Date: Mon, 5 Apr 2010 11:54:37 +0400 From: Anatoly Pugachev <mator@team.co.ru> To: bugbusters@FreeBSD.org Cc: matorola@gmail.com Subject: insecure file handling in geoip package Message-ID: <20100405075437.GN6752@puga.deis.gldn.net>
Hello!

Can you please update the file /usr/local/bin/geoipupdate.sh in the GeoIP FreeBSD package to handle the downloaded file in a more secure manner, i.e. by using mktemp:

#!/bin/sh
# create the temporary file atomically under an unpredictable name, or abort
TMPFILE=`mktemp /tmp/geoip.XXXXXX` || exit 1
# abort (and clean up) if the download fails, so a failed fetch never
# overwrites the existing database with empty output
fetch -o "$TMPFILE" http://64.246.48.99/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz || { rm -f "$TMPFILE"; exit 1; }
gzip -dc "$TMPFILE" > /usr/local/share/GeoIP/GeoIP.dat
rm -f "$TMPFILE"

Since this shell script is usually run from cron as root, an attacker can use a Unix symlink attack.

Thanks.
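The pattern the mail asks for, carried one step further, as an added example that is not the GeoIP port's script and not the poster's code: the compressed download goes to a mktemp-created file (created with O_EXCL under an unpredictable name, so a pre-planted symlink in /tmp is never followed), the decompressed output goes to a second mktemp file inside the destination directory, and only a successful decompression is renamed over GeoIP.dat, so a failed or truncated download can never replace the existing database. The fetch_database helper is an assumption: it copies a local file so the example runs offline where the real script would call fetch -o.

```shell
#!/bin/sh
# Added example (not the GeoIP port's geoipupdate.sh). Demonstrates a
# symlink-safe, atomic update of a file written by a root cron job.
set -u

# fetch_database SRC DEST
# Stand-in for `fetch -o DEST URL` so the example runs offline: assumed
# helper, copies a local file instead of downloading.
fetch_database() {
    cp -- "$1" "$2"
}

# update_geoip SRC DEST_DIR
# Downloads SRC (a .gz), decompresses it and installs it as DEST_DIR/GeoIP.dat.
# Returns 0 on success. On any failure the previous GeoIP.dat is left
# untouched and no temporary files remain.
update_geoip() {
    src=$1
    dest_dir=$2

    # mktemp creates the file itself (O_CREAT|O_EXCL, mode 0600) under a
    # random name, so there is nothing for an attacker to pre-create or
    # symlink, unlike a fixed /tmp/geoip.gz path.
    tmp_gz=$(mktemp "${TMPDIR:-/tmp}/geoip.XXXXXX") || return 1

    # The decompressed database is staged in the destination directory so
    # the final rename is a same-filesystem, atomic mv: readers see either
    # the old file or the complete new one, never a truncated one.
    tmp_dat=$(mktemp "$dest_dir/GeoIP.dat.XXXXXX") || {
        rm -f "$tmp_gz"
        return 1
    }

    if ! fetch_database "$src" "$tmp_gz"; then
        rm -f "$tmp_gz" "$tmp_dat"
        return 1
    fi

    # gzip exits non-zero on a corrupt or non-gzip file; the partial output
    # is discarded rather than installed.
    if ! gzip -dc "$tmp_gz" > "$tmp_dat"; then
        rm -f "$tmp_gz" "$tmp_dat"
        return 1
    fi

    chmod 0644 "$tmp_dat"
    mv -f "$tmp_dat" "$dest_dir/GeoIP.dat" || {
        rm -f "$tmp_gz" "$tmp_dat"
        return 1
    }
    rm -f "$tmp_gz"
}

# Usage: sh update.sh /path/to/GeoIP.dat.gz /usr/local/share/GeoIP
if [ $# -eq 2 ]; then
    update_geoip "$1" "$2"
fi
```

In the real cron job, fetch_database would be replaced by the fetch call from the mail; everything else stays the same, and the script never writes to a path an unprivileged user could have created in advance.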
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100405075437.GN6752>
