From owner-freebsd-bugbusters@FreeBSD.ORG Tue Apr 6 10:19:14 2010
From: Anatoly Pugachev
To: gavin@freebsd.org
Cc: bugbusters@freebsd.org, Anatoly Pugachev
Date: Tue, 6 Apr 2010 13:48:46 +0400
Subject: Re: insecure file handling in geoip package
References: <20100405075437.GN6752@puga.deis.gldn.net>
List-Id: "Coordination of the Problem Report handling effort." (freebsd-bugbusters@freebsd.org)

Just submitted via http://www.freebsd.org/send-pr.html web-form. Thanks.

On Mon, Apr 5, 2010 at 6:24 PM, wrote:
> On Mon, 5 Apr 2010, Anatoly Pugachev wrote:
>
>> Can you please update the file /usr/local/bin/geoipupdate.sh
>> in the GeoIP FreeBSD package to handle the downloaded file in a more secure
>> manner, i.e. using mktemp:
>>
>> #!/bin/sh
>> # mktemp creates the file atomically under an unpredictable name, so a
>> # symlink planted at a fixed path in /tmp is never followed.
>> TMPFILE=`mktemp /tmp/geoip.XXXXXX` || exit 1
>> # Remove the temporary file however the script ends.
>> trap 'rm -f "$TMPFILE"' EXIT
>> # Stop on a failed download instead of decompressing an empty file over the live database.
>> fetch -o "$TMPFILE" http://64.246.48.99/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz || exit 1
>> gzip -dc "$TMPFILE" > /usr/local/share/GeoIP/GeoIP.dat
>> rm -f "$TMPFILE"
>>
>> Since this shell script is usually put in cron with the root account, an attacker
>> can use a Unix symlink attack. Thanks.
>
> Hi,
>
> Are you able to submit a PR about this?  If there's some reason you can't,
> let me know and I'll submit one for you.  Please also include in the PR
> subject the full port name (is this related to the net/GeoIP port, or one of
> the other possible geoip ports?).  If you can't submit a PR, let me know
> which port it relates to and I'll submit the details.
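The updater discussed in this thread, written out as an added example (it is not the port's geoipupdate.sh and not code from either correspondent). It goes one step beyond the mktemp fix in the report: the download lands in a private mktemp -d directory, the archive is integrity-checked before the live database is touched, and the new database is renamed into place atomically so a cron run that fails half way never leaves a truncated GeoIP.dat. The function name geoip_update, the local-path branch (which exists so the function can be exercised offline) and the use of fetch(1) for URLs are assumptions of this example.

```shell
#!/bin/sh
# Hardened GeoIP database updater (added example, not the port's script).
# Assumed names: geoip_update, _geoip_update_in; fetch(1) is FreeBSD's fetcher.

# _geoip_update_in WORKDIR SOURCE DEST: does the work inside an already
# created private directory; the caller owns cleanup.
_geoip_update_in() {
    workdir=$1
    src=$2
    dest=$3
    destdir=$(dirname "$dest")
    gz="$workdir/GeoIP.dat.gz"

    # Download into the private directory. A local .gz path is copied instead,
    # so the function can be tested without network access.
    case $src in
        http://*|https://*) fetch -q -o "$gz" "$src" || return 1 ;;
        *)                  cp "$src" "$gz" || return 1 ;;
    esac

    # Verify the archive before the live database is touched: a truncated or
    # garbage download must not end up as a zero-length GeoIP.dat.
    gzip -t "$gz" 2>/dev/null || return 1

    # Decompress into a mktemp file in the destination directory, so the final
    # mv is a rename on the same filesystem and readers never see a partial file.
    new=$(mktemp "$destdir/.GeoIP.dat.XXXXXX") || return 1
    if ! gzip -dc "$gz" > "$new"; then
        rm -f "$new"
        return 1
    fi
    chmod 0644 "$new"
    mv -f "$new" "$dest"
}

# geoip_update SOURCE DEST
#   SOURCE: http(s):// URL or a local .gz file; DEST: path of the live database.
# Returns 0 on success; on any failure the existing DEST is left untouched.
geoip_update() {
    # mktemp -d creates a fresh 0700 directory with an unpredictable name, so no
    # other user can pre-create or replace anything the script will open.
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/geoip.XXXXXX") || return 1
    # Remove the work directory even if the script is killed mid-download.
    trap 'rm -rf "$workdir"' EXIT INT TERM HUP
    _geoip_update_in "$workdir" "$1" "$2"
    rc=$?
    rm -rf "$workdir"
    trap - EXIT INT TERM HUP
    return $rc
}

# Cron usage (URL and destination as in the report):
# geoip_update http://64.246.48.99/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz \
#              /usr/local/share/GeoIP/GeoIP.dat
```

The point of the two-stage layout is that every file the script creates has an unpredictable name in a directory or with a mode that only the invoking user controls, and the only write to a predictable path (the live GeoIP.dat) is a rename, which either replaces the whole file or does nothing.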