Bug 723293 (CVE-2011-2703, CVE-2011-2704, CVE-2011-2975) - CVE-2011-2703 CVE-2011-2704 CVE-2011-2975 MapServer (v6.0.1, v5.6.7 and v4.10.7): Multiple SQL injections and one (stack-based) buffer overflow flaw
Alias: CVE-2011-2703, CVE-2011-2704, CVE-2011-2975
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 722545 723295
Reported: 2011-07-19 16:13 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-12-20 17:50:13 UTC


Description Jan Lieskovsky 2011-07-19 16:13:49 UTC
Multiple SQL injection flaws and one stack based buffer overflow flaw were found in MapServer:
[1] http://lists.osgeo.org/pipermail/mapserver-users/2011-July/069430.html

More from [1]:

MapServer developers have discovered flaws in the OGC filter support in
MapServer. That code is used in support of WFS, WMS-SLD and SOS.

All versions may be susceptible to SQL injection under certain 
circumstances. The extent of the vulnerability depends on the MapServer 
version, relational database and mapfile configuration being used. All 
users are ** strongly encouraged ** to upgrade to these latest releases.

The 5.6.7 and 4.10.7 releases also address one significant potentially
exploitable buffer overflow (the 6.0 branch is not vulnerable).

[1] http://lists.osgeo.org/pipermail/mapserver-users/2011-July/069430.html
[2] http://trac.osgeo.org/mapserver/ticket/3903
[3] https://bugzilla.redhat.com/show_bug.cgi?id=722545
[4] http://www.openwall.com/lists/oss-security/2011/07/19/11
    (CVE Request)

Relevant upstream patches:
[5]  http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_6.0.x.patch
     (for 6.0.x branch)
[6]  http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.6.x.patch
     (for 5.6.x branch)
[7]  http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.4.x.patch
     (for 5.4.x branch)
[8]  http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.2.x.patch
     (for 5.2.x branch)
[9]  http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.0.x.patch
     (for 5.0.x branch)
[10] http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_4.10.x.patch
     (for 4.10.x branch)

Comment 1 Jan Lieskovsky 2011-07-19 16:18:30 UTC
The mapserver package updates for Fedora releases 14 and 15 have already been scheduled (mapserver-5.6.7-1.fc14, mapserver-5.6.7-1.fc15). Once they have passed the required level of testing, they will be pushed to the Fedora -stable repository. See https://bugzilla.redhat.com/show_bug.cgi?id=722545 for further details.


This issue affects the version of the mapserver package as present within the EPEL-5 repository. Please schedule an update.

Note: Upon looking at the patch, it appears the proposed v4.10.x patch changes are
      already present in the mapserver-4.10.5-1.el5 version currently
      available for EPEL-5, though the buffer overflow fix is missing.

Comment 2 Jan Lieskovsky 2011-07-19 16:19:34 UTC
Created mapserver tracking bugs for this issue

Affects: epel-5 [bug 723295]

Comment 3 Vincent Danen 2011-07-20 19:47:56 UTC
The following CVE assignments were made:

CVE-2011-2703 mapserver SQL injection flaws
CVE-2011-2704 mapserver stack based buffer overflows

Comment 4 Vincent Danen 2011-08-02 16:36:57 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2975 to
the following vulnerability:

Name: CVE-2011-2975
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2975
Assigned: 20110801
Reference: http://lists.osgeo.org/pipermail/mapserver-users/2011-July/069430.html
Reference: http://trac.osgeo.org/mapserver/ticket/3939

Double free vulnerability in the msAddImageSymbol function in
mapsymbol.c in MapServer before 6.0.1 might allow remote attackers to
cause a denial of service (application crash) or have unspecified
other impact via crafted mapfile data.
