[DebianGIS-dev] Bug#523027: mapserver: multiple vulnerabilities

2009-07-01 Thread Nico Golde
Hi,
as the incomplete fix got a new CVE id I closed this bug and 
opened a new one for the incomplete fix.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.


___
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel

[DebianGIS-dev] Bug#535340: mapserver: heap-based buffer overflow due to integer overflow in content-length handling

2009-07-01 Thread Nico Golde
Package: mapserver
Severity: grave
Tags: security
Justification: user security hole

Hi,
As described in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523027#14
the fix for CVE-2009-0840 was not correct. A new CVE id got assigned to this:
CVE-2009-2281. Please reference it in the changelog if you fix this bug.

Cheers
Nico




[DebianGIS-dev] Bug#523027: [oss-security] incorrect upstream fix for CVE-2009-0840 (mapserver)

2009-07-01 Thread Nico Golde
Hi,
* Steven M. Christey co...@linus.mitre.org [2009-07-01 13:43]:
> On Mon, 22 Jun 2009, Nico Golde wrote:
> 
>> I'm not sure if this should get a new CVE id but the versions in the CVE id
>> description should be adjusted and the upstream patch revised.
> 
> This looks like even though there was a source code modification, the
> previous issue was not fixed at all.  That is, any attack that would have
> worked before the fix, will still work after the fix.
> 
> However, Fedora FEDORA-2009-3383 at least claims a fix for CVE-2009-0840,
> so a new CVE is probably in order to signal to admins that they have
> another issue to handle.
> 
> Use CVE-2009-2281 for the new issue.  What versions are affected by
> this?

Should be every currently available release, I'm currently 
working with upstream on a better fix.

Cheers
Nico

[DebianGIS-dev] Bug#523027: incorrect upstream fix for CVE-2009-0840 (mapserver)

2009-06-22 Thread Nico Golde
Hi,
from the CVE description:
| Heap-based buffer underflow in the readPostBody function in cgiutil.c in
| mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote
| attackers to have an unknown impact via a negative value in the Content-Length
| HTTP header.

The affected code is in cgiutil.c:
41 static char *readPostBody( cgiRequestObj *request ) 
42 {
43   char *data; 
44   int data_max, data_len, chunk_size;
45 
46   msIO_needBinaryStdin();
47 
48   /* -------------------------------------------------------------------- */
49   /*      If the length is provided, read in one gulp.                    */
50   /* -------------------------------------------------------------------- */
51   if( getenv("CONTENT_LENGTH") != NULL ) {
52     data_max = atoi(getenv("CONTENT_LENGTH"));
53     data = (char *) malloc(data_max+1);
54     if( data == NULL ) {
55       msIO_printf("Content-type: text/html%c%c",10,10);
56       msIO_printf("malloc() failed, Content-Length: %d unreasonably large?\n", data_max );
57       exit( 1 );
58     }
59 
60     if( (int) msIO_fread(data, 1, data_max, stdin) < data_max ) {

There is obviously a problem in case the content-length is negative.
The following is the upstream patch which was used to fix this issue:
 static char *readPostBody( cgiRequestObj *request ) 
 {
   char *data; 
-  int data_max, data_len, chunk_size;
+  unsigned int data_max, data_len; 
+  int chunk_size;
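Review bot: the type change on the `+  unsigned int data_max, data_len;` line adds no range check, so the negative Content-Length case is unchanged: atoi() still returns -1, the assignment converts it to UINT_MAX, and the malloc(data_max+1) at line 53 wraps to malloc(0), which may return a non-NULL pointer (implementation defined); the following msIO_fread(data, 1, data_max, stdin) then writes far past a zero-byte buffer. Suggest parsing the header with strtol() and rejecting negative values and values above a configured maximum before the allocation, e.g. `if (len < 0 || len > MAX_POST_BODY) { msIO_printf("Content-Length unreasonable\n"); exit(1); }`, and keeping the size arithmetic in size_t. The `(int)` cast in the fread comparison at line 60 should also be revisited, since it now compares a signed count against an unsigned data_max.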


Unfortunately this doesn't fix the issue and I wonder why people always think
changing signed types to unsigned will fix such errors.
If I pass 0x as the content-length, according to type conversion rules
in C atoi() will convert this to -1, which is again converted to 0x when
assigning it to an unsigned int. data_max+1 in line 53 will then overflow and
malloc is called with a parameter of 0. This causes malloc to allocate the
smallest possible chunk but it will _not_ return NULL (well, implementation
defined). So it is still possible to perform a heap-based buffer overflow
after the upstream fix.

I'm not sure if this should get a new CVE id but the versions in the CVE id
description should be adjusted and the upstream patch revised.

Cheers
Nico
P.S. @Alan, this is also the reason I have to reject your packages in our
security queue again.

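An added example (not MapServer's code, and not from the report above) that reproduces the arithmetic Nico describes and shows the range check the type change omits: with the "unsigned" patch, a Content-Length of -1 still turns data_max+1 into 0, while a strtol()-based parser rejects the value before anything is allocated. The MAX_POST_BODY limit is an assumed value.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed upper bound for a POST body; set it to what the server can buffer. */
#define MAX_POST_BODY (64u * 1024u * 1024u)

/* Mirrors the upstream patch: atoi() result stored in an unsigned int.
 * Returns the size that the malloc(data_max+1) call would receive. */
unsigned int patched_alloc_size(const char *content_length)
{
    unsigned int data_max = atoi(content_length); /* "-1" -> UINT_MAX */
    return data_max + 1;                           /* UINT_MAX + 1 -> 0 */
}

/* Hardened replacement: accept only a plain decimal number of digits,
 * parse it with strtol(), and reject anything above max_body.
 * A leading '-' fails the first test, so a negative Content-Length never
 * reaches the allocation. Returns 0 and stores the length in *out on
 * success, -1 on any invalid input. */
int parse_content_length(const char *s, size_t max_body, size_t *out)
{
    char *end;
    long v;

    if (s == NULL || *s < '0' || *s > '9')  /* empty, sign or whitespace */
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')     /* too large, or trailing junk */
        return -1;
    if ((unsigned long)v > max_body)         /* unreasonably large */
        return -1;
    *out = (size_t)v;
    return 0;
}

int main(void)
{
    size_t n = 0;
    printf("patched code computes malloc(%u) for Content-Length: -1\n",
           patched_alloc_size("-1"));
    printf("hardened parse of \"-1\": %d\n",
           parse_content_length("-1", MAX_POST_BODY, &n));
    printf("hardened parse of \"4096\": %d, length %zu\n",
           parse_content_length("4096", MAX_POST_BODY, &n), n);
    return 0;
}
```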

[DebianGIS-dev] Bug#523027: [oss-security] incorrect upstream fix for CVE-2009-0840 (mapserver)

2009-06-22 Thread Nico Golde
Hi,
* Nico Golde oss-security...@ngolde.de [2009-06-22 15:45]:
[...] 
> Unfortunately this doesn't fix the issue and I wonder why people always think
> changing signed types to unsigned will fix such errors.
> If I pass 0x as the content-length according to type conversion rules
> in C atoi() will convert this to -1 which is again converted to 0x when
0x^^

[DebianGIS-dev] gpsdrive stable update for #496436

2008-10-04 Thread Nico Golde
Hi,
an insecure temporary file creation was reported against gpsdrive some time ago.
This is Debian bug #496436.

Unfortunately the vulnerability is not important enough to get it fixed via
regular security update in Debian stable. It does not warrant a DSA.

However it would be nice if this could get fixed via a regular point update[0].
Please contact the release team for this.

This is an automatically generated mail, in case you are already working on an
upgrade this is of course pointless.

For further information:
[0] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

