From owner-freebsd-bugbusters@FreeBSD.ORG Mon Apr 5 08:10:34 2010
Return-Path: 
Delivered-To: bugbusters@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4C839106564A for ; Mon, 5 Apr 2010 08:10:34 +0000 (UTC) (envelope-from mator@team.co.ru)
Received: from puga.deis.gldn.net (puga.deis.gldn.net [194.67.22.194]) by mx1.freebsd.org (Postfix) with ESMTP id 97F0B8FC12 for ; Mon, 5 Apr 2010 08:10:33 +0000 (UTC)
Received: from puga.deis.gldn.net (localhost.localdomain [127.0.0.1]) by puga.deis.gldn.net (8.14.3/8.14.3) with ESMTP id o357scnB017840; Mon, 5 Apr 2010 11:54:38 +0400
Received: (from mator@localhost) by puga.deis.gldn.net (8.14.3/8.14.3/Submit) id o357sbcY017838; Mon, 5 Apr 2010 11:54:37 +0400
Date: Mon, 5 Apr 2010 11:54:37 +0400
From: Anatoly Pugachev
To: bugbusters@FreeBSD.org
Message-ID: <20100405075437.GN6752@puga.deis.gldn.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.20 (2009-08-17)
Cc: matorola@gmail.com
Subject: insecure file handling in geoip package
X-BeenThere: freebsd-bugbusters@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Coordination of the Problem Report handling effort."
X-List-Received-Date: Mon, 05 Apr 2010 08:10:34 -0000

Hello!

Can you please update the file /usr/local/bin/geoipupdate.sh in the GeoIP FreeBSD package to handle the downloaded file in a more secure manner, i.e. using mktemp:

    #!/bin/sh
    # mktemp creates the scratch file itself under an unpredictable name,
    # so root never writes through a path an attacker could pre-place.
    TMPFILE=$(mktemp /tmp/geoip.XXXXXX) || exit 1
    # Abort (and clean up) if the download fails, so an empty or partial
    # file is never decompressed over the installed database.
    fetch -o "$TMPFILE" http://64.246.48.99/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz || { rm -f "$TMPFILE"; exit 1; }
    gzip -dc "$TMPFILE" > /usr/local/share/GeoIP/GeoIP.dat
    rm -f "$TMPFILE"

Since this shell script is usually put in cron with the root account, an attacker can use a Unix symlink attack.

Thanks.
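A hardened form of the same update step, added here as an example and not the package's script or the poster's code; install_gz_atomic and geoip_update are this example's own names, and fetch is assumed to be FreeBSD's fetch(1) as in the post. Beyond mktemp, it decompresses into a scratch file in the destination directory and renames it over the old database, so a failed download or decompression cannot leave a truncated GeoIP.dat, and it refuses a destination that is itself a symlink.

```shell
#!/bin/sh
# Added example: hardened GeoIP.dat replacement (not the port's script).
#
# Compared with a fixed path under /tmp:
#   * every scratch file is created by mktemp, so no pre-placed symlink at a
#     guessable name can redirect a write made by root;
#   * the decompressed database is written next to its destination and then
#     renamed over it, so readers never see a half-written file and any
#     failure leaves the old database exactly as it was;
#   * a destination that is a symlink is refused rather than followed.

set -u

# install_gz_atomic SRC_GZ DEST
# Decompress SRC_GZ into DEST through a mktemp file in DEST's directory.
# Returns 0 on success; on any failure DEST is untouched and no scratch
# file is left behind.
install_gz_atomic() {
    src_gz=$1
    dest=$2
    dest_dir=$(dirname "$dest")

    if [ -L "$dest" ]; then
        echo "refusing to replace symlink $dest" >&2
        return 1
    fi
    tmp=$(mktemp "$dest_dir/.geoip.XXXXXX") || return 1

    # Require a non-empty result: gzip -dc on garbage exits non-zero and
    # leaves an empty file, which must never become the live database.
    if gzip -dc "$src_gz" > "$tmp" && [ -s "$tmp" ]; then
        chmod 0644 "$tmp" && mv -f "$tmp" "$dest"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# geoip_update URL DEST
# Download to a mktemp file, then install it atomically. Needs network
# access and fetch(1), so it is not exercised by the test below.
geoip_update() {
    url=$1
    dest=$2
    dl=$(mktemp /tmp/geoip.XXXXXX) || return 1
    fetch -o "$dl" "$url" && install_gz_atomic "$dl" "$dest"
    rc=$?
    rm -f "$dl"
    return $rc
}
```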