Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

DSA-1914-1 mapserver -- several vulnerabilities

Related Vulnerabilities: CVE-2009-0843   CVE-2009-0842   CVE-2009-0841   CVE-2009-0840   CVE-2009-0839   CVE-2009-2281  

Several vulnerabilities have been discovered in mapserver, a CGI-based web framework to publish spatial data and interactive mapping applications. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0843 Missing input validation on a user supplied map queryfile name can be used by an attacker to check for the existence of a specific file by using the queryfile GET parameter and checking for differences in error messages. CVE-2009-0842 A lack of file type verification when parsing a map file can lead to partial disclosure of content from arbitrary files through parser error messages. CVE-2009-0841 Due to missing input validation when saving map files under certain conditions it is possible to perform directory traversal attacks and to create arbitrary files. NOTE: Unless the attacker is able to create directories in the image path or there is already a readable directory this doesn't affect installations on Linux as the fopen() syscall will fail in case a sub path is not readable. CVE-2009-0839 It was discovered that mapserver is vulnerable to a stack-based buffer overflow when processing certain GET parameters. An attacker can use this to execute arbitrary code on the server via crafted id parameters. CVE-2009-0840 An integer overflow leading to a heap-based buffer overflow when processing the Content-Length header of an HTTP request can be used by an attacker to execute arbitrary code via crafted POST requests containing negative Content-Length values. CVE-2009-2281 An integer overflow when processing HTTP requests can lead to a heap-based buffer overflow. An attacker can use this to execute arbitrary code either via crafted Content-Length values or large HTTP request. This is partly because of an incomplete fix for CVE-2009-0840. For the oldstable distribution (etch), this problem has been fixed in version 4.10.0-5.1+etch4. For the stable distribution (lenny), this problem has been fixed in version 5.0.3-3+lenny4. For the testing distribution (squeeze), this problem has been fixed in version 5.4.2-1. For the unstable distribution (sid), this problem has been fixed in version 5.4.2-1. We recommend that you upgrade your mapserver packages.

Source

Debian Security Advisory

DSA-1914-1 mapserver -- several vulnerabilities

Date Reported:
22 Oct 2009
Affected Packages:
mapserver
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2009-0843, CVE-2009-0842, CVE-2009-0841, CVE-2009-0840, CVE-2009-0839, CVE-2009-2281.
More information:

Several vulnerabilities have been discovered in mapserver, a CGI-based web framework to publish spatial data and interactive mapping applications. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2009-0843

    Missing input validation on a user supplied map queryfile name can be used by an attacker to check for the existence of a specific file by using the queryfile GET parameter and checking for differences in error messages.

  • CVE-2009-0842

    A lack of file type verification when parsing a map file can lead to partial disclosure of content from arbitrary files through parser error messages.

  • CVE-2009-0841

    Due to missing input validation when saving map files under certain conditions it is possible to perform directory traversal attacks and to create arbitrary files. NOTE: Unless the attacker is able to create directories in the image path or there is already a readable directory this doesn't affect installations on Linux as the fopen() syscall will fail in case a sub path is not readable.

  • CVE-2009-0839

    It was discovered that mapserver is vulnerable to a stack-based buffer overflow when processing certain GET parameters. An attacker can use this to execute arbitrary code on the server via crafted id parameters.

  • CVE-2009-0840

    An integer overflow leading to a heap-based buffer overflow when processing the Content-Length header of an HTTP request can be used by an attacker to execute arbitrary code via crafted POST requests containing negative Content-Length values.

  • CVE-2009-2281

    An integer overflow when processing HTTP requests can lead to a heap-based buffer overflow. An attacker can use this to execute arbitrary code either via crafted Content-Length values or large HTTP request. This is partly because of an incomplete fix for CVE-2009-0840.

For the oldstable distribution (etch), this problem has been fixed in version 4.10.0-5.1+etch4.

For the stable distribution (lenny), this problem has been fixed in version 5.0.3-3+lenny4.

For the testing distribution (squeeze), this problem has been fixed in version 5.4.2-1.

For the unstable distribution (sid), this problem has been fixed in version 5.4.2-1.

We recommend that you upgrade your mapserver packages.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:
http://security.debian.org/pool/updates/main/m/mapserver/mapserver_4.10.0-5.1+etch4.dsc
http://security.debian.org/pool/updates/main/m/mapserver/mapserver_4.10.0.orig.tar.gz
http://security.debian.org/pool/updates/main/m/mapserver/mapserver_4.10.0-5.1+etch4.diff.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc_4.10.0-5.1+etch4_all.deb
Alpha:
http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_4.10.0-5.1+etch4_alpha.deb
http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_4.10.0-5.1+etch4_alpha.deb
http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_4.10.0-5.1+etch4_alpha.deb
http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_4.10.0-5.1+etch4_alpha.deb
http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscript_4.10.0-5.1+etch4_alpha.deb
http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_4.10.0-5.1+etch4_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscript_4.10.0-5.1+etch4_arm.deb
http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_4.10.0-5.1+etch4_arm.deb
http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_4.10.0-5.1+etch4_arm.deb
http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_4.10.0-5.1+etch4_arm.deb
http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_4.10.0-5.1+etch4_arm.deb
http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_4.10.0-5.1+etch4_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscript_4.10.0-5.1+etch4_i386.deb
http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_4.10.0-5.1+etch4_i386.deb
http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_4.10.0-5.1+etch4_i386.deb
http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_4.10.0-5.1+etch4_i386.deb
http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_4.10.0-5.1+etch4_i386.deb
http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_4.10.0-5.1+etch4_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_4.10.0-5.1+etch4_ia64.deb
http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_4.10.0-5.1+etch4_ia64.deb
http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_4.10.0-5.1+etch4_ia64.deb
http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscript_4.10.0-5.1+etch4_ia64.deb
http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_4.10.0-5.1+etch4_ia64.deb
http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_4.10.0-5.1+etch4_ia64.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscript_4.10.0-5.1+etch4_mipsel.deb
http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_4.10.0-5.1+etch4_mipsel.deb
http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_4.10.0-5.1+etch4_mipsel.deb
http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_4.10.0-5.1+etch4_mipsel.deb
http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_4.10.0-5.1+etch4_mipsel.deb
http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_4.10.0-5.1+etch4_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_4.10.0-5.1+etch4_powerpc.deb
http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_4.10.0-5.1+etch4_powerpc.deb
http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_4.10.0-5.1+etch4_powerpc.deb
http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_4.10.0-5.1+etch4_powerpc.deb
http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_4.10.0-5.1+etch4_powerpc.deb
http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscript_4.10.0-5.1+etch4_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_4.10.0-5.1+etch4_s390.deb
http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_4.10.0-5.1+etch4_s390.deb
http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_4.10.0-5.1+etch4_s390.deb
http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscript_4.10.0-5.1+etch4_s390.deb
http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_4.10.0-5.1+etch4_s390.deb
http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_4.10.0-5.1+etch4_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_4.10.0-5.1+etch4_sparc.deb
http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscript_4.10.0-5.1+etch4_sparc.deb
http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_4.10.0-5.1+etch4_sparc.deb
http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_4.10.0-5.1+etch4_sparc.deb
http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_4.10.0-5.1+etch4_sparc.deb
http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_4.10.0-5.1+etch4_sparc.deb

Debian GNU/Linux 5.0 (lenny)

Source:
http://security.debian.org/pool/updates/main/m/mapserver/mapserver_5.0.3.orig.tar.gz
http://security.debian.org/pool/updates/main/m/mapserver/mapserver_5.0.3-3+lenny4.dsc
http://security.debian.org/pool/updates/main/m/mapserver/mapserver_5.0.3-3+lenny4.diff.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/m/mapserver/libmapscript-ruby_5.0.3-3+lenny4_all.deb
http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc_5.0.3-3+lenny4_all.deb
Alpha:
http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_5.0.3-3+lenny4_alpha.deb
http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_5.0.3-3+lenny4_alpha.deb
http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_5.0.3-3+lenny4_alpha.deb
http://security.debian.org/pool/updates/main/m/mapserver/libmapscript-ruby1.9_5.0.3-3+lenny4_alpha.deb
http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_5.0.3-3+lenny4_alpha.deb
http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_5.0.3-3+lenny4_alpha.deb
http://security.debian.org/pool/updates/main/m/mapserver/libmapscript-ruby1.8_5.0.3-3+lenny4_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_5.0.3-3+lenny4_arm.deb
http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_5.0.3-3+lenny4_arm.deb
http://security.debian.org/pool/updates/main/m/mapserver/libmapscript-ruby1.9_5.0.3-3+lenny4_arm.deb
http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_5.0.3-3+lenny4_arm.deb
http://security.debian.org/pool/updates/main/m/mapserver/libmapscript-ruby1.8_5.0.3-3+lenny4_arm.deb
http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_5.0.3-3+lenny4_arm.deb
http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_5.0.3-3+lenny4_arm.deb
ARM EABI:
http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_5.0.3-3+lenny4_armel.deb
http://security.debian.org/pool/updates/main/m/mapserver/libmapscript-ruby1.9_5.0.3-3+lenny4_armel.deb
http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_5.0.3-3+lenny4_armel.deb
http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_5.0.3-3+lenny4_armel.deb
http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_5.0.3-3+lenny4_armel.deb
http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_5.0.3-3+lenny4_armel.deb
http://security.debian.org/pool/updates/main/m/mapserver/libmapscript-ruby1.8_5.0.3-3+lenny4_armel.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_5.0.3-3+lenny4_i386.deb
http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_5.0.3-3+lenny4_i386.deb
http://security.debian.org/pool/updates/main/m/mapserver/libmapscript-ruby1.8_5.0.3-3+lenny4_i386.deb
http://security.debian.org/pool/updates/main/m/mapserver/libmapscript-ruby1.9_5.0.3-3+lenny4_i386.deb
http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_5.0.3-3+lenny4_i386.deb
http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_5.0.3-3+lenny4_i386.deb
http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_5.0.3-3+lenny4_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_5.0.3-3+lenny4_ia64.deb
http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_5.0.3-3+lenny4_ia64.deb
http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_5.0.3-3+lenny4_ia64.deb
http://security.debian.org/pool/updates/main/m/mapserver/libmapscript-ruby1.9_5.0.3-3+lenny4_ia64.deb
http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_5.0.3-3+lenny4_ia64.deb
http://security.debian.org/pool/updates/main/m/mapserver/libmapscript-ruby1.8_5.0.3-3+lenny4_ia64.deb
http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_5.0.3-3+lenny4_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_5.0.3-3+lenny4_mips.deb
http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_5.0.3-3+lenny4_mips.deb
http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_5.0.3-3+lenny4_mips.deb
http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_5.0.3-3+lenny4_mips.deb
http://security.debian.org/pool/updates/main/m/mapserver/libmapscript-ruby1.9_5.0.3-3+lenny4_mips.deb
http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_5.0.3-3+lenny4_mips.deb
http://security.debian.org/pool/updates/main/m/mapserver/libmapscript-ruby1.8_5.0.3-3+lenny4_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_5.0.3-3+lenny4_mipsel.deb
http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_5.0.3-3+lenny4_mipsel.deb
http://security.debian.org/pool/updates/main/m/mapserver/libmapscript-ruby1.8_5.0.3-3+lenny4_mipsel.deb
http://security.debian.org/pool/updates/main/m/mapserver/libmapscript-ruby1.9_5.0.3-3+lenny4_mipsel.deb
http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_5.0.3-3+lenny4_mipsel.deb
http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_5.0.3-3+lenny4_mipsel.deb
http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_5.0.3-3+lenny4_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_5.0.3-3+lenny4_powerpc.deb
http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_5.0.3-3+lenny4_powerpc.deb
http://security.debian.org/pool/updates/main/m/mapserver/libmapscript-ruby1.8_5.0.3-3+lenny4_powerpc.deb
http://security.debian.org/pool/updates/main/m/mapserver/libmapscript-ruby1.9_5.0.3-3+lenny4_powerpc.deb
http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_5.0.3-3+lenny4_powerpc.deb
http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_5.0.3-3+lenny4_powerpc.deb
http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_5.0.3-3+lenny4_powerpc.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/m/mapserver/libmapscript-ruby1.8_5.0.3-3+lenny4_sparc.deb
http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_5.0.3-3+lenny4_sparc.deb
http://security.debian.org/pool/updates/main/m/mapserver/libmapscript-ruby1.9_5.0.3-3+lenny4_sparc.deb
http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_5.0.3-3+lenny4_sparc.deb
http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_5.0.3-3+lenny4_sparc.deb
http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_5.0.3-3+lenny4_sparc.deb
http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_5.0.3-3+lenny4_sparc.deb

MD5 checksums of the listed files are available in the original advisory.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started