Patrick Matthäi wrote:
> In the case of geoip it is just a data file (like a .svg etc) with no
> attacking vector. The attacker could only inject a corrupted database
> and geoip will throw errors/false positions.
>
> Is this really a vector for it?
>
I think there is an attack vector for it. What the example update scripts
(debian/scripts/geolite*.sh) in the geoip package do is basically:

    wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz | gunzip

Anyone who has access to the DNS server used in order to resolve
geolite.maxmind.com can cause the script to download malicious code. And
even though the script does not execute the code, it does use wget to
download it, and pipes it through gunzip. If any unknown security
vulnerabilities exist in either wget/gunzip/libgeoip then it's possible to
use this as an attack vector - especially if the user puts this script in
cron under the root user. (There are probably many more ways to attack, but
this is the most obvious way).

I hope this clarifies why I think we should find a better solution to this
issue.

Regards,
Tom Feiner
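A hardened form of the update step discussed above, added here as an example (it is not the geoip package's own script): download to a file instead of piping straight into gunzip, check the download against a pinned SHA-256 before anything decompresses it, and only then install atomically. The URL and hash arguments are placeholders, and the use of wget's --https-only option is an assumption for illustration.

```shell
#!/bin/sh
# Example code for this thread, not from the geoip package. Assumes GNU
# coreutils (sha256sum, mktemp) and a wget that supports --https-only.
set -eu

# Verify that FILE matches EXPECTED_SHA256, then decompress it into DEST.
# The hash is checked before gunzip ever sees the bytes, so a tampered
# download is rejected without exercising the decompressor or libgeoip.
# Returns non-zero and installs nothing on any failure.
install_verified_db() {
    file=$1; expected=$2; dest=$3
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file (got $actual)" >&2
        return 1
    fi
    gzip -t "$file" || return 1            # structural check of the archive
    tmp=$(mktemp "$dest.XXXXXX")
    gunzip -c "$file" > "$tmp"
    mv -f "$tmp" "$dest"                   # atomic replace of the live database
}

# Fetch URL over HTTPS only into a temporary file, then hand it to the
# verifier. URL and EXPECTED_SHA256 are placeholders supplied by the caller.
update_geoip() {
    url=$1; expected=$2; dest=$3
    tmp=$(mktemp)
    if wget -q --https-only -O "$tmp" "$url" \
       && install_verified_db "$tmp" "$expected" "$dest"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

Run as, for example, `update_geoip https://EXAMPLE-HOST/GeoIP.dat.gz <pinned-sha256> /usr/share/GeoIP/GeoIP.dat`; the pinned hash has to come from a trusted channel, not from the same download.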