161288 – dev-libs/geoip arbitrary file overwrite (CVE-2007-0159)

Bug 161288 - dev-libs/geoip arbitrary file overwrite (CVE-2007-0159)

Summary: dev-libs/geoip arbitrary file overwrite (CVE-2007-0159)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2007-01-10 07:47 UTC by Executioner
Modified:	2007-02-10 18:50 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Executioner 2007-01-10 07:47:03 UTC

Directory traversal vulnerability in the GeoIP_update_database_general function in libGeoIP/GeoIPUpdate.c in GeoIP 1.4.0 allows remote malicious update servers (possibly only update.maxmind.com) to overwrite arbitrary files via a .. (dot dot) in the database filename, which is returned by a request to app/update_getfilename.

 

Reproducible: Didn't try




http://frontal2.mandriva.com/security/advisories?name=MDKSA-2007:004
http://arctic.org/~dean/patches/GeoIP-1.4.0-update-vulnerability.patch

Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-01-14 19:45:30 UTC

Thansk for the report, please Cc directly the maintainer.

Patch: http://arctic.org/~dean/patches/GeoIP-1.4.0-update-vulnerability.patch

Comment 2 Markus Ullmann (RETIRED) gentoo-dev

2007-01-17 00:30:37 UTC

Committed to CVS, ready for stable

Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-01-17 22:32:36 UTC

Hi arches, please test and mark stable:
dev-libs/geoip-1.4.0-r1

Comment 4 Jason Wever (RETIRED) gentoo-dev

2007-01-17 23:43:03 UTC

Stable on SPARC.

Comment 5 Bryan Østergaard (RETIRED) gentoo-dev

2007-01-18 03:40:07 UTC

Alpha stable.

Comment 6 Jeroen Roovers (RETIRED) gentoo-dev

2007-01-18 08:00:10 UTC

Stable for HPPA.

Comment 7 Christian Faulhammer (RETIRED) gentoo-dev

2007-01-18 08:03:54 UTC

x86 stable

Comment 8 Markus Rothe (RETIRED) gentoo-dev

2007-01-18 09:00:06 UTC

ppc64 stable

Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev

2007-01-18 21:03:05 UTC

ppc stable

Comment 10 Alexander Færøy 2007-01-19 18:57:28 UTC

Stable on IA64.

Comment 11 Steve Dibb (RETIRED) gentoo-dev

2007-01-23 10:57:45 UTC

amd64 stable

Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev

2007-01-24 20:08:58 UTC

voting time...

Comment 13 Vic Fryzel (shellsage) (RETIRED) gentoo-dev

2007-01-27 21:32:45 UTC

I vote yes, just running the server seems to make a whole system vulnerable.

Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-01-27 22:50:15 UTC

I tend to vote NO.

Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-02-10 18:50:09 UTC

no and closing, feel free to reopen if you disagree