Package: geoip
Version: 1.3.17-1

the patch below has been accepted into the upstream repository and will 
appear in the next release; however, since it closes a path-traversal hole in 
geoipupdate, it may be worth applying it to the debian package in the interim.

-dean

----- Original message -----
From: "dean gaudet"
Date: Mon, 4 Sep 2006 18:50:28 -0700 (PDT)
Subject: serious geoipupdate vulnerability

i'm looking at the GeoIP-1.4.0.tar.gz source ... and it does no sanity 
checking on the filename returned by "GET 
/app/update_getfilename?product_id=%s".

for example, suppose the update server (or anything able to tamper with its 
response in transit) were compromised and returned 
../../../../../../etc/passwd as the filename: the client would build its 
target path from that string as-is, so the downloaded data would be written 
outside the GeoIP data directory.

please consider something like the patch below...

-dean

Index: GeoIP-1.4.0/libGeoIP/GeoIPUpdate.c
===================================================================
--- GeoIP-1.4.0.orig/libGeoIP/GeoIPUpdate.c     2006-09-04
18:41:21.810722758 -0700
+++ GeoIP-1.4.0/libGeoIP/GeoIPUpdate.c  2006-09-04 18:45:10.771752943
-0700
@@ -92,6 +92,8 @@
     return "Invalid userID";
   case GEOIP_PRODUCT_ID_INVALID_ERR:
     return "Invalid product ID or subscription expired";
+  case GEOIP_INVALID_SERVER_RESPONSE:
+    return "Server returned something unexpected";
   default:
     return "no error";
   }  
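Review bot: The new message "Server returned something unexpected" is too generic for the one place it is raised, the filename sanity check; an operator who sees it in a log has no hint that the update server handed back a suspicious path, which is exactly the event worth noticing. Consider `return "Server returned an invalid or unsafe filename";` so the failure is diagnosable without reading the source. GeoIP_get_error_message starts outside this hunk.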
@@ -420,6 +422,10 @@
        buf[offset] = 0;
        offset = 0;
        tmpstr = strstr(buf, "\r\n\r\n") + 4;
+       if (tmpstr[0] == '.' || strchr(tmpstr, '/') != NULL) {
+               free(buf);
+               return GEOIP_INVALID_SERVER_RESPONSE;
+       }
        geoipfilename = _GeoIP_full_path_to(tmpstr);
        free(buf);
 
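Review bot: The new guard dereferences `tmpstr` at once, but `tmpstr` comes from `strstr(buf, "\r\n\r\n") + 4` on the line above, which is an invalid pointer whenever the response carries no header terminator; a truncated or non-HTTP reply from the same untrusted server therefore crashes the client before the filename is ever checked (the unconditional `+ 4` was already a problem for the `_GeoIP_full_path_to` call, but this check is the natural place to fix it). The guard also accepts an empty filename, so `_GeoIP_full_path_to("")` would become the target path; `tmpstr[0] == '\0'` should be rejected as well. Whether the name may still carry trailing `\r\n` or other control bytes cannot be seen from the hunk, so a character allow-list would be a stronger check than the current deny-list of a leading `.` and `/`, and if this file is also built where `\\` is a separator it needs the same treatment. The enclosing function starts and ends outside this hunk.
```c
        tmpstr = strstr(buf, "\r\n\r\n");
        if (tmpstr == NULL) {
                /* No header terminator: malformed or truncated reply. */
                free(buf);
                return GEOIP_INVALID_SERVER_RESPONSE;
        }
        tmpstr += 4;
        /* Reject empty names, dotfiles/"..", and anything with a path separator. */
        if (tmpstr[0] == '\0' || tmpstr[0] == '.' || strchr(tmpstr, '/') != NULL) {
                free(buf);
                return GEOIP_INVALID_SERVER_RESPONSE;
        }
        geoipfilename = _GeoIP_full_path_to(tmpstr);
        /* … unchanged: free(buf) and the rest of the function … */
```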
Index: GeoIP-1.4.0/libGeoIP/GeoIPUpdate.h
===================================================================
--- GeoIP-1.4.0.orig/libGeoIP/GeoIPUpdate.h     2006-09-04
18:43:41.265969814 -0700
+++ GeoIP-1.4.0/libGeoIP/GeoIPUpdate.h  2006-09-04 18:43:56.475632408
-0700
@@ -43,7 +43,8 @@
        GEOIP_SANITY_LOOKUP_FAIL      = -22, /* Sanity check ip address lookup 
failed */
        GEOIP_RENAME_ERR              = -23, /* Rename error while installing 
db, check errno */
        GEOIP_USER_ID_INVALID_ERR     = -24, /* Invalid userID */
-       GEOIP_PRODUCT_ID_INVALID_ERR  = -25  /* Invalid product ID or
subscription expired */
+       GEOIP_PRODUCT_ID_INVALID_ERR  = -25, /* Invalid product ID or
subscription expired */
+       GEOIP_INVALID_SERVER_RESPONSE = -26
 } GeoIPUpdateCode;
 
 const char * GeoIP_get_error_message(int i);
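Review bot: The new enumerator `GEOIP_INVALID_SERVER_RESPONSE = -26` is the only member of GeoIPUpdateCode without the trailing comment every sibling carries, and the name does not say what was actually rejected. Add the comment in the same form as its neighbours, e.g. `GEOIP_INVALID_SERVER_RESPONSE = -26  /* Server returned an invalid or unsafe filename */`, so callers mapping codes to actions know this one means the update was refused for safety rather than a transient failure. The enum's opening lines are outside this hunk.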


