MapServer 'maptemplate.c' Remote Stack Overflow Vulnerability

Vulnerability ID: 1189266    Vulnerability type: Buffer overflow
Published: 2007-08-30    Updated: 2007-08-31
CVE ID: CVE-2007-4629    CNNVD ID: CNNVD-200708-497
Platform: N/A    CVSS score: 7.5
|Vulnerability source
https://cxsecurity.com/issue/WLB-2007090002
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-497
|Vulnerability details
MapServer is an open-source development environment: a CGI-based application for serving dynamic GIS data and imagery over the World Wide Web. The processLine() function in MapServer's maptemplate.c file contains a stack overflow vulnerability. If a user is tricked into opening a map file in which the name of a layer, group or metadata entry exceeds 5120 bytes, the overflow can be triggered, leading to denial of service or execution of arbitrary instructions.
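As an added defensive illustration (not MapServer's own code): a bounded tag builder and a name-length check of the kind that prevents this class of bug, refusing any layer, group or metadata name that would not fit a 5120-byte buffer instead of copying it unchecked. The names build_tag, first_oversized_name and NAME_BUF_SIZE are hypothetical; only the 5120-byte figure comes from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical; mirrors the advisory's 5120-byte figure, not MapServer's own name. */
#define NAME_BUF_SIZE 5120

/* Hypothetical: build a template tag such as "[layername_roads]" into a
 * caller-supplied buffer. Returns 0 on success, -1 if the result would not
 * fit, instead of writing past the end as an unbounded copy would. */
int build_tag(const char *prefix, const char *name, char *out, size_t outlen)
{
    if (out == NULL || outlen == 0 || prefix == NULL || name == NULL)
        return -1;
    int n = snprintf(out, outlen, "[%s_%s]", prefix, name);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';  /* truncated output is an error, not usable data */
        return -1;
    }
    return 0;
}

/* Hypothetical: index of the first layer, group or metadata name that would
 * not fit in a buffer of `limit` bytes (terminator included), or -1 if all
 * names are acceptable. memchr scans at most `limit` bytes, so an oversized
 * name is rejected without walking to its end. */
int first_oversized_name(const char *const *names, size_t count, size_t limit)
{
    for (size_t i = 0; i < count; i++) {
        if (names[i] == NULL || memchr(names[i], '\0', limit) == NULL)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed input: two ordinary names and one 5120-byte name. */
    char *big = malloc(NAME_BUF_SIZE + 1);
    if (big == NULL)
        return 1;
    memset(big, 'A', NAME_BUF_SIZE);
    big[NAME_BUF_SIZE] = '\0';
    const char *names[] = { "roads", "rivers", big };
    char tag[64];
    printf("build_tag: %d %s\n", build_tag("layername", "roads", tag, sizeof tag), tag);
    printf("first oversized name: %d\n", first_oversized_name(names, 3, NAME_BUF_SIZE));
    free(big);
    return 0;
}
```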
|Vulnerability EXP
There is a small possibility of buffer overflow in processLine() (maptemplate.c). To trigger it you'd need a mapfile with a layer name, group name or metadata entry name longer than 5120 chars which is probably larger than what the parser would accept, but we'll fix it just in case.


------------------
Version 4.10.3 (2007-08-22)

    * Fixed XSS vulnerabilities (#2256)
    * Fixed possible buffer overflow in template processing (#2252)
    * Rename libmap.a to libmapserver.a for commonality with libmapserver.so (#2150)
    * Fixed size of output buffer in msGetEncodedString() (#2132)
    * SOS : backport fixes related to large xml outputs (#1938, #2146)
    * WCS : Fixed resampling/reprojecting for tileindex datasets (#2180)

-----------------
|References

Source: VUPEN, ADV-2007-2974: http://www.frsirt.com/english/advisories/2007/2974
Source: mapserver.gis.umn.edu: http://mapserver.gis.umn.edu/download/current/HISTORY.TXT/
Source: trac.osgeo.org: http://trac.osgeo.org/mapserver/ticket/2252
Source: FEDORA, FEDORA-2007-2018: https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00096.html
Source: MISC: https://bugzilla.redhat.com/show_bug.cgi?id=272081
Source: BID, 25582: http://www.securityfocus.com/bid/25582
Source: DEBIAN, DSA-1539: http://www.debian.org/security/2008/dsa-1539
Source: SREASON, 3082: http://securityreason.com/securityalert/3082
Source: SECUNIA, 29688: http://secunia.com/advisories/29688
Source: SECUNIA, 26718: http://secunia.com/advisories/26718
Source: SECUNIA, 26561: http://secunia.com/advisories/26561