CVE-2007-0159

Name: CVE-2007-0159
Description: Directory traversal vulnerability in the GeoIP_update_database_general function in libGeoIP/GeoIPUpdate.c in GeoIP 1.4.0 allows remote malicious update servers (possibly only update.maxmind.com) to overwrite arbitrary files via a .. (dot dot) in the database filename, which is returned by a request to app/update_getfilename.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 406628

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release    Version       Status
geoip (PTS)      buster     1.6.12-1      fixed
                 bullseye   1.6.12-7      fixed
                 bookworm   1.6.12-10     fixed
                 trixie     1.6.12-11     fixed
                 sid        1.6.12-11.1   fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
geoip     source   (unstable)   1.3.17-1.1      low                406628

Notes

[sarge] - geoip <no-dsa> (Minor issue)
