From owner-freebsd-bugbusters@FreeBSD.ORG Mon Apr 5 08:10:34 2010
Return-Path:
Delivered-To: bugbusters@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4C839106564A for ; Mon, 5 Apr 2010 08:10:34 +0000 (UTC) (envelope-from mator@team.co.ru)
Received: from puga.deis.gldn.net (puga.deis.gldn.net [194.67.22.194]) by mx1.freebsd.org (Postfix) with ESMTP id 97F0B8FC12 for ; Mon, 5 Apr 2010 08:10:33 +0000 (UTC)
Received: from puga.deis.gldn.net (localhost.localdomain [127.0.0.1]) by puga.deis.gldn.net (8.14.3/8.14.3) with ESMTP id o357scnB017840; Mon, 5 Apr 2010 11:54:38 +0400
Received: (from mator@localhost) by puga.deis.gldn.net (8.14.3/8.14.3/Submit) id o357sbcY017838; Mon, 5 Apr 2010 11:54:37 +0400
Date: Mon, 5 Apr 2010 11:54:37 +0400
From: Anatoly Pugachev
To: bugbusters@FreeBSD.org
Message-ID: <20100405075437.GN6752@puga.deis.gldn.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.20 (2009-08-17)
Cc: matorola@gmail.com
Subject: insecure file handling in geoip package
X-BeenThere: freebsd-bugbusters@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Coordination of the Problem Report handling effort."
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 05 Apr 2010 08:10:34 -0000

Hello!

Can you please update the file /usr/local/bin/geoipupdate.sh in the GeoIP FreeBSD package to handle the downloaded file in a more secure manner, i.e. using mktemp:

#!/bin/sh
# mktemp creates a fresh file with an unpredictable name, so a symlink planted in /tmp cannot redirect root's write
TMPFILE=`mktemp /tmp/geoip.XXXXXX` || exit 1
trap 'rm -f "$TMPFILE"' EXIT
fetch -o "$TMPFILE" http://64.246.48.99/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz || exit 1
# decompress beside the destination and rename, so a failed download or gunzip never leaves a truncated live database
gzip -dc "$TMPFILE" > /usr/local/share/GeoIP/GeoIP.dat.new || exit 1
mv /usr/local/share/GeoIP/GeoIP.dat.new /usr/local/share/GeoIP/GeoIP.dat

Since this shell script is usually run from cron as root, an attacker can use a Unix symlink attack.

Thanks.
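The symlink race described in the message above, as an added shell demonstration that is not part of this thread or of the GeoIP port's script: it runs a cron-style "update" that writes to a fixed, predictable name in a shared temporary directory, shows that an attacker's pre-planted symlink redirects the write onto another file, and then shows that the same attack does nothing against a mktemp-created file. Assumptions: a hypothetical `fake_fetch` stands in for fetch(1) and copies a constructed payload instead of downloading; a scratch directory created with `mktemp -d` stands in for /tmp; and the whole simulation runs as one user (in the real attack the symlink belongs to the unprivileged attacker and the writer is root, a cross-user case that Linux's fs.protected_symlinks sysctl blocks in sticky directories, which is why the demo stays inside one user's own non-sticky directory).

```shell
#!/bin/sh
# Added demonstration of the /tmp symlink race; not the GeoIP port's code.
# Runs entirely inside a scratch directory: no network, no real /tmp.
set -u

# Hypothetical stand-in for "fetch -o $OUT URL": writes a constructed payload
# to $OUT. Like fetch, it simply opens $OUT for writing, so if $OUT is a
# symlink the data lands on whatever the symlink points to.
fake_fetch() {
    printf 'GEOIP-DATABASE-BYTES\n' > "$1"
}

# Vulnerable pattern: a fixed, predictable file name in a shared directory.
# Whoever pre-creates $1/geoip.dat.gz as a symlink chooses where the
# privileged writer's data ends up.
unsafe_update() {
    tmp=$1
    fake_fetch "$tmp/geoip.dat.gz"
}

# Hardened pattern: mktemp creates a brand-new file (exclusive create) under
# an unpredictable name, so there is no name for the attacker to pre-plant.
safe_update() {
    tmp=$1
    f=$(mktemp "$tmp/geoip.XXXXXX") || return 1
    fake_fetch "$f"
    rm -f "$f"
}

# Run the attack against one update pattern.
# Returns 0 if the victim file was overwritten, 1 if it survived.
simulate() {
    pattern=$1
    work=$(mktemp -d) || return 2
    mkdir "$work/tmp"
    # constructed "victim": stands in for a root-owned file the attacker wants to clobber
    printf 'root-owned config\n' > "$work/victim"
    # attacker plants the symlink at the predictable name before the cron job fires
    ln -s "$work/victim" "$work/tmp/geoip.dat.gz"
    "$pattern" "$work/tmp"
    if [ "$(cat "$work/victim")" = "GEOIP-DATABASE-BYTES" ]; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

# Usage: run both patterns against the planted symlink.
if simulate unsafe_update; then
    echo "fixed name in shared tmp: victim overwritten through the planted symlink"
fi
if ! simulate safe_update; then
    echo "mktemp name: victim untouched"
fi
```

The point the demo isolates is that the dangerous step is the open-for-write on a name the attacker could predict, not the download itself; mktemp removes the predictability and the exclusive create refuses to reuse anything that already exists at the chosen name.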
From owner-freebsd-bugbusters@FreeBSD.ORG Mon Apr 5 14:57:19 2010
Return-Path:
Delivered-To: bugbusters@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 21CCC106566C for ; Mon, 5 Apr 2010 14:57:19 +0000 (UTC) (envelope-from gavin@ury.york.ac.uk)
Received: from mail-gw1.york.ac.uk (mail-gw1.york.ac.uk [144.32.128.246]) by mx1.freebsd.org (Postfix) with ESMTP id 7A6138FC13 for ; Mon, 5 Apr 2010 14:56:54 +0000 (UTC)
Received: from ury.york.ac.uk (ury.york.ac.uk [144.32.108.81]) by mail-gw1.york.ac.uk (8.13.6/8.13.6) with ESMTP id o35EOxI2015817; Mon, 5 Apr 2010 15:24:59 +0100 (BST)
Received: from gavin (helo=localhost) by ury.york.ac.uk with local-esmtp (Exim 4.71) (envelope-from ) id 1NynEZ-0005Mn-4l; Mon, 05 Apr 2010 15:24:59 +0100
Date: Mon, 5 Apr 2010 15:24:59 +0100 (BST)
From: gavin@FreeBSD.org
X-X-Sender: gavin@ury.york.ac.uk
To: Anatoly Pugachev
In-Reply-To: <20100405075437.GN6752@puga.deis.gldn.net>
Message-ID:
References: <20100405075437.GN6752@puga.deis.gldn.net>
User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Sender:
X-York-MailScanner: Found to be clean
X-York-MailScanner-From: gavin@ury.york.ac.uk
Cc: bugbusters@FreeBSD.org, matorola@gmail.com
Subject: Re: insecure file handling in geoip package
X-List-Received-Date: Mon, 05 Apr 2010 14:57:19 -0000

On Mon, 5 Apr 2010, Anatoly Pugachev wrote:

> Can you please update file /usr/local/bin/geoipupdate.sh
> in GeoIP freebsd package to handle downloaded file in a more secure
> manner, i.e. with using mktemp:
>
> #!/bin/sh
> TMPFILE=`mktemp /tmp/geoip.XXXXXX` || exit 1
> fetch -o $TMPFILE http://64.246.48.99/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
> gzip -dc $TMPFILE > /usr/local/share/GeoIP/GeoIP.dat
> rm $TMPFILE
>
> Since this shell script is usually put in cron with root account, attacker
> can use unix-symlink attack. Thanks.

Hi,

Are you able to submit a PR about this? If there's some reason you can't, let me know and I'll submit one for you. Please also include in the PR subject the full port name (is this related to the net/GeoIP port, or one of the other possible geoip ports?). If you can't submit a PR, let me know which port it relates to and I'll submit the details.

Thanks,

Gavin

From owner-freebsd-bugbusters@FreeBSD.ORG Tue Apr 6 10:19:14 2010
Return-Path:
Delivered-To: bugbusters@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0ACA3106564A; Tue, 6 Apr 2010 10:19:14 +0000 (UTC) (envelope-from matorola@gmail.com)
Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.154]) by mx1.freebsd.org (Postfix) with ESMTP id 63E1B8FC08; Tue, 6 Apr 2010 10:19:13 +0000 (UTC)
Received: by fg-out-1718.google.com with SMTP id l26so873280fgb.13 for ; Tue, 06 Apr 2010 03:19:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references:date:received:message-id:subject:from:to:cc:content-type:content-transfer-encoding; bh=b8icX0B01x7QFrbTFOxmxzHeY11KoPyT11Uyoes0IGk=; b=e2pXJ7TziROcllyyKuoXO/Bo1Ev9/dipIBYgokXPaTCmUgvbKlic4qQhCBcXxS7XD5zQREvux2Yq3uNObP1uhapmp9jC7w1l9q85vSm4MuDSgJNMrMQe5Az5kRNfPznKI7je2qNYwP/mdWnIGI2MRte1EHEcaGD7J/6WsP2dQhQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to:cc:content-type:content-transfer-encoding; b=hNwxUmdy+KN9uAnfEbS6NBRpuloG8vTi6lkzbAnd15ZkWfZ6s0YBf62+c4wvDSLn4EGBbE6oksNrYdY8BekHyb+3rfPvS5W4UowHG2f12Iq8xZOtQjdxFiD1EbK6Ih3lXZgtEQP/kwKitAvIowCzKjggkw7OE8RsMAJIU3vgTfw=
MIME-Version: 1.0
Received: by 10.86.83.5 with HTTP; Tue, 6 Apr 2010 02:48:46 -0700 (PDT)
In-Reply-To:
References: <20100405075437.GN6752@puga.deis.gldn.net>
Date: Tue, 6 Apr 2010 13:48:46 +0400
Received: by 10.87.20.36 with SMTP id x36mr10594883fgi.14.1270547326894; Tue, 06 Apr 2010 02:48:46 -0700 (PDT)
Message-ID:
From: Anatoly Pugachev
To: gavin@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: bugbusters@freebsd.org, Anatoly Pugachev
Subject: Re: insecure file handling in geoip package
X-List-Received-Date: Tue, 06 Apr 2010 10:19:14 -0000

Just submitted via the http://www.freebsd.org/send-pr.html web form. Thanks.

On Mon, Apr 5, 2010 at 6:24 PM, wrote:
> On Mon, 5 Apr 2010, Anatoly Pugachev wrote:
>
>> Can you please update file /usr/local/bin/geoipupdate.sh
>> in GeoIP freebsd package to handle downloaded file in a more secure
>> manner, i.e. with using mktemp:
>>
>> #!/bin/sh
>> TMPFILE=`mktemp /tmp/geoip.XXXXXX` || exit 1
>> fetch -o $TMPFILE
>> http://64.246.48.99/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
>> gzip -dc $TMPFILE > /usr/local/share/GeoIP/GeoIP.dat
>> rm $TMPFILE
>>
>> Since this shell script is usually put in cron with root account, attacker
>> can use unix-symlink attack. Thanks.
>
> Hi,
>
> Are you able to submit a PR about this? If there's some reason you can't,
> let me know and I'll submit one for you. Please also include in the PR
> subject the full port name (is this related to the net/GeoIP port, or one of
> the other possible geoip ports?). If you can't submit a PR, let me know
> which port it relates to and I'll submit the details.