Date: Tue, 6 Apr 2010 13:48:46 +0400
From: Anatoly Pugachev <matorola@gmail.com>
To: gavin@freebsd.org
Cc: bugbusters@freebsd.org, Anatoly Pugachev <mator@team.co.ru>
Subject: Re: insecure file handling in geoip package
Message-ID: <n2zd119c8b21004060248gdb317272yf71a6e63b72f8d1d@mail.gmail.com>
In-Reply-To: <alpine.LNX.2.00.1004051522320.20462@ury.york.ac.uk>
References: <20100405075437.GN6752@puga.deis.gldn.net> <alpine.LNX.2.00.1004051522320.20462@ury.york.ac.uk>
Just submitted via http://www.freebsd.org/send-pr.html web-form. Thanks.

On Mon, Apr 5, 2010 at 6:24 PM, <gavin@freebsd.org> wrote:
> On Mon, 5 Apr 2010, Anatoly Pugachev wrote:
>
>> Can you please update file /usr/local/bin/geoipupdate.sh
>> in the GeoIP FreeBSD package to handle the downloaded file in a more secure
>> manner, i.e. using mktemp:
>>
>> #!/bin/sh
>> TMPFILE=`mktemp /tmp/geoip.XXXXXX` || exit 1
>> fetch -o $TMPFILE http://64.246.48.99/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
>> gzip -dc $TMPFILE > /usr/local/share/GeoIP/GeoIP.dat
>> rm $TMPFILE
>>
>> Since this shell script is usually put in cron with the root account, an attacker
>> can use a unix-symlink attack. Thanks.
>
> Hi,
>
> Are you able to submit a PR about this?  If there's some reason you can't,
> let me know and I'll submit one for you.  Please also include in the PR
> subject the full port name (is this related to the net/GeoIP port, or one of
> the other possible geoip ports?).  If you can't submit a PR, let me know
> which port it relates to and I'll submit the details.
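An added example, not the port's geoipupdate.sh and not the script proposed in the thread: the same update step written so that the temp file comes from mktemp, gzip's exit status is checked before the live database is touched, and the replacement is an atomic rename. The function name and the local gzip file standing in for the fetch step are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not the net/GeoIP port's own script). Hardened update
# step: mktemp-created staging file, gzip status check, atomic rename.
set -u

# safe_update SRC_GZ DEST
#   SRC_GZ: already-downloaded gzip file (stands in for "fetch -o $TMPFILE URL")
#   DEST:   final database path, e.g. /usr/local/share/GeoIP/GeoIP.dat
# Returns 0 on success. On any failure DEST is left exactly as it was.
safe_update() {
    src="$1"; dest="$2"
    destdir=$(dirname "$dest")

    # mktemp creates the file itself (O_EXCL, mode 0600), so a symlink
    # planted at a guessable /tmp name is never followed. Staging it in the
    # destination directory makes the final mv a same-filesystem rename.
    tmp=$(mktemp "$destdir/.GeoIP.dat.XXXXXX") || return 1
    # Remove the staging file on any exit path (error, SIGINT, SIGTERM).
    trap 'rm -f "$tmp"' EXIT INT TERM

    # The original "gzip -dc $TMPFILE > DEST" truncates DEST before gzip
    # runs, so a truncated or corrupt download would destroy the working
    # database. Decompress into the staging file and check the status.
    if ! gzip -dc "$src" > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    # Sanity check: never install an empty database.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi

    # The database must stay world-readable, as it was with the shell redirect.
    chmod 0644 "$tmp"
    # Atomic replace: readers see either the old or the new database.
    if ! mv -f "$tmp" "$dest"; then
        rm -f "$tmp"
        return 1
    fi
    trap - EXIT INT TERM
    return 0
}
```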
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?n2zd119c8b21004060248gdb317272yf71a6e63b72f8d1d>