insecure file handling in geoip package
gavin at FreeBSD.org
Mon Apr 5 14:57:19 UTC 2010
On Mon, 5 Apr 2010, Anatoly Pugachev wrote:
> Can you please update file /usr/local/bin/geoipupdate.sh
> in GeoIP freebsd package to handle downloaded file in a more secure
> manner, i.e. with using mktemp:
>
> #!/bin/sh
> TMPFILE=`mktemp /tmp/geoip.XXXXXX` || exit 1
> fetch -o "$TMPFILE" http://64.246.48.99/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz || { rm -f "$TMPFILE"; exit 1; }
> gzip -dc "$TMPFILE" > /usr/local/share/GeoIP/GeoIP.dat
> rm "$TMPFILE"
>
> Since this shell script is usually put in cron under the root account, an
> attacker can use a Unix symlink attack. Thanks.
Hi,
Are you able to submit a PR about this? If there's some reason you can't,
let me know and I'll submit one for you. Please also include in the PR
subject the full port name (is this related to the net/GeoIP port, or one
of the other possible geoip ports?). If you can't submit a PR, let me
know which port it relates to and I'll submit the details.
Thanks,
Gavin
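For reference, a hardened form of the update step discussed above, written as an added example rather than the net/GeoIP port's own geoipupdate.sh. It assumes FreeBSD's fetch(1) and gzip(1), reuses the URL and destination path quoted in the thread, and the function names are its own: the download and the decompressed output both go to mktemp(1) files, and the live database is replaced with an atomic rename instead of a redirect, so a failed fetch or a truncated archive never clobbers it.

```shell
#!/bin/sh
# Added example, not the port's script. Assumes fetch(1) and gzip(1).
URL=http://64.246.48.99/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
DEST=/usr/local/share/GeoIP/GeoIP.dat

# fetch_geoip: download the archive into a private temp file and print its
# path. mktemp opens the file O_EXCL with mode 0600 at an unpredictable name,
# so a symlink pre-planted in /tmp cannot redirect root's write elsewhere.
fetch_geoip() {
    tmp=$(mktemp /tmp/geoip.XXXXXX) || return 1
    if ! fetch -q -o "$tmp" "$URL"; then
        rm -f "$tmp"
        return 1
    fi
    printf '%s\n' "$tmp"
}

# install_geoip_db SRC_GZ DEST: decompress into a private temp file in DEST's
# own directory (same filesystem, so rename is atomic), then move it over
# DEST. A failed or partial decompression never touches the live database.
install_geoip_db() {
    src_gz=$1
    dest=$2
    tmp=$(mktemp "$(dirname "$dest")/.GeoIP.dat.XXXXXX") || return 1
    # Remove the temp file if the script is interrupted part-way through.
    trap 'rm -f "$tmp"' EXIT INT TERM
    if ! gzip -dc "$src_gz" > "$tmp"; then
        rm -f "$tmp"
        trap - EXIT INT TERM
        return 1
    fi
    # mktemp's 0600 would hide the database from the services that read it
    # (assumption: the consumers run as non-root), so relax to 0644 first.
    chmod 0644 "$tmp" && mv -f "$tmp" "$dest" ||
        { rm -f "$tmp"; trap - EXIT INT TERM; return 1; }
    trap - EXIT INT TERM
}

# update_geoip: the cron entry point; fetch, install, then drop the download.
update_geoip() {
    gz=$(fetch_geoip) || return 1
    install_geoip_db "$gz" "$DEST"
    rc=$?
    rm -f "$gz"
    return $rc
}
```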