Bug 723293 - (CVE-2011-2703, CVE-2011-2704, CVE-2011-2975) CVE-2011-2703 CVE-2011-2704 CVE-2011-2975 MapServer (v6.0.1, v5.6.7 and v4.10.7): Multiple SQL injections and one (stack-based) buffer overflow flaw
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Whiteboard: public=20110713,reported=20110719,sou...
Depends On: 722545 723295
Reported: 2011-07-19 12:13 EDT by Jan Lieskovsky
Modified: 2016-01-26 07:29 EST
Last Closed: 2012-12-20 12:50:13 EST
Doc Type: Bug Fix
Description Jan Lieskovsky 2011-07-19 12:13:49 EDT
Multiple SQL injection flaws and one stack-based buffer overflow flaw were found in MapServer:
[1] http://lists.osgeo.org/pipermail/mapserver-users/2011-July/069430.html

More from [1]:

MapServer developers have discovered flaws in the OGC filter support in MapServer. That code is used in support of the WFS, WMS-SLD and SOS specifications.

All versions may be susceptible to SQL injection under certain circumstances. The extent of the vulnerability depends on the MapServer version, relational database and mapfile configuration being used. All users are ** strongly encouraged ** to upgrade to these latest releases.

The 5.6.7 and 4.10.7 releases also address one significant, potentially exploitable buffer overflow (the 6.0 branch is not vulnerable).

References:
[1] http://lists.osgeo.org/pipermail/mapserver-users/2011-July/069430.html
[2] http://trac.osgeo.org/mapserver/ticket/3903
[3] https://bugzilla.redhat.com/show_bug.cgi?id=722545
[4] http://www.openwall.com/lists/oss-security/2011/07/19/11
    (CVE Request)

Relevant upstream patches:
[5]  http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_6.0.x.patch
     (for 6.0.x branch)
[6]  http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.6.x.patch
     (for 5.6.x branch)
[7]  http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.4.x.patch
     (for 5.4.x branch)
[8]  http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.2.x.patch
     (for 5.2.x branch)
[9]  http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.0.x.patch
     (for 5.0.x branch)
[10] http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_4.10.x.patch
     (for 4.10.x branch)
Comment 1 Jan Lieskovsky 2011-07-19 12:18:30 EDT
The mapserver package updates for Fedora releases 14 and 15 have already been scheduled (mapserver-5.6.7-1.fc14, mapserver-5.6.7-1.fc15). Once they have passed the required level of testing, they will be pushed to the Fedora -stable repository. See https://bugzilla.redhat.com/show_bug.cgi?id=722545 for further details.

--

This issue affects the version of the mapserver package as present within the EPEL-5 repository. Please schedule an update.

Note: Upon looking at the patch, it looks like the proposed v4.10.x patch changes are
      already present in the mapserver-4.10.5-1.el5 version currently available
      for EPEL-5, though the buffer overflow fix is missing.
Comment 2 Jan Lieskovsky 2011-07-19 12:19:34 EDT
Created mapserver tracking bugs for this issue

Affects: epel-5 [bug 723295]
Comment 3 Vincent Danen 2011-07-20 15:47:56 EDT
The following CVE assignments were made:

CVE-2011-2703 mapserver SQL injection flaws
CVE-2011-2704 mapserver stack-based buffer overflows
Comment 4 Vincent Danen 2011-08-02 12:36:57 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2975 to
the following vulnerability:

Name: CVE-2011-2975
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2975
Assigned: 20110801
Reference: http://lists.osgeo.org/pipermail/mapserver-users/2011-July/069430.html
Reference: http://trac.osgeo.org/mapserver/ticket/3939

Double free vulnerability in the msAddImageSymbol function in
mapsymbol.c in MapServer before 6.0.1 might allow remote attackers to
cause a denial of service (application crash) or have unspecified
other impact via crafted mapfile data.
