From owner-freebsd-bugbusters@FreeBSD.ORG  Mon Apr  5 14:57:19 2010
Return-Path: <owner-freebsd-bugbusters@FreeBSD.ORG>
Delivered-To: bugbusters@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 21CCC106566C
	for <bugbusters@FreeBSD.org>; Mon,  5 Apr 2010 14:57:19 +0000 (UTC)
	(envelope-from gavin@ury.york.ac.uk)
Received: from mail-gw1.york.ac.uk (mail-gw1.york.ac.uk [144.32.128.246])
	by mx1.freebsd.org (Postfix) with ESMTP id 7A6138FC13
	for <bugbusters@FreeBSD.org>; Mon,  5 Apr 2010 14:56:54 +0000 (UTC)
Received: from ury.york.ac.uk (ury.york.ac.uk [144.32.108.81])
	by mail-gw1.york.ac.uk (8.13.6/8.13.6) with ESMTP id o35EOxI2015817;
	Mon, 5 Apr 2010 15:24:59 +0100 (BST)
Received: from gavin (helo=localhost)
	by ury.york.ac.uk with local-esmtp (Exim 4.71)
	(envelope-from <gavin@ury.york.ac.uk>)
	id 1NynEZ-0005Mn-4l; Mon, 05 Apr 2010 15:24:59 +0100
Date: Mon, 5 Apr 2010 15:24:59 +0100 (BST)
From: gavin@FreeBSD.org
X-X-Sender: gavin@ury.york.ac.uk
To: Anatoly Pugachev <mator@team.co.ru>
In-Reply-To: <20100405075437.GN6752@puga.deis.gldn.net>
Message-ID: <alpine.LNX.2.00.1004051522320.20462@ury.york.ac.uk>
References: <20100405075437.GN6752@puga.deis.gldn.net>
User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Sender: <gavin@ury.york.ac.uk>
X-York-MailScanner: Found to be clean
X-York-MailScanner-From: gavin@ury.york.ac.uk
Cc: bugbusters@FreeBSD.org, matorola@gmail.com
Subject: Re: insecure file handling in geoip package
X-BeenThere: freebsd-bugbusters@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Coordination of the Problem Report handling effort."
	<freebsd-bugbusters.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugbusters>, 
	<mailto:freebsd-bugbusters-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugbusters>
List-Post: <mailto:freebsd-bugbusters@freebsd.org>
List-Help: <mailto:freebsd-bugbusters-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugbusters>, 
	<mailto:freebsd-bugbusters-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Apr 2010 14:57:19 -0000

On Mon, 5 Apr 2010, Anatoly Pugachev wrote:

> Can you please update file /usr/local/bin/geoipupdate.sh
> in GeoIP freebsd package to handle downloaded file in a more secure
> manner, i.e. with using mktemp:
>
> #!/bin/sh
> TMPFILE=`mktemp /tmp/geoip.XXXXXX` || exit 1
> fetch -o $TMPFILE http://64.246.48.99/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
> gzip -dc $TMPFILE > /usr/local/share/GeoIP/GeoIP.dat
> rm $TMPFILE
>
> Since this shell script is usually put in cron with root account, attacker
> can use unix-symlink attack. Thanks.

Hi,

Are you able to submit a PR about this?  If there's some reason you can't, 
let me know and I'll submit one for you.  Please also include in the PR 
subject the full port name (is this related to the net/GeoIP port, or one 
of the other possible geoip ports?).  If you can't submit a PR, let me 
know which port it relates to and I'll submit the details.

Thanks,

Gavin