issues fixed:

  http://www.securityfocus.com/archive/1/archive/1/502271/100/0/threaded
  http://www.positronsecurity.com/advisories/2009-000.html

CVE assigned to the issues:

CVE-2009-0839:
Stack-based buffer overflow in mapserv.c in mapserv in MapServer 4.x
before 4.10.4 and 5.x before 5.2.2, when the server has a map with a
long IMAGEPATH or NAME attribute, allows remote attackers to execute
arbitrary code via a crafted id parameter in a query action.
http://trac.osgeo.org/mapserver/ticket/2944

(Fedora packages are built with FORTIFY_SOURCE, which should catch this problem and reduce the impact to a non-exploitable crash.)

CVE-2009-0840:
Heap-based buffer underflow in the readPostBody function in cgiutil.c
in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows
remote attackers to have an unknown impact via a negative value in the
Content-Length HTTP header.
http://trac.osgeo.org/mapserver/ticket/2943

(The original advisory mentions that it should not be possible to trigger this when using httpd 2.2.x, at least.)

CVE-2009-0841:
Directory traversal vulnerability in mapserv.c in mapserv in MapServer
4.x before 4.10.4 and 5.x before 5.2.2, when running on Windows with
Cygwin, allows remote attackers to create arbitrary files via a ..
(dot dot) in the id parameter.
http://trac.osgeo.org/mapserver/ticket/2942

(See advisory for more details about conditions when this might be exploitable on non-Windows systems.)

CVE-2009-0842:
mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows
remote attackers to read arbitrary invalid .map files via a full
pathname in the map parameter, which triggers the display of partial
file contents within an error message, as demonstrated by a
/tmp/sekrut.map symlink.
http://trac.osgeo.org/mapserver/ticket/2941

CVE-2009-0843:
The msLoadQuery function in mapserv in MapServer 4.x before 4.10.4 and
5.x before 5.2.2 allows remote attackers to determine the existence of
arbitrary files via a full pathname in the queryfile parameter, which
triggers different error messages depending on whether this pathname
exists.
http://trac.osgeo.org/mapserver/ticket/2939

CVE-2009-1176:
mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before
5.2.2 does not ensure that the string holding the id parameter ends in
a '\0' character, which allows remote attackers to conduct
buffer-overflow attacks or have unspecified other impact via a long id
parameter in a query action.

(Related to CVE-2009-0839, see advisory for details.)

CVE-2009-1177:
Multiple stack-based buffer overflows in maptemplate.c in mapserv in
MapServer 4.x before 4.10.4 and 5.x before 5.2.2 have unknown impact
and remote attack vectors.
http://trac.osgeo.org/mapserver/ticket/2944

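The three input-handling bug classes listed in the description above (a negative Content-Length driving a heap underflow in a readPostBody-style routine, an id parameter copied without guaranteed NUL termination, and ".." in that same id reaching a file name) share one fix pattern: validate the length before allocating, refuse over-long values instead of truncating them, and whitelist the characters of anything that ends up in a path. The C below is an added illustration of that pattern, not MapServer's code and not the upstream patch; the function names, the ID_MAX and MAX_POST_BODY limits, and the in-memory stand-in for stdin are all hypothetical.

```c
/* Added example, not MapServer code: validation that closes the bug classes
 * described for CVE-2009-0840, CVE-2009-1176 and CVE-2009-0841. Names and
 * limits are hypothetical. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_POST_BODY (1024L * 1024L)   /* hypothetical upper bound on a POST body */

/* Parse a Content-Length header value. Returns -1 for anything that is not a
 * plain, bounded, non-negative decimal. A value such as "-1" passed through
 * atoi() would otherwise become malloc(0) followed by a write at index -1,
 * which is the heap underflow the CVE-2009-0840 text describes. */
long parse_content_length(const char *s) {
    char *end;
    if (s == NULL || !isdigit((unsigned char)*s))   /* rejects "", "-1", "+5", " 5" */
        return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')           /* overflow or trailing junk */
        return -1;
    if (v < 0 || v > MAX_POST_BODY)
        return -1;
    return v;
}

/* Read a POST body of the declared length from `in` (a stand-in for stdin so
 * the example runs offline). Returns a malloc'ed NUL-terminated copy, or NULL
 * when the header is invalid or fewer bytes than declared are available. */
char *read_post_body(const char *content_length_hdr, const char *in, size_t in_len) {
    long len = parse_content_length(content_length_hdr);
    if (len < 0 || (size_t)len > in_len)
        return NULL;
    char *body = malloc((size_t)len + 1);
    if (body == NULL)
        return NULL;
    memcpy(body, in, (size_t)len);
    body[len] = '\0';   /* safe: len is non-negative and inside the allocation */
    return body;
}

/* The unsafe pattern, kept for contrast: strncpy() does not terminate the
 * destination when the source fills it, so later string operations run off
 * the end of the buffer (the CVE-2009-1176 condition). Returns 1 if dst was
 * left unterminated. */
int copy_id_unterminated(char *dst, size_t dstsz, const char *src) {
    memset(dst, 'X', dstsz);          /* simulate stale stack contents */
    strncpy(dst, src, dstsz);
    return memchr(dst, '\0', dstsz) == NULL;
}

/* Hardened copy: refuse an over-long id instead of truncating it, always
 * terminate, and accept only characters that cannot form "..", "/" or "\\",
 * because the id later becomes part of a file name (CVE-2009-0841).
 * Returns 0 on success, -1 on rejection (dst untouched). */
int copy_id_checked(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (n == 0 || n >= dstsz)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!(isalnum(c) || c == '_' || c == '-'))
            return -1;
    }
    memcpy(dst, src, n + 1);          /* n + 1 includes the terminator */
    return 0;
}

int main(void) {
    /* Constructed sample inputs, not captured traffic. */
    const char *post = "hello world";
    char id[8];

    printf("Content-Length \"-1\"   -> %ld\n", parse_content_length("-1"));
    printf("Content-Length \"5\"    -> %ld\n", parse_content_length("5"));

    char *body = read_post_body("5", post, strlen(post));
    printf("body                  -> %s\n", body ? body : "(rejected)");
    free(body);

    printf("strncpy of 8 chars    -> unterminated=%d\n",
           copy_id_unterminated(id, sizeof id, "ABCDEFGH"));
    printf("checked \"../etc\"      -> %d\n", copy_id_checked(id, sizeof id, "../etc"));
    printf("checked \"q1\"          -> %d (%s)\n",
           copy_id_checked(id, sizeof id, "q1"), id);
    return 0;
}
```

The whitelist in copy_id_checked is deliberately narrower than "reject ..": a saved-query identifier has no legitimate need for path separators or dots, and rejecting the whole class is easier to review than blacklisting the two sequences the advisory happens to name. The check is also independent of FORTIFY_SOURCE, which (as noted above) only turns the stack overflow into a crash rather than preventing the bad input from being accepted.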
Comment 1 Fedora Update System 2009-04-04 23:57:24 UTC
mapserver-5.2.2-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/mapserver-5.2.2-1.fc9

Comment 2 Fedora Update System 2009-04-04 23:58:15 UTC
mapserver-5.2.2-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/mapserver-5.2.2-1.fc10

Comment 3 Fedora Update System 2009-04-06 20:31:06 UTC
mapserver-5.2.2-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2009-04-06 20:32:57 UTC
mapserver-5.2.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.