Date:      Mon, 5 Apr 2010 15:24:59 +0100 (BST)
From:      gavin@FreeBSD.org
To:        Anatoly Pugachev <mator@team.co.ru>
Cc:        bugbusters@FreeBSD.org, matorola@gmail.com
Subject:   Re: insecure file handling in geoip package
Message-ID:  <alpine.LNX.2.00.1004051522320.20462@ury.york.ac.uk>
In-Reply-To: <20100405075437.GN6752@puga.deis.gldn.net>
References:  <20100405075437.GN6752@puga.deis.gldn.net>

On Mon, 5 Apr 2010, Anatoly Pugachev wrote:

> Can you please update file /usr/local/bin/geoipupdate.sh
> in the GeoIP FreeBSD package to handle the downloaded file in a more secure
> manner, i.e. by using mktemp:
>
> #!/bin/sh
> TMPFILE=`mktemp /tmp/geoip.XXXXXX` || exit 1
> fetch -o $TMPFILE http://64.246.48.99/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
> gzip -dc $TMPFILE > /usr/local/share/GeoIP/GeoIP.dat
> rm $TMPFILE
>
> Since this shell script is usually put in cron with the root account, an attacker
> can use a unix-symlink attack. Thanks.

Hi,

Are you able to submit a PR about this?  If there's some reason you can't,
let me know and I'll submit one for you.  Please also include in the PR
subject the full port name (is this related to the net/GeoIP port, or one
of the other possible geoip ports?).  If you can't submit a PR, let me
know which port it relates to and I'll submit the details.

Thanks,

Gavin
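The fix proposed in the quoted message, carried a step further as an added example (this is not the port's geoipupdate.sh and not the reporter's script): the temp files are created with mktemp inside the root-owned destination directory rather than in the shared /tmp, every step is checked, and the new database is installed with an atomic rename so a failed or truncated download never replaces the working GeoIP.dat. The URL is a placeholder, and fetch_db is a hypothetical helper that wraps fetch(1) so it can be swapped out for offline testing.

```sh
#!/bin/sh
# Hardened GeoIP database updater (added example, not the port's own script).
# Assumed placeholder: the real download URL belongs here.
GEOIP_URL="${GEOIP_URL:-http://example.invalid/GeoIP.dat.gz}"

# Hypothetical helper: stream the gzipped database to stdout.
# fetch(1) writes to stdout when the output file is "-".
fetch_db() {
    fetch -o - "$GEOIP_URL"
}

# update_geoip DIR: refresh DIR/GeoIP.dat; returns 0 on success, 1 on failure.
update_geoip() {
    dir=$1
    # mktemp creates the files with O_EXCL and mode 0600 under unpredictable
    # names, so a symlink planted in advance cannot redirect root's write.
    # Using the destination directory (root-owned, not world-writable) instead
    # of /tmp also keeps the temp file on the same filesystem as the target.
    tmpgz=$(mktemp "$dir/.geoip.gz.XXXXXX") || return 1
    tmpdat=$(mktemp "$dir/.geoip.dat.XXXXXX") || { rm -f "$tmpgz"; return 1; }

    # Download, verify the gzip integrity, then decompress. Any failure leaves
    # the currently installed database untouched.
    if fetch_db > "$tmpgz" && gzip -t "$tmpgz" && gzip -dc "$tmpgz" > "$tmpdat"; then
        # mktemp's 0600 would hide the database from non-root readers.
        chmod 0644 "$tmpdat"
        # rename(2) within one filesystem is atomic: readers see either the
        # old database or the complete new one, never a partial file.
        if mv -f "$tmpdat" "$dir/GeoIP.dat"; then
            rm -f "$tmpgz"
            return 0
        fi
    fi
    rm -f "$tmpgz" "$tmpdat"
    return 1
}

# From cron, run: update_geoip /usr/local/share/GeoIP
```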