Bug 723293 (CVE-2011-2703, CVE-2011-2704, CVE-2011-2975)

Summary: CVE-2011-2703 CVE-2011-2704 CVE-2011-2975 MapServer (v6.0.1, v5.6.7 and v4.10.7): Multiple SQL injections and one (stack-based) buffer overflow flaw
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Doc Type: Bug Fix
Last Closed: 2012-12-20 17:50:13 UTC
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
CC: cristian.balint, devrim, jrusnack, oliver, pavel.lisy, vdanen
Bug Depends On: 722545, 723295

Description Jan Lieskovsky 2011-07-19 16:13:49 UTC
Multiple SQL injection flaws and one stack based buffer overflow flaw were found in MapServer:
[1] http://lists.osgeo.org/pipermail/mapserver-users/2011-July/069430.html

More from [1]:

MapServer developers have discovered flaws in the OGC filter support in 
MapServer. That code is used in support of WFS, WMS-SLD and SOS 
specifications.

All versions may be susceptible to SQL injection under certain 
circumstances. The extent of the vulnerability depends on the MapServer 
version, relational database and mapfile configuration being used. All 
users are ** strongly encouraged ** to upgrade to these latest releases.

The 5.6.7 and 4.10.7 releases also address one significant potentially 
exploitable buffer overflow (6.0 branch is not vulnerable).

References:
[1] http://lists.osgeo.org/pipermail/mapserver-users/2011-July/069430.html
[2] http://trac.osgeo.org/mapserver/ticket/3903
[3] https://bugzilla.redhat.com/show_bug.cgi?id=722545
[4] http://www.openwall.com/lists/oss-security/2011/07/19/11
    (CVE Request)

Relevant upstream patches:
[5]  http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_6.0.x.patch
     (for 6.0.x branch)
[6]  http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.6.x.patch
     (for 5.6.x branch)
[7]  http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.4.x.patch
     (for 5.4.x branch)
[8]  http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.2.x.patch
     (for 5.2.x branch)
[9]  http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.0.x.patch
     (for 5.0.x branch)
[10] http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_4.10.x.patch
     (for 4.10.x branch)
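
The following is an added illustrative example, not MapServer's code and not the upstream patch: a minimal translation of one OGC PropertyIsEqualTo comparison (property name plus literal) into a SQL WHERE fragment, first in the flawed pattern (both values pasted verbatim into the query text) and then in a hardened form (property name checked against an assumed allow-list of the layer's columns, literal quoted by doubling single quotes), plus a small quote-state scanner that counts how many string literals the resulting fragment contains. The attacker literal, the column list and every function name here are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flawed pattern (illustrative, not MapServer code): property name and
 * literal from the client-supplied filter are pasted into the SQL text. */
char *where_naive(const char *prop, const char *literal)
{
    size_t n = strlen(prop) + strlen(literal) + 8; /* " = '" + "'" + NUL */
    char *out = malloc(n);
    if (!out) return NULL;
    snprintf(out, n, "%s = '%s'", prop, literal);
    return out;
}

/* Return a copy of s with every single quote doubled, the standard SQL
 * way to embed a quote inside a string literal. Caller frees. */
char *sql_escape_literal(const char *s)
{
    size_t len = strlen(s), quotes = 0, j = 0;
    for (size_t i = 0; i < len; i++)
        if (s[i] == '\'') quotes++;
    char *out = malloc(len + quotes + 1);
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        out[j++] = s[i];
        if (s[i] == '\'') out[j++] = '\'';
    }
    out[j] = '\0';
    return out;
}

/* Hardened pattern: the property name must be one of the columns the layer
 * is known to expose (assumed allow-list supplied by the caller) and the
 * literal is escaped before being quoted. Returns NULL on rejection. */
char *where_hardened(const char *const *allowed, size_t nallowed,
                     const char *prop, const char *literal)
{
    int ok = 0;
    for (size_t i = 0; i < nallowed; i++)
        if (strcmp(allowed[i], prop) == 0) ok = 1;
    if (!ok) return NULL;

    char *esc = sql_escape_literal(literal);
    if (!esc) return NULL;
    size_t n = strlen(prop) + strlen(esc) + 8;
    char *out = malloc(n);
    if (out) snprintf(out, n, "%s = '%s'", prop, esc);
    free(esc);
    return out;
}

/* Scan a WHERE fragment and count its single-quoted string literals,
 * treating a doubled quote inside a literal as an escape. A correctly built
 * "col = 'value'" fragment has exactly one; a value that broke out of its
 * quotes yields more. Returns -1 for an unterminated literal. */
int count_sql_literals(const char *sql)
{
    int count = 0, in_str = 0;
    for (const char *p = sql; *p; p++) {
        if (*p != '\'') continue;
        if (in_str && p[1] == '\'') { p++; continue; } /* escaped quote */
        if (in_str) { in_str = 0; count++; } else in_str = 1;
    }
    return in_str ? -1 : count;
}

int main(void)
{
    /* Constructed inputs: an assumed layer column list and a hostile literal. */
    static const char *const cols[] = { "name", "population" };
    const char *evil = "x' OR '1'='1";

    char *a = where_naive("name", evil);
    char *b = where_hardened(cols, 2, "name", evil);
    printf("naive:    %s  (literals=%d)\n", a, count_sql_literals(a));
    printf("hardened: %s  (literals=%d)\n", b, count_sql_literals(b));
    free(a);
    free(b);
    return 0;
}
```

Doubling quotes is the portable literal-quoting rule, but some backends also treat backslashes specially, and the right escaping therefore depends on the target database, which is why the advisory says the extent of the flaw depends on the relational database in use; where the driver supports bind parameters, passing the literal as a parameter avoids the question entirely. The allow-list on the property name matters because the PropertyName element of an OGC filter is just as attacker-controlled as the Literal, and it is not inside quotes.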

Comment 1 Jan Lieskovsky 2011-07-19 16:18:30 UTC
The mapserver package updates for Fedora releases 14 and 15 have already been scheduled (mapserver-5.6.7-1.fc14, mapserver-5.6.7-1.fc15). Once they have passed the required level of testing, they will be pushed to the Fedora -stable repository. See https://bugzilla.redhat.com/show_bug.cgi?id=722545 for further details.

--

This issue affects the version of the mapserver package, as present within EPEL-5 repository. Please schedule an update.

Note: Upon looking at the patch, it looks like the proposed v4.10.x patch changes
      are already present in the mapserver-4.10.5-1.el5 version currently
      available for EPEL-5, though the buffer overflow fix is missing.

Comment 2 Jan Lieskovsky 2011-07-19 16:19:34 UTC
Created mapserver tracking bugs for this issue

Affects: epel-5 [bug 723295]

Comment 3 Vincent Danen 2011-07-20 19:47:56 UTC
The following CVE assignments were made:

CVE-2011-2703 mapserver SQL injection flaws
CVE-2011-2704 mapserver stack based buffer overflows

Comment 4 Vincent Danen 2011-08-02 16:36:57 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2975 to
the following vulnerability:

Name: CVE-2011-2975
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2975
Assigned: 20110801
Reference: http://lists.osgeo.org/pipermail/mapserver-users/2011-July/069430.html
Reference: http://trac.osgeo.org/mapserver/ticket/3939

Double free vulnerability in the msAddImageSymbol function in
mapsymbol.c in MapServer before 6.0.1 might allow remote attackers to
cause a denial of service (application crash) or have unspecified
other impact via crafted mapfile data.