Bug 509559 (CVE-2009-2281)

Summary: CVE-2009-2281 mapserver: incomplete upstream fix for CVE-2009-0840
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: cristian.balint, devrim, oliver, vdanen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-09-26 21:40:51 UTC

Description Tomas Hoger 2009-07-03 14:21:27 UTC
Nico Golde reported that the upstream fix for mapserver's security flaw CVE-2009-0840 is incomplete and does not correctly handle the case when a value of 0xffffffff is specified in the Content-Length header.  During the memory allocation +1 is added to the user-specified content-length value.  Therefore malloc may be called with argument 0, typically resulting in a small memory chunk being allocated.

References:
http://thread.gmane.org/gmane.comp.security.oss.general/1861
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523027#14
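The wraparound the report describes, reconstructed as an added illustration that is not mapserver's own code: a 32-bit length that is incremented for the terminator after being read, beside a version that bounds the value before any arithmetic. MAX_BODY_LEN and both function names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound for a request body; not a mapserver constant. */
#define MAX_BODY_LEN (16u * 1024u * 1024u)

/* Pattern behind the incomplete fix: the parsed 32-bit Content-Length
 * is incremented for the NUL terminator at allocation time. With
 * 0xffffffff the unsigned addition wraps to 0, so malloc(0) hands back
 * a minimal chunk that the later body copy overruns. */
size_t naive_alloc_size(unsigned int content_length)
{
    return (size_t)(content_length + 1u);  /* 0xffffffff + 1 == 0 */
}

/* Hardened form: parse into a wider type, reject anything malformed or
 * above the bound, and only then add the terminator byte. Returns 0 when
 * the header must be rejected, otherwise the byte count to allocate. */
size_t safe_alloc_size(const char *content_length_hdr)
{
    char *end = NULL;
    unsigned long long v;

    if (content_length_hdr == NULL || *content_length_hdr == '\0')
        return 0;
    if (*content_length_hdr == '-')     /* strtoull would accept "-1" */
        return 0;
    v = strtoull(content_length_hdr, &end, 10);
    if (*end != '\0')                   /* trailing junk in the header */
        return 0;
    if (v > MAX_BODY_LEN)               /* bounded, so +1 cannot wrap */
        return 0;
    return (size_t)v + 1;
}

int main(void)
{
    /* Constructed header values: the CVE trigger and a normal request. */
    printf("naive 0xffffffff -> %zu bytes\n", naive_alloc_size(0xffffffffu));
    printf("safe  4294967295 -> %zu (0 = rejected)\n",
           safe_alloc_size("4294967295"));
    printf("safe  10         -> %zu\n", safe_alloc_size("10"));
    return 0;
}
```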

Comment 1 Vincent Danen 2011-09-26 21:40:51 UTC
This flaw was fixed upstream in versions 4.10.5, 5.2.3, and 5.4.2:

http://osgeo-org.1803224.n2.nabble.com/MapServer-5-4-2-released-also-5-2-3-and-4-10-5-td3315624.html

Current Fedora release is 5.6.7 and EPEL5 is 4.10.5, all of which contain the fix.