insecure file handling in geoip package
Anatoly Pugachev
matorola at gmail.com
Tue Apr 6 10:19:14 UTC 2010
Just submitted via http://www.freebsd.org/send-pr.html web-form.
Thanks.
On Mon, Apr 5, 2010 at 6:24 PM, <gavin at freebsd.org> wrote:
> On Mon, 5 Apr 2010, Anatoly Pugachev wrote:
>
>> Can you please update file /usr/local/bin/geoipupdate.sh
>> in GeoIP freebsd package to handle downloaded file in a more secure
>> manner, i.e. with using mktemp:
>>
>> #!/bin/sh
>> TMPFILE=`mktemp /tmp/geoip.XXXXXX` || exit 1
>> fetch -o $TMPFILE
>> http://64.246.48.99/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
>> gzip -dc $TMPFILE > /usr/local/share/GeoIP/GeoIP.dat
>> rm $TMPFILE
>>
>> Since this shell script is usually put in cron with root account, attacker
>> can use unix-symlink attack. Thanks.
>
> Hi,
>
> Are you able to submit a PR about this? If there's some reason you can't,
> let me know and I'll submit one for you. Please also include in the PR
> subject the full port name (is this related to the net/GeoIP port, or one of
> the other possible geoip ports?). If you can't submit a PR, let me know
> which port it relates to and I'll submit the details.
More information about the freebsd-bugbusters
mailing list