Possible SQL injection in WFS

Bug #809133 reported by Alan Boudreault
Affects               Status        Importance  Assigned to       Milestone
mapserver (Ubuntu)    Fix Released  Undecided   Jamie Strandboge
  Hardy               Fix Released  Undecided   Unassigned
  Lucid               Fix Released  Undecided   Unassigned
  Maverick            Fix Released  Undecided   Unassigned
  Natty               Fix Released  Undecided   Steve Beattie
  Oneiric             Fix Released  Undecided   Jamie Strandboge

Bug Description

MapServer developers have discovered flaws in the OGC filter support in MapServer.

All versions may be susceptible to SQL injection under certain circumstances.

Tags: patch
Changed in mapserver (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiffs. Is this issue public now?
Does this issue have a CVE number?

The changes are extensive, what kind of testing did you perform on the debdiffs?

Thanks.

Alan Boudreault (aboudreault) wrote : Re: [Bug 809133] Re: Possible SQL injection in WFS

Hi,

Not sure if/when the guy from Debian security will send me the CVE id. The
issue is still private for the moment.

The tests have been performed by our devs for all DB drivers and different types
of requests.

Alan

On July 12, 2011 01:49:01 pm Marc Deslauriers wrote:
> Thanks for the debdiffs. Is this issue public now?
> Does this issue have a CVE number?
>
> The changes are extensive, what kind of testing did you perform on the
> debdiffs?
>
> Thanks.

--
Alan Boudreault
Mapgears
http://www.mapgears.com

Alan Boudreault (aboudreault) wrote :

The issue is public now. We released software updates last week.

Alan

On July 18, 2011 09:38:50 am Marc Deslauriers wrote:
> Reference:
>
> http://trac.osgeo.org/mapserver/changeset/11897 (4.10)
> http://trac.osgeo.org/mapserver/changeset/11894 (5.0)
> http://trac.osgeo.org/mapserver/changeset/11893 (5.2)
> http://trac.osgeo.org/mapserver/changeset/11892 (5.4)
> http://trac.osgeo.org/mapserver/changeset/11891 (5.6)
> http://trac.osgeo.org/mapserver/changeset/11890 (6.0)
> http://trac.osgeo.org/mapserver/changeset/11898 (trunk)
>
> Could you please let us know once this issue is public and we can
> release the updates?
>
> Thanks!

--
Alan Boudreault
Mapgears
http://www.mapgears.com

Steve Beattie (sbeattie) wrote :

Hi Alan,

I noticed a minor thing while reviewing these patches. The patches add a new compilation warning (example from the 5.0.0-3ubuntu0.3 build):

  mapogr.cpp: In function 'char* msOGREscapeSQLParam(layerObj*, const char*)':
  mapogr.cpp:2406: warning: control reaches end of non-void function

which looks to be a correct warning; if USE_OGR is defined and the if condition in msOGREscapeSQLParam() does not evaluate to true, then nothing is returned (which, if I recall the gcc calling conventions correctly, means that layer will be sitting in the returned value spot). It seems to me that the "return pszEscapedStr ;" needs to move outside of the if statement. However, I've not verified that a returned NULL value is handled correctly by all the potential callers of msOGREscapeSQLParam().

(The comment header for msOGREscapePropertyName() also mistakenly refers to msOGREscapeSQLParam. Note that it does not suffer from the same lack of return value because the "return pszEscapedStr;" is placed correctly.)

It seems the patches that were attached were not the latest ones, as they're missing the PostGIS fixes mentioned in http://trac.osgeo.org/mapserver/ticket/3903 (also, the upstream final versions attached to that bug are all in reverse patch format).

I'll fix up the patches you provided and push them out. Thanks!

Changed in mapserver (Ubuntu):
assignee: nobody → Steve Beattie (sbeattie)
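As an added illustration of the two points in the comment above (the return placed outside the conditional, and callers checking for NULL), here is a small escaper in C. It is not MapServer's code; escape_sql_literal() and build_name_predicate() are hypothetical names, and the escaping rule (doubling single quotes) is a stand-in for whatever the driver actually requires.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical escaper (not MapServer's msOGREscapeSQLParam): doubles single
 * quotes so a WFS filter literal can be embedded inside a quoted SQL string.
 * Returns a malloc'd copy, or NULL if the input is NULL or allocation fails.
 * The single return sits outside every conditional, so no path can fall off
 * the end of the function (the warning the comment above describes). */
char *escape_sql_literal(const char *in)
{
    char *out = NULL;
    if (in != NULL) {
        size_t i, j = 0, len = strlen(in);
        out = malloc(len * 2 + 1);   /* worst case: every byte is a quote */
        if (out != NULL) {
            for (i = 0; i < len; i++) {
                if (in[i] == '\'')
                    out[j++] = '\'';  /* ' becomes '' */
                out[j++] = in[i];
            }
            out[j] = '\0';
        }
    }
    return out;   /* reached on every path, including the NULL cases */
}

/* Caller that treats a NULL escape result as failure rather than quietly
 * interpolating it. Writes "name = '<escaped>'" into buf; returns 0 on
 * success, -1 if escaping failed or buf is too small. */
int build_name_predicate(const char *value, char *buf, size_t buflen)
{
    int rc = -1;
    char *esc = escape_sql_literal(value);
    if (esc != NULL) {
        size_t need = strlen("name = ''") + strlen(esc) + 1; /* +1 for NUL */
        if (need <= buflen) {
            strcpy(buf, "name = '");
            strcat(buf, esc);
            strcat(buf, "'");
            rc = 0;
        }
        free(esc);
    }
    return rc;
}
```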
Alan Boudreault (aboudreault) wrote :

Hi Steve, I am aware of the PostGIS change, but it was not critical, since even without that change things would work and be safe: the generic function would have been used. Not sure if the similar mapogr issue is supposed to roll back on the generic method too...

Thanks for fixing it!

Alan Boudreault (aboudreault) wrote :

Is it too late to add a small other patch for those packages? If no, can I simply add a .patch file?

Alan Boudreault (aboudreault) wrote :

Nvm, we decided that the minor fix will be in another release. thanks

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mapserver - 5.6.5-2ubuntu0.1

---------------
mapserver (5.6.5-2ubuntu0.1) natty-security; urgency=low

  * SECURITY UPDATE: SQL Injection and buffer overflows (LP: #809133)
    - debian/patches/09_wfs_sql_injection.dpatch: Fix possible WFS
      SQL injection and buffer overflows in OGC Filter Encoding
      support. [http://trac.osgeo.org/mapserver/ticket/3874]
      [http://trac.osgeo.org/mapserver/ticket/3903]
    - CVE-2011-2703, CVE-2011-2704
 -- Alan Boudreault <email address hidden> Tue, 12 Jul 2011 01:48:39 -0400

Changed in mapserver (Ubuntu):
status: Confirmed → Fix Released
Steve Beattie (sbeattie)
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Oneiric is still affected.

Changed in mapserver (Ubuntu Lucid):
status: New → Fix Released
Changed in mapserver (Ubuntu Maverick):
status: New → Fix Released
Changed in mapserver (Ubuntu Natty):
status: New → Fix Released
Changed in mapserver (Ubuntu Hardy):
status: New → Fix Released
Changed in mapserver (Ubuntu Oneiric):
assignee: Steve Beattie (sbeattie) → nobody
status: Fix Released → Triaged
Changed in mapserver (Ubuntu Natty):
assignee: nobody → Steve Beattie (sbeattie)
Marc Deslauriers (mdeslaur) wrote :

Unsubscribing ubuntu-security-sponsors for now since there is nothing to do.

Jamie Strandboge (jdstrand) wrote :

Will somebody be providing a debdiff for Oneiric? AFAICT, this is not fixed in 5.6.6-2 in Debian.

tags: added: patch
Jamie Strandboge (jdstrand) wrote :

I'm just going to apply the natty patch which applies cleanly with only line differences. Please advise if this is in error.

Changed in mapserver (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Changed in mapserver (Ubuntu Oneiric):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mapserver - 5.6.6-1.1ubuntu1

---------------
mapserver (5.6.6-1.1ubuntu1) oneiric; urgency=low

  * SECURITY UPDATE: SQL Injection and buffer overflows (LP: #809133)
    - debian/patches/wfs_sql_injection.dpatch: Fix possible WFS SQL injection
      and buffer overflows in OGC Filter Encoding support. Patch from Natty
      refreshed for Oneiric.
    - http://trac.osgeo.org/mapserver/ticket/3874
    - http://trac.osgeo.org/mapserver/ticket/3903
    - CVE-2011-2703, CVE-2011-2704
 -- Jamie Strandboge <email address hidden> Fri, 09 Sep 2011 09:46:09 -0500

Changed in mapserver (Ubuntu Oneiric):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.