Date: Tue, 6 Apr 2010 09:46:11 GMT
From: anatoly pugachev <matorola@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/145425: insecure file handling in geoip package
Message-ID: <201004060946.o369kBvo092496@www.freebsd.org>
Resent-Message-ID: <201004060950.o369o2cO041151@freefall.freebsd.org>
>Number: 145425
>Category: ports
>Synopsis: insecure file handling in geoip package
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 06 09:50:02 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: anatoly pugachev
>Release: 7.2
>Organization:
>Environment:
FreeBSD host.domain 7.2-STABLE FreeBSD 7.2-STABLE #5: Thu Dec 10 15:57:09 MSK 2009 root@host.domain:/usr/obj/usr/src/sys/IPFGENERIC amd64
>Description:
Can you please update the file /usr/local/bin/geoipupdate.sh from the GeoIP-1.4.6 FreeBSD package to handle the downloaded file in a more secure manner, i.e. with the use of mktemp? Since this shell script is usually put in cron with the root account, an attacker can use a Unix symlink attack.
Thanks.
>How-To-Repeat:
>Fix:
An example of a new update script:

#!/bin/sh
# Create the scratch file with an unpredictable name and mode 0600 (mktemp),
# so a symlink planted in /tmp under a guessable name cannot redirect the write.
TMPFILE=`mktemp /tmp/geoip.XXXXXX` || exit 1
# Abort and clean up if the download fails, rather than decompressing a partial file.
fetch -o "$TMPFILE" http://64.246.48.99/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz || { rm -f "$TMPFILE"; exit 1; }
gzip -dc "$TMPFILE" > /usr/local/share/GeoIP/GeoIP.dat
rm -f "$TMPFILE"

>Release-Note:
>Audit-Trail:
>Unformatted:
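As an added example (not part of the PR and not the GeoIP port's own geoipupdate.sh), the same update written so that a failed or corrupt download can never leave the live database truncated: the decompressed file is staged next to the destination with mktemp, checked, and swapped in with mv, which is a rename within one filesystem. The download URL and destination path are the ones from the PR; the demo at the bottom runs on a constructed local .gz so it works offline.

```shell
#!/bin/sh
# Hardened GeoIP update pattern (added example; assumes a POSIX sh with mktemp and gzip).
set -eu

# Decompress GZ_SRC into DEST atomically: stage in DEST's directory via mktemp,
# verify the result is non-empty, then rename over the old file.
# Returns 1 and leaves DEST untouched if decompression fails.
install_gz_atomically() {
    gz_src=$1
    dest=$2
    dest_dir=$(dirname "$dest")
    # mktemp creates the file with mode 0600 and an unpredictable name, so a
    # pre-planted symlink cannot be followed by the write.
    staged=$(mktemp "$dest_dir/.GeoIP.XXXXXX") || return 1
    if ! gzip -dc "$gz_src" > "$staged" || [ ! -s "$staged" ]; then
        rm -f "$staged"
        return 1
    fi
    chmod 0644 "$staged"          # the database must stay readable by non-root users
    mv -f "$staged" "$dest"       # rename(2): readers see the old or the new file, never a partial one
}

# Real cron use (paths from the PR): download to a mktemp file, then install.
#   TMPFILE=$(mktemp /tmp/geoip.XXXXXX) || exit 1
#   trap 'rm -f "$TMPFILE"' EXIT
#   fetch -o "$TMPFILE" http://64.246.48.99/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
#   install_gz_atomically "$TMPFILE" /usr/local/share/GeoIP/GeoIP.dat

# Offline demo on constructed data: a good archive replaces the database,
# a corrupt archive leaves the current database untouched. Returns 0 on success.
demo() {
    work=$(mktemp -d) || return 1
    status=1
    printf 'OLD-DATABASE\n' > "$work/GeoIP.dat"
    printf 'NEW-DATABASE\n' | gzip -c > "$work/good.gz"
    printf 'not gzip data\n' > "$work/bad.gz"
    if install_gz_atomically "$work/good.gz" "$work/GeoIP.dat" \
       && [ "$(cat "$work/GeoIP.dat")" = "NEW-DATABASE" ] \
       && ! install_gz_atomically "$work/bad.gz" "$work/GeoIP.dat" 2>/dev/null \
       && [ "$(cat "$work/GeoIP.dat")" = "NEW-DATABASE" ]; then
        status=0
    fi
    rm -rf "$work"
    return $status
}

demo && echo "demo ok"
```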
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201004060946.o369kBvo092496>