Today's Topics:
1. Re: insecure file handling in geoip package (ga...@FreeBSD.org)
2. Re: insecure file handling in geoip package (Anatoly Pugachev)
----------------------------------------------------------------------
Message: 1
Date: Mon, 5 Apr 2010 15:24:59 +0100 (BST)
From: ga...@FreeBSD.org
Subject: Re: insecure file handling in geoip package
To: Anatoly Pugachev <ma...@team.co.ru>
Cc: bugbu...@FreeBSD.org, mato...@gmail.com
Message-ID: <alpine.LNX.2.00.1...@ury.york.ac.uk>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Mon, 5 Apr 2010, Anatoly Pugachev wrote:
> Can you please update the file /usr/local/bin/geoipupdate.sh
> in the GeoIP FreeBSD package to handle the downloaded file in a more secure
> manner, i.e. by using mktemp:
>
> #!/bin/sh
> TMPFILE=`mktemp /tmp/geoip.XXXXXX` || exit 1
> fetch -o $TMPFILE http://64.246.48.99/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
> gzip -dc $TMPFILE > /usr/local/share/GeoIP/GeoIP.dat
> rm $TMPFILE
>
> Since this shell script is usually put in cron under the root account, an attacker
> can use a Unix symlink attack. Thanks.
Hi,
Are you able to submit a PR about this? If there's some reason you can't,
let me know and I'll submit one for you. Please also include in the PR
subject the full port name (is this related to the net/GeoIP port, or one
of the other possible geoip ports?). If you can't submit a PR, let me
know which port it relates to and I'll submit the details.
Thanks,
Gavin
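The pattern Anatoly asks for, written out as an added example (this is not the port's geoipupdate.sh and not code from either poster): the download is staged under an unpredictable mktemp(1) name so a pre-created symlink in /tmp cannot redirect root's write, a failed download or decompression leaves the installed database untouched, and the finished file is renamed into place atomically. The `fetch_cmd` hook and `GEOIP_URL` are assumptions so the function can be exercised offline with a local file; the real cron job would pass a small wrapper around fetch(1).

```shell
#!/bin/sh
# Added example, not the net/GeoIP port's script.
# update_db FETCH_CMD DEST
#   FETCH_CMD is run with one argument, the path to write the .gz into
#   (hypothetical hook; in the real job it wraps fetch(1), e.g.
#     fetch_geoip() { fetch -o "$1" "$GEOIP_URL"; }
#     update_db fetch_geoip /usr/local/share/GeoIP/GeoIP.dat ).
update_db() {
    fetch_cmd=$1 dest=$2

    # Private 0700 staging directory with an unpredictable name, created
    # atomically by mktemp(1): nothing for an attacker to pre-create, unlike
    # a fixed /tmp/geoip.dat.gz that root would blindly overwrite.
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/geoip.XXXXXX") || return 1

    # Stage the decompressed file in the destination directory (same
    # filesystem), so the final rename is atomic and readers see either the
    # old or the new database, never a half-written one.
    staged=$(mktemp "$(dirname "$dest")/.geoip.XXXXXX") || { rmdir "$workdir"; return 1; }

    # Clean up if the job is killed part-way through.
    trap 'rm -rf "$workdir" "$staged"' EXIT HUP INT TERM

    rc=1
    if ! $fetch_cmd "$workdir/db.gz"; then
        echo "download failed, keeping $dest" >&2
    elif ! gzip -dc "$workdir/db.gz" > "$staged"; then
        echo "decompression failed, keeping $dest" >&2
    else
        # mktemp created $staged 0600; the database must be world-readable.
        chmod 0644 "$staged" && mv -f "$staged" "$dest" && rc=0
    fi

    rm -rf "$workdir" "$staged"   # $staged is already gone after a successful mv
    trap - EXIT HUP INT TERM
    return "$rc"
}
```

Note that the original script's `gzip -dc $TMPFILE > /usr/local/share/GeoIP/GeoIP.dat` truncates the live database before decompression starts, so a failed or partial download leaves the system with an empty GeoIP.dat; staging plus `mv` avoids that as well.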
------------------------------
Message: 2
Date: Tue, 6 Apr 2010 13:48:46 +0400
From: Anatoly Pugachev <mato...@gmail.com>
Subject: Re: insecure file handling in geoip package
To: ga...@freebsd.org
Cc: bugbu...@freebsd.org, Anatoly Pugachev <ma...@team.co.ru>
Message-ID: <n2zd119c8b21004060248gd...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Just submitted via http://www.freebsd.org/send-pr.html web-form.
Thanks.
On Mon, Apr 5, 2010 at 6:24 PM, <ga...@freebsd.org> wrote:
> On Mon, 5 Apr 2010, Anatoly Pugachev wrote:
>
>> Can you please update the file /usr/local/bin/geoipupdate.sh
>> in the GeoIP FreeBSD package to handle the downloaded file in a more secure
>> manner, i.e. by using mktemp:
>>
>> #!/bin/sh
>> TMPFILE=`mktemp /tmp/geoip.XXXXXX` || exit 1
>> fetch -o $TMPFILE http://64.246.48.99/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
>> gzip -dc $TMPFILE > /usr/local/share/GeoIP/GeoIP.dat
>> rm $TMPFILE
>>
>> Since this shell script is usually put in cron under the root account, an attacker
>> can use a Unix symlink attack. Thanks.
>
> Hi,
>
> Are you able to submit a PR about this? If there's some reason you can't,
> let me know and I'll submit one for you. Please also include in the PR
> subject the full port name (is this related to the net/GeoIP port, or one of
> the other possible geoip ports?). If you can't submit a PR, let me know
> which port it relates to and I'll submit the details.
------------------------------
End of freebsd-bugbusters Digest, Vol 220, Issue 2
**************************************************