Red Hat Bugzilla – Bug 832913
GeoIP: crash due to lack of segment size validation
Last modified: 2015-05-14 02:28:38 EDT
Created attachment 592554 [details]
large.c crashes in the GEOIP_MEMORY_CACHE and GEOIP_MMAP_CACHE modes
because the segment size is never validated against the file size. In
GEOIP_INDEX_CACHE mode, it allocates a large amount of memory,
potentially leading to a denial of service.
I'm filing this as a private bug even though this is not a security vulnerability as such because no trust boundary is crossed. Please treat the reproducer as confidential.
Created attachment 592555 [details]
Data file used by large.c.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
There is no information in this bug report that would allow me to identify the problem. I don't have access to Bug #832899 either so that doesn't help.
Florian, are you still wanting to treat this as confidential or is it OK to report this on upstream's github account? Upstream seems to be working towards a 1.5.0 release at the moment.
Also I don't have access to Bug #832919, which appears to a Fedora GeoIP bug according to https://admin.fedoraproject.org/pkgdb/acls/bugs/GeoIP - are you or someone else dealing with upstream for that one?
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version.
Thank you for reporting this bug and we are sorry it could not be fixed.
No change since F-16.
Florian, are you still wanting to treat this as confidential or is it OK to report this on upstream's github account?
It's fine to report this upstream. Sorry for the delay.
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.
(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)
More information and reason for this action is here:
This message is a notice that Fedora 19 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 19. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.
Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 19 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Philip, did anything happen with this upstream?
(In reply to Paul Howarth from comment #11)
> Philip, did anything happen with this upstream?
I believe it was fixed. Let me check github.
(In reply to Philip Prindeville from comment #12)
> I believe it was fixed. Let me check github.
Nope, wasn't fixed. Since neither of us have access to the original bug, I was thinking that Florian was going to report it upstream but I'm not seeing a corresponding fix.
I am a developer at MaxMind. Although I cannot find this particular report in our bug tracker, I believe this issue was fixed in 1.5.1. In particular, I think this commit fixed the issue:
I attempted to run the attached C file and it was unable to open the file in all modes.
As all current Fedora releases have version 1.5.1, I think we can close this one. Florian, do you agree?
Thanks for the info Greg. Perhaps you could take a look at Bug #1180874, in which the geoiplookup tool segfaults when pointed to a corrupt file, in this case a .csv file rather than an actual database file? I was able to reproduce the crash using the csv file from https://github.com/mlsecproject/combine/blob/master/data/GeoIPASNum2.csv
$ geoiplookup -f GeoIPASNum2.csv 18.104.22.168
Error Traversing Database for ipnum = 1161244672 - Perhaps database is corrupt?
Segmentation fault (core dumped)
(In reply to Greg Oschwald from comment #14)
> I am a developer at MaxMind. Although I cannot find this particular report
> in our bug tracker, I believe this issue was fixed in 1.5.1. In particular,
> I think this commit fixed the issue:
This commit is definitely related to this bug. I'm a bit worried that this commit does not address the overflow in the multiplication (which may be harmless). It's also unclear what happens with a 32-bit off_t. It's usually defined as long, so it has higher integer conversion rank than unsigned int, and the comparison will be signed, which is clearly not what is intended here.
We believe the changes in this commit address the lingering concerns:
This will be in our next release.
GeoIP-GeoLite-data-2015.04-1.el5,geoipupdate-2.2.1-2.el5,GeoIP-1.6.5-1.el5 has been submitted as an update for Fedora EPEL 5.
GeoIP-GeoLite-data-2015.04-1.el6,geoipupdate-2.2.1-2.el6,GeoIP-1.6.5-1.el6 has been submitted as an update for Fedora EPEL 6.
GeoIP-GeoLite-data-2015.04-1.fc21,geoipupdate-2.2.1-2.fc21,GeoIP-1.6.5-1.fc21 has been submitted as an update for Fedora 21.
GeoIP-GeoLite-data-2015.04-1.fc22,geoipupdate-2.2.1-2.fc22,GeoIP-1.6.5-1.fc22 has been submitted as an update for Fedora 22.
GeoIP-GeoLite-data-2015.04-1.fc20,geoipupdate-2.2.1-2.fc20,GeoIP-1.6.5-1.fc20 has been submitted as an update for Fedora 20.
I've built updates to GeoIP 1.6.5 for all current Fedora releases, plus EPEL-5 and EPEL-6, which should address this.
However, EL-7 ships with GeoIP 1.5.0 so it still may be an issue there.
GeoIP-GeoLite-data-2015.04-1.fc22, geoipupdate-2.2.1-2.fc22, GeoIP-1.6.5-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
GeoIP-GeoLite-data-2015.04-1.fc20, geoipupdate-2.2.1-2.fc20, GeoIP-1.6.5-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
GeoIP-GeoLite-data-2015.04-1.fc21, geoipupdate-2.2.1-2.fc21, GeoIP-1.6.5-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
geoipupdate-2.2.1-2.el6, GeoIP-1.6.5-1.el6, GeoIP-GeoLite-data-2015.04-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
geoipupdate-2.2.1-2.el5, GeoIP-GeoLite-data-2015.04-2.el5, GeoIP-1.6.5-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.