Adding vuln fix wrt bug #161288
authorMarkus Ullmann <jokey@gentoo.org>
Wed, 17 Jan 2007 00:29:31 +0000 (00:29 +0000)
committerMarkus Ullmann <jokey@gentoo.org>
Wed, 17 Jan 2007 00:29:31 +0000 (00:29 +0000)
Package-Manager: portage-2.1.2_rc4-r8

dev-libs/geoip/ChangeLog
dev-libs/geoip/files/digest-geoip-1.4.0-r1 [new file with mode: 0644]
dev-libs/geoip/files/geoip-1.4.0-update-vulnerability.patch [new file with mode: 0644]
dev-libs/geoip/geoip-1.4.0-r1.ebuild [new file with mode: 0644]

index 9dec943ada6a616a11746d7d10dab92e5751d2ea..2ab46e4076aaf6c46ca658d87137abb47d0c0d0d 100644 (file)
@@ -1,6 +1,13 @@
 # ChangeLog for dev-libs/geoip
-# Copyright 2000-2006 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/geoip/ChangeLog,v 1.58 2006/10/20 00:18:45 kloeri Exp $
+# Copyright 2000-2007 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/geoip/ChangeLog,v 1.59 2007/01/17 00:29:31 jokey Exp $
+
+*geoip-1.4.0-r1 (17 Jan 2007)
+
+  17 Jan 2007; Markus Ullmann <jokey@gentoo.org>
+  +files/geoip-1.4.0-update-vulnerability.patch, -geoip-1.3.12.ebuild,
+  -geoip-1.3.17.ebuild, -geoip-1.4.0.ebuild, +geoip-1.4.0-r1.ebuild:
+  Adding vuln fix wrt bug #161288
 
   20 Oct 2006; Bryan Ã˜stergaard <kloeri@gentoo.org> geoip-1.3.14.ebuild:
   Stable on Alpha.
diff --git a/dev-libs/geoip/files/digest-geoip-1.4.0-r1 b/dev-libs/geoip/files/digest-geoip-1.4.0-r1
new file mode 100644 (file)
index 0000000..f72b725
--- /dev/null
@@ -0,0 +1,3 @@
+MD5 da09a3d9a1a91e3d16c0a29e6b056c15 GeoIP-1.4.0.tar.gz 808314
+RMD160 54779bae497d6032a35c1c1de8c97461db9b7075 GeoIP-1.4.0.tar.gz 808314
+SHA256 166782a73f6552a5faea525193a62d273abd8d43556ab88a09efedb597fd6be9 GeoIP-1.4.0.tar.gz 808314
diff --git a/dev-libs/geoip/files/geoip-1.4.0-update-vulnerability.patch b/dev-libs/geoip/files/geoip-1.4.0-update-vulnerability.patch
new file mode 100644 (file)
index 0000000..d2a2c9d
--- /dev/null
@@ -0,0 +1,57 @@
+From dean-maxmind.com@arctic.org Mon Sep  4 18:50:28 2006
+Date: Mon, 4 Sep 2006 18:50:28 -0700 (PDT)
+From: dean gaudet <dean-maxmind.com@arctic.org>
+To: support@maxmind.com
+Subject: serious geoipupdate vulnerability
+
+i'm looking at the GeoIP-1.4.0.tar.gz source ... and it does no sanity 
+checking on the filename returned by "GET 
+/app/update_getfilename?product_id=%s".
+
+for example suppose your webserver were compromised and returned 
+../../../../../../etc/passwd as the filename.
+
+please consider something like the patch below...
+
+-dean
+
+Index: GeoIP-1.4.0/libGeoIP/GeoIPUpdate.c
+===================================================================
+--- GeoIP-1.4.0.orig/libGeoIP/GeoIPUpdate.c    2006-09-04 18:41:21.810722758 -0700
++++ GeoIP-1.4.0/libGeoIP/GeoIPUpdate.c 2006-09-04 18:45:10.771752943 -0700
+@@ -92,6 +92,8 @@
+     return "Invalid userID";
+   case GEOIP_PRODUCT_ID_INVALID_ERR:
+     return "Invalid product ID or subscription expired";
++  case GEOIP_INVALID_SERVER_RESPONSE:
++    return "Server returned something unexpected";
+   default:
+     return "no error";
+   }  
+@@ -420,6 +422,10 @@
+       buf[offset] = 0;
+       offset = 0;
+       tmpstr = strstr(buf, "\r\n\r\n") + 4;
++      if (tmpstr[0] == '.' || strchr(tmpstr, '/') != NULL) {
++              free(buf);
++              return GEOIP_INVALID_SERVER_RESPONSE;
++      }
+       geoipfilename = _GeoIP_full_path_to(tmpstr);
+       free(buf);
+Index: GeoIP-1.4.0/libGeoIP/GeoIPUpdate.h
+===================================================================
+--- GeoIP-1.4.0.orig/libGeoIP/GeoIPUpdate.h    2006-09-04 18:43:41.265969814 -0700
++++ GeoIP-1.4.0/libGeoIP/GeoIPUpdate.h 2006-09-04 18:43:56.475632408 -0700
+@@ -43,7 +43,8 @@
+       GEOIP_SANITY_LOOKUP_FAIL      = -22, /* Sanity check ip address lookup failed */
+       GEOIP_RENAME_ERR              = -23, /* Rename error while installing db, check errno */
+       GEOIP_USER_ID_INVALID_ERR     = -24, /* Invalid userID */
+-      GEOIP_PRODUCT_ID_INVALID_ERR  = -25  /* Invalid product ID or subscription expired */
++      GEOIP_PRODUCT_ID_INVALID_ERR  = -25, /* Invalid product ID or subscription expired */
++      GEOIP_INVALID_SERVER_RESPONSE = -26
+ } GeoIPUpdateCode;
+ const char * GeoIP_get_error_message(int i);
+
+
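Review bot: The new guard `if (tmpstr[0] == '.' || strchr(tmpstr, '/') != NULL)` dereferences `tmpstr` before anything checks that the `strstr(buf, "\r\n\r\n")` on the preceding context line actually found the header terminator; when it returns NULL, `tmpstr` is `NULL + 4` and the sanity check itself reads through an invalid pointer on exactly the malformed-response case it is meant to reject. An empty filename also passes the check (`tmpstr[0]` is `'\0'` and there is no slash), so `_GeoIP_full_path_to` would presumably be handed an empty name — I would check the `strstr` result and treat an empty name as invalid, as below. The new enum member `GEOIP_INVALID_SERVER_RESPONSE = -26` is the only one in the table without a trailing comment; `/* Server returned something unexpected */` would match its siblings and the message added to GeoIP_get_error_message. The enclosing update function starts and ends outside the hunk.
```c
      tmpstr = strstr(buf, "\r\n\r\n");
      /* reject missing header terminator, empty names, dot-prefixed names and any path separator */
      if (tmpstr == NULL || tmpstr[4] == '\0' || tmpstr[4] == '.' || strchr(tmpstr + 4, '/') != NULL) {
              free(buf);
              return GEOIP_INVALID_SERVER_RESPONSE;
      }
      tmpstr += 4;
      geoipfilename = _GeoIP_full_path_to(tmpstr);
      /* … unchanged: free(buf) and the rest of the update path … */
```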
diff --git a/dev-libs/geoip/geoip-1.4.0-r1.ebuild b/dev-libs/geoip/geoip-1.4.0-r1.ebuild
new file mode 100644 (file)
index 0000000..d2e49b4
--- /dev/null
@@ -0,0 +1,40 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/geoip/geoip-1.4.0-r1.ebuild,v 1.1 2007/01/17 00:29:31 jokey Exp $
+
+inherit autotools eutils libtool
+
+MY_P="${P/geoip/GeoIP}"
+DESCRIPTION="easily lookup countries by IP addresses, even when Reverse DNS entries don't exist"
+HOMEPAGE="http://www.maxmind.com/geoip/api/c.shtml"
+SRC_URI="http://www.maxmind.com/download/geoip/api/c/${MY_P}.tar.gz"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
+IUSE=""
+
+DEPEND=""
+RDEPEND=""
+
+S="${WORKDIR}/${MY_P}"
+
+src_unpack() {
+       unpack ${A}
+       cd "${S}"
+
+       epatch "${FILESDIR}/${P}-asneeded.patch"
+       epatch "${FILESDIR}/${P}-update-vulnerability.patch"
+       eautomake
+
+       elibtoolize
+}
+
+src_compile() {
+       econf --enable-shared || die "econf failed"
+       emake || die "emake failed"
+}
+
+src_install() {
+       emake DESTDIR="${D}" install || die "einstall failed"
+}
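Review bot: The `die` message in `src_install` names einstall (`emake DESTDIR="${D}" install || die "einstall failed"`) but the call is emake, so a failing install would mislead whoever reads the build log; `|| die "emake install failed"` matches the other two die messages in this ebuild. `src_unpack` also applies `${FILESDIR}/${P}-asneeded.patch`, which this commit does not add and the diffstat does not list, so it presumably already exists in files/ from the removed 1.4.0 ebuild — worth confirming it was not cleaned up together with those ebuilds. KEYWORDS are all ~arch, so the vulnerability fix does not reach stable users until this revision is stabilized on each architecture.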