[DebianGIS-dev] Bug#523027: mapserver: multiple vulnerabilities
Hi,
as the incomplete fix got a new CVE id I closed this bug and opened a new one for the incomplete fix.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.

___
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel
[DebianGIS-dev] Bug#535340: mapserver: heap-based buffer overflow because due to integer overflow in content-length handling
Package: mapserver
Severity: grave
Tags: security
Justification: user security hole

Hi,
As described in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523027#14 the fix for CVE-2009-0840 was not correct. A new CVE id got assigned to this: CVE-2009-2281. Please reference it in the changelog if you fix this bug.

Cheers
Nico
[DebianGIS-dev] Bug#523027: [oss-security] incorrect upstream fix for CVE-2009-0840 (mapserver)
Hi,
* Steven M. Christey co...@linus.mitre.org [2009-07-01 13:43]:
> On Mon, 22 Jun 2009, Nico Golde wrote:
> > I'm not sure if this should get a new CVE id but the versions in the CVE id description should be adjusted and the upstream patch revised.
>
> This looks like even though there was a source code modification, the previous issue was not fixed at all. That is, any attack that would have worked before the fix, will still work after the fix.
>
> However, Fedora FEDORA-2009-3383 at least claims a fix for CVE-2009-0840, so a new CVE is probably in order to signal to admins that they have another issue to handle.
>
> Use CVE-2009-2281 for the new issue.
>
> What versions are affected by this?

Should be every currently available release, I'm currently working with upstream on a better fix.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.
[DebianGIS-dev] Bug#523027: incorrect upstream fix for CVE-2009-0840 (mapserver)
Hi,
from the CVE description:

| Heap-based buffer underflow in the readPostBody function in cgiutil.c in
| mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote
| attackers to have an unknown impact via a negative value in the Content-Length
| HTTP header.

The affected code is in cgiutil.c:

41 static char *readPostBody( cgiRequestObj *request )
42 {
43     char *data;
44     int data_max, data_len, chunk_size;
45
46     msIO_needBinaryStdin();
47
48     /*                                                    */
49     /*      If the length is provided, read in one gulp.  */
50     /*                                                    */
51     if( getenv("CONTENT_LENGTH") != NULL ) {
52         data_max = atoi(getenv("CONTENT_LENGTH"));
53         data = (char *) malloc(data_max+1);
54         if( data == NULL ) {
55             msIO_printf("Content-type: text/html%c%c",10,10);
56             msIO_printf("malloc() failed, Content-Length: %d unreasonably large?\n", data_max );
57             exit( 1 );
58         }
59
60         if( (int) msIO_fread(data, 1, data_max, stdin) < data_max ) {

There is obviously a problem in case the content-length is negative.

The following is the upstream patch which was used to fix this issue:

 static char *readPostBody( cgiRequestObj *request )
 {
     char *data;
-    int data_max, data_len, chunk_size;
+    unsigned int data_max, data_len;
+    int chunk_size;

Unfortunately this doesn't fix the issue and I wonder why people always think changing signed types to unsigned will fix such errors. If I pass 0x as the content-length, according to type conversion rules in C atoi() will convert this to -1 which is again converted to 0x when assigning it to an unsigned int. data_max+1 in line 53 will then overflow and malloc is called with a parameter of 0. This causes malloc to allocate the smallest possible chunk but it will _not_ return NULL (well, implementation defined). So it is still possible to perform a heap-based buffer overflow after the upstream fix.

I'm not sure if this should get a new CVE id but the versions in the CVE id description should be adjusted and the upstream patch revised.

Cheers
Nico

P.S. @Alan, this is also the reason I have to reject your packages in our security queue again.
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.
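Review bot: the `unsigned int data_max, data_len;` change does not bound the header value at all. atoi() still returns a negative int for an out-of-range Content-Length, the implicit conversion to unsigned turns -1 into UINT_MAX, and the unchanged `malloc(data_max+1)` then wraps to malloc(0), which returns a usable non-NULL pointer that msIO_fread writes past. Parse the header with strtol (checking errno for ERANGE and rejecting trailing garbage), reject anything negative or above a sane maximum before the allocation, and drop the `(int)` cast on the msIO_fread result so a size_t is never compared through a signed truncation.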
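The failure described above, as an added example that is not MapServer's code: `patched_alloc_size` reproduces the arithmetic of the upstream patch (atoi into an unsigned int, then the `+1` handed to malloc) so the wrap to 0 can be observed, and `parse_content_length` / `read_post_body_checked` show the range-checked parsing that has to happen before any allocation. `MAX_POST_BODY` is an assumed site limit, and the header strings are constructed test inputs.

```c
/* Added example (not MapServer code): why widening data_max to unsigned does
 * not bound a hostile Content-Length, beside a checked parser that rejects
 * such a value before anything is allocated. Header values used here are
 * constructed test inputs; MAX_POST_BODY is an assumed site limit. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Largest POST body the program is willing to buffer (assumed limit). */
#define MAX_POST_BODY (16UL * 1024UL * 1024UL)

/* Mirrors the upstream patch: atoi() result stored in an unsigned int,
 * then +1 as in "malloc(data_max+1)". Returns the size malloc would get. */
unsigned int patched_alloc_size(const char *content_length)
{
    unsigned int data_max = atoi(content_length); /* "-1" becomes UINT_MAX */
    return data_max + 1;                           /* UINT_MAX + 1 wraps to 0 */
}

/* Checked replacement. Returns the length on success, or -1 when the header
 * is empty, not purely decimal digits, negative, or above MAX_POST_BODY.
 * strtol is used instead of atoi so overflow is reported through ERANGE. */
long parse_content_length(const char *s)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE)                 /* value does not fit in a long */
        return -1;
    if (end == s || *end != '\0')        /* no digits, or trailing junk */
        return -1;
    if (v < 0 || (unsigned long)v > MAX_POST_BODY)
        return -1;
    return v;
}

/* Hardened read: allocate only after the length passed the checks, and keep
 * fread's size_t result without casting it to int. Returns the NUL-terminated
 * body (caller frees) or NULL; *len receives the number of bytes read. */
char *read_post_body_checked(FILE *in, const char *content_length, size_t *len)
{
    long n = parse_content_length(content_length);
    char *data;

    if (n < 0)
        return NULL;
    data = malloc((size_t)n + 1);        /* cannot wrap: n <= MAX_POST_BODY */
    if (data == NULL)
        return NULL;
    *len = fread(data, 1, (size_t)n, in);
    data[*len] = '\0';
    return data;
}

int main(void)
{
    const char *hostile = "-1";          /* constructed header value */
    printf("patched code would call malloc(%u) for Content-Length: %s\n",
           patched_alloc_size(hostile), hostile);
    printf("checked parser result for \"%s\": %ld\n", hostile,
           parse_content_length(hostile));
    return 0;
}
```

The first printf line shows the malloc(0) the patched code would perform; the checked parser returns -1 for the same header and the read path never allocates. The same check also catches values that fit in `long` but not in `int`, which atoi() would silently truncate.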
[DebianGIS-dev] Bug#523027: [oss-security] incorrect upstream fix for CVE-2009-0840 (mapserver)
Hi,
* Nico Golde oss-security...@ngolde.de [2009-06-22 15:45]:
[...]
> Unfortunately this doesn't fix the issue and I wonder why people always think changing signed types to unsigned will fix such errors. If I pass 0x as the content-length according to type conversion rules in C atoi() will convert this to -1 which is again converted to 0x when
  0x^^
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.
[DebianGIS-dev] gpsdrive stable update for #496436
Hi,
an insecure temporary file creation was reported to the gpsdrive some time ago. This is Debian bug #496436.

Unfortunately the vulnerability is not important enough to get it fixed via a regular security update in Debian stable. It does not warrant a DSA. However it would be nice if this could get fixed via a regular point update[0]. Please contact the release team for this.

This is an automatically generated mail, in case you are already working on an upgrade this is of course pointless.

For further information:
[0] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.