| Summary: | <dev-libs/libmaxminddb-1.1.2: Missing bounds checking and missing verification of data type | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Steffen Weber <steffen.weber> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | netmon |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://github.com/maxmind/libmaxminddb/releases/tag/1.1.2 | ||
| Whiteboard: | ~3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Steffen Weber
2015-11-18 10:27:12 UTC
All information is public, opening From ${URL}:
IMPORTANT: This release includes a number of important security fixes. Among these fixes is improved validation of the database metadata. Unfortunately, MaxMind GeoIP2 and GeoLite2 databases created earlier than January 28, 2014, had an invalid data type for the record_size in the metadata. Previously these databases worked on little endian machines with libmaxminddb but did not work on big endian machines. Due to increased safety checks when reading the file, these databases will no longer work on any platform. If you are using one of these databases, we recommend that you upgrade to the latest GeoLite2 or GeoIP2 database
Seems someone took a fuzzer to it, based on https://github.com/maxmind/libmaxminddb/commit/51255f113fe3c7b63ffe957636a7656a3ff9d1ff setting rating for DoS vector for now 1.1.1 has been removed. 1.1.2 is in the tree. No stable keywords. Thanks! no vulnerable versions in tree. |
