Bug 493364 - (CVE-2009-0839, CVE-2009-0840, CVE-2009-0841, CVE-2009-0842, CVE-2009-0843, CVE-2009-1176, CVE-2009-1177) mapserver: multiple security fixes in 5.2.2 and 4.10.4 (CVE-2009-0839, CVE-2009-0840, CVE-2009-0841, CVE-2009-0842, CVE-2009-0843, CVE-2009-1176, CVE-2009-1177)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Reported: 2009-04-01 11:02 EDT by Tomas Hoger
Modified: 2010-03-29 05:18 EDT
Last Closed: 2010-03-29 05:18:47 EDT
Doc Type: Bug Fix
Attachments: None

Description Tomas Hoger 2009-04-01 11:02:45 EDT
New upstream mapserver versions 5.2.2 and 4.10.4 have been released:

  http://lists.osgeo.org/pipermail/mapserver-users/2009-March/060600.html

to address multiple security issues found during the security audit of the mapserver's code.  Details about issues fixed:

  http://www.securityfocus.com/archive/1/archive/1/502271/100/0/threaded
  http://www.positronsecurity.com/advisories/2009-000.html

CVE assigned to the issues:

CVE-2009-0839:
Stack-based buffer overflow in mapserv.c in mapserv in MapServer 4.x
before 4.10.4 and 5.x before 5.2.2, when the server has a map with a
long IMAGEPATH or NAME attribute, allows remote attackers to execute
arbitrary code via a crafted id parameter in a query action.
http://trac.osgeo.org/mapserver/ticket/2944

(Fedora packages are built with FORTIFY_SOURCE, which should catch this problem and reduce the impact to a non-exploitable crash.)

CVE-2009-0840:
Heap-based buffer underflow in the readPostBody function in cgiutil.c
in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows
remote attackers to have an unknown impact via a negative value in the
Content-Length HTTP header. 
http://trac.osgeo.org/mapserver/ticket/2943

(The original advisory mentions that it should not be possible to trigger this, at least when using httpd 2.2.x.)

CVE-2009-0841:
Directory traversal vulnerability in mapserv.c in mapserv in MapServer
4.x before 4.10.4 and 5.x before 5.2.2, when running on Windows with
Cygwin, allows remote attackers to create arbitrary files via a ..
(dot dot) in the id parameter.
http://trac.osgeo.org/mapserver/ticket/2942

(See advisory for more details about conditions when this might be exploitable on non-Windows systems.)

CVE-2009-0842:
mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows
remote attackers to read arbitrary invalid .map files via a full
pathname in the map parameter, which triggers the display of partial
file contents within an error message, as demonstrated by a
/tmp/sekrut.map symlink. 
http://trac.osgeo.org/mapserver/ticket/2941 

CVE-2009-0843:
The msLoadQuery function in mapserv in MapServer 4.x before 4.10.4 and
5.x before 5.2.2 allows remote attackers to determine the existence of
arbitrary files via a full pathname in the queryfile parameter, which
triggers different error messages depending on whether this pathname
exists. 
http://trac.osgeo.org/mapserver/ticket/2939

CVE-2009-1176:
mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before
5.2.2 does not ensure that the string holding the id parameter ends in
a '\0' character, which allows remote attackers to conduct
buffer-overflow attacks or have unspecified other impact via a long id
parameter in a query action.

(Related to CVE-2009-0839, see advisory for details.)

CVE-2009-1177:
Multiple stack-based buffer overflows in maptemplate.c in mapserv in
MapServer 4.x before 4.10.4 and 5.x before 5.2.2 have unknown impact
and remote attack vectors. 
http://trac.osgeo.org/mapserver/ticket/2944
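
Three of the issues above are input-handling mistakes of a kind that is easy to check for in any CGI code: trusting the sign of Content-Length (CVE-2009-0840), copying the id parameter into a fixed buffer without guaranteeing a terminating '\0' (CVE-2009-1176), and letting ".." in that parameter reach a filename (CVE-2009-0841). The following C is an added illustration of the defensive handling, written for this bug report; it is not MapServer's code and not the fix shipped in 5.2.2/4.10.4. The function names, the MAX_POST_BODY and ID_BUF_LEN limits, and the sample inputs in main() are all assumptions made for the example.

```c
/* Added illustration, not MapServer code: defensive handling of a
 * Content-Length header and of an id parameter that ends up in a
 * fixed-size buffer and, eventually, in a filename. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_POST_BODY (1024 * 1024)  /* assumed upper bound for a POST body */
#define ID_BUF_LEN    128            /* assumed size of the id buffer */

/* Parse a Content-Length value into an unsigned size.
 * Returns 0 on success and -1 if the value is missing, not a plain
 * decimal number, negative, or larger than MAX_POST_BODY.  Parsing it
 * into a signed int and using it as a length without a sign check is
 * the class of mistake CVE-2009-0840 describes. */
int parse_content_length(const char *value, size_t *out)
{
    if (value == NULL || *value == '\0')
        return -1;
    /* Require a leading digit: strtoull() would accept "-1" and silently
     * wrap it to a huge unsigned value, so reject the sign up front. */
    if (!isdigit((unsigned char)value[0]))
        return -1;
    errno = 0;
    char *end = NULL;
    unsigned long long n = strtoull(value, &end, 10);
    if (errno == ERANGE || end == value)
        return -1;
    /* Only trailing whitespace may follow the digits. */
    for (; *end != '\0'; end++)
        if (!isspace((unsigned char)*end))
            return -1;
    if (n > MAX_POST_BODY)
        return -1;
    *out = (size_t)n;
    return 0;
}

/* Copy an id parameter into a fixed buffer.  Guarantees a terminating
 * '\0' (CVE-2009-1176) and applies an allow-list of characters, which
 * rejects "..", '/' and '\\' before the value can reach a path
 * (CVE-2009-0841).  Returns 0 on success, -1 on rejection. */
int copy_id_param(const char *id, char *buf, size_t buflen)
{
    if (id == NULL || buf == NULL || buflen == 0)
        return -1;
    size_t len = strlen(id);
    if (len == 0 || len >= buflen)   /* keep room for the '\0' */
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)id[i];
        if (!(isalnum(c) || c == '_' || c == '-'))
            return -1;
    }
    memcpy(buf, id, len);
    buf[len] = '\0';
    return 0;
}

int main(void)
{
    size_t body_len = 0;
    char idbuf[ID_BUF_LEN];
    /* Constructed sample inputs, including the negative and oversized cases. */
    const char *lengths[] = { "512", "-1", "18446744073709551615" };
    for (size_t i = 0; i < 3; i++)
        printf("Content-Length %-22s -> %s\n", lengths[i],
               parse_content_length(lengths[i], &body_len) == 0 ? "accepted" : "rejected");
    const char *ids[] = { "region-7", "../../etc/passwd" };
    for (size_t i = 0; i < 2; i++)
        printf("id %-18s -> %s\n", ids[i],
               copy_id_param(ids[i], idbuf, sizeof idbuf) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The allow-list in copy_id_param() is deliberately stricter than a ".." check: a blacklist has to anticipate every separator and encoding, while an allow-list of [A-Za-z0-9_-] needs no such list and also caps the length below the buffer size, so the '\0' always fits.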
Comment 1 Fedora Update System 2009-04-04 19:57:24 EDT
mapserver-5.2.2-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/mapserver-5.2.2-1.fc9
Comment 2 Fedora Update System 2009-04-04 19:58:15 EDT
mapserver-5.2.2-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/mapserver-5.2.2-1.fc10
Comment 3 Fedora Update System 2009-04-06 16:31:06 EDT
mapserver-5.2.2-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2009-04-06 16:32:57 EDT
mapserver-5.2.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
