diff options
| author |   Markus Ullmann <jokey@gentoo.org> | 2007-01-17 00:29:31 +0000 |
|---|---|---|
| committer | Markus Ullmann <jokey@gentoo.org> | 2007-01-17 00:29:31 +0000 |
| commit | 47bbe075eded72c4bbee32c708d9620663b43538 (patch) | |
| tree | 617a9c374f87ace37854bc62b8b84132f5a43cc1 /dev-libs/geoip | |
| parent | Fix sed expression. (bug #160328) (diff) | |
| download | historical-47bbe075eded72c4bbee32c708d9620663b43538.tar.gz historical-47bbe075eded72c4bbee32c708d9620663b43538.tar.bz2 historical-47bbe075eded72c4bbee32c708d9620663b43538.zip | |
Adding vuln fix wrt bug #161288
Package-Manager: portage-2.1.2_rc4-r8
Diffstat (limited to 'dev-libs/geoip')
| -rw-r--r-- | dev-libs/geoip/ChangeLog | 11 | ||||
| -rw-r--r-- | dev-libs/geoip/files/digest-geoip-1.4.0-r1 | 3 | ||||
| -rw-r--r-- | dev-libs/geoip/files/geoip-1.4.0-update-vulnerability.patch | 57 | ||||
| -rw-r--r-- | dev-libs/geoip/geoip-1.4.0-r1.ebuild | 40 |
4 files changed, 109 insertions, 2 deletions
diff --git a/dev-libs/geoip/ChangeLog b/dev-libs/geoip/ChangeLog index 9dec943ada6a..2ab46e4076aa 100644 --- a/dev-libs/geoip/ChangeLog +++ b/dev-libs/geoip/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for dev-libs/geoip -# Copyright 2000-2006 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/dev-libs/geoip/ChangeLog,v 1.58 2006/10/20 00:18:45 kloeri Exp $ +# Copyright 2000-2007 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/dev-libs/geoip/ChangeLog,v 1.59 2007/01/17 00:29:31 jokey Exp $ + +*geoip-1.4.0-r1 (17 Jan 2007) + + 17 Jan 2007; Markus Ullmann <jokey@gentoo.org> + +files/geoip-1.4.0-update-vulnerability.patch, -geoip-1.3.12.ebuild, + -geoip-1.3.17.ebuild, -geoip-1.4.0.ebuild, +geoip-1.4.0-r1.ebuild: + Adding vuln fix wrt bug #161288 20 Oct 2006; Bryan Ăstergaard <kloeri@gentoo.org> geoip-1.3.14.ebuild: Stable on Alpha. diff --git a/dev-libs/geoip/files/digest-geoip-1.4.0-r1 b/dev-libs/geoip/files/digest-geoip-1.4.0-r1 new file mode 100644 index 000000000000..f72b725309f3 --- /dev/null +++ b/dev-libs/geoip/files/digest-geoip-1.4.0-r1 @@ -0,0 +1,3 @@ +MD5 da09a3d9a1a91e3d16c0a29e6b056c15 GeoIP-1.4.0.tar.gz 808314 +RMD160 54779bae497d6032a35c1c1de8c97461db9b7075 GeoIP-1.4.0.tar.gz 808314 +SHA256 166782a73f6552a5faea525193a62d273abd8d43556ab88a09efedb597fd6be9 GeoIP-1.4.0.tar.gz 808314 diff --git a/dev-libs/geoip/files/geoip-1.4.0-update-vulnerability.patch b/dev-libs/geoip/files/geoip-1.4.0-update-vulnerability.patch new file mode 100644 index 000000000000..d2a2c9dea8dc --- /dev/null +++ b/dev-libs/geoip/files/geoip-1.4.0-update-vulnerability.patch @@ -0,0 +1,57 @@ +From dean-maxmind.com@arctic.org Mon Sep 4 18:50:28 2006 +Date: Mon, 4 Sep 2006 18:50:28 -0700 (PDT) +From: dean gaudet <dean-maxmind.com@arctic.org> +To: support@maxmind.com +Subject: serious geoipupdate vulnerability + +i'm looking at the GeoIP-1.4.0.tar.gz source ... and it does no sanity +checking on the filename returned by "GET +/app/update_getfilename?product_id=%s". + +for example suppose your webserver were compromised and returned +../../../../../../etc/passwd as the filename. + +please consider something like the patch below... + +-dean + +Index: GeoIP-1.4.0/libGeoIP/GeoIPUpdate.c +=================================================================== +--- GeoIP-1.4.0.orig/libGeoIP/GeoIPUpdate.c 2006-09-04 18:41:21.810722758 -0700 ++++ GeoIP-1.4.0/libGeoIP/GeoIPUpdate.c 2006-09-04 18:45:10.771752943 -0700 +@@ -92,6 +92,8 @@ + return "Invalid userID"; + case GEOIP_PRODUCT_ID_INVALID_ERR: + return "Invalid product ID or subscription expired"; ++ case GEOIP_INVALID_SERVER_RESPONSE: ++ return "Server returned something unexpected"; + default: + return "no error"; + } +@@ -420,6 +422,10 @@ + buf[offset] = 0; + offset = 0; + tmpstr = strstr(buf, "\r\n\r\n") + 4; ++ if (tmpstr[0] == '.' || strchr(tmpstr, '/') != NULL) { ++ free(buf); ++ return GEOIP_INVALID_SERVER_RESPONSE; ++ } + geoipfilename = _GeoIP_full_path_to(tmpstr); + free(buf); + +Index: GeoIP-1.4.0/libGeoIP/GeoIPUpdate.h +=================================================================== +--- GeoIP-1.4.0.orig/libGeoIP/GeoIPUpdate.h 2006-09-04 18:43:41.265969814 -0700 ++++ GeoIP-1.4.0/libGeoIP/GeoIPUpdate.h 2006-09-04 18:43:56.475632408 -0700 +@@ -43,7 +43,8 @@ + GEOIP_SANITY_LOOKUP_FAIL = -22, /* Sanity check ip address lookup failed */ + GEOIP_RENAME_ERR = -23, /* Rename error while installing db, check errno */ + GEOIP_USER_ID_INVALID_ERR = -24, /* Invalid userID */ +- GEOIP_PRODUCT_ID_INVALID_ERR = -25 /* Invalid product ID or subscription expired */ ++ GEOIP_PRODUCT_ID_INVALID_ERR = -25, /* Invalid product ID or subscription expired */ ++ GEOIP_INVALID_SERVER_RESPONSE = -26 + } GeoIPUpdateCode; + + const char * GeoIP_get_error_message(int i); + + diff --git a/dev-libs/geoip/geoip-1.4.0-r1.ebuild b/dev-libs/geoip/geoip-1.4.0-r1.ebuild new file mode 100644 index 000000000000..d2e49b42fadd --- /dev/null +++ b/dev-libs/geoip/geoip-1.4.0-r1.ebuild @@ -0,0 +1,40 @@ +# Copyright 1999-2007 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/dev-libs/geoip/geoip-1.4.0-r1.ebuild,v 1.1 2007/01/17 00:29:31 jokey Exp $ + +inherit autotools eutils libtool + +MY_P="${P/geoip/GeoIP}" +DESCRIPTION="easily lookup countries by IP addresses, even when Reverse DNS entries don't exist" +HOMEPAGE="http://www.maxmind.com/geoip/api/c.shtml" +SRC_URI="http://www.maxmind.com/download/geoip/api/c/${MY_P}.tar.gz" + +LICENSE="LGPL-2.1" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd" +IUSE="" + +DEPEND="" +RDEPEND="" + +S="${WORKDIR}/${MY_P}" + +src_unpack() { + unpack ${A} + cd "${S}" + + epatch "${FILESDIR}/${P}-asneeded.patch" + epatch "${FILESDIR}/${P}-update-vulnerability.patch" + eautomake + + elibtoolize +} + +src_compile() { + econf --enable-shared || die "econf failed" + emake || die "emake failed" +} + +src_install() { + emake DESTDIR="${D}" install || die "einstall failed" +} |