Can you please update file /usr/local/bin/geoipupdate.sh from the GeoIP-1.4.6 freebsd package to handle the downloaded file in a more secure manner, i.e. with use of mktemp? Since this shell script is usually put in cron with the root account, an attacker can use a unix symlink attack. Thanks.

Fix: an example of a new update script:

    #!/bin/sh
    TMPFILE=`mktemp /tmp/geoip.XXXXXX` || exit 1
    fetch -o "$TMPFILE" http://64.246.48.99/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
    gzip -dc "$TMPFILE" > /usr/local/share/GeoIP/GeoIP.dat
    rm "$TMPFILE"
Responsible Changed From-To: freebsd-ports-bugs->dhn Fix synopsis and assign.
Responsible Changed From-To: dhn->pgollucci committer&maintainer timeout (dhn ; 678 days) / last commit: 1 days ago
Responsible Changed From-To: pgollucci->freebsd-ports-bugs With bugmeister hat, return to pool due to assignee ENOTIME. Note that this PR was already available for commit via maintainer-timeout.
Responsible Changed From-To: freebsd-ports-bugs->scheidell I'll take it.
Anatoly: Sorry this got lost in the shuffle, how do you feel about my solution?
Uses no tmp files, just pipes.
Honors make.conf env variable DATADIR anyway.
(Note, this patch is against version 1.4.8, which was updated since your PR of 2 years ago.)

--
Michael Scheidell, CTO
SECNAP Network Security Corporation
http://people.freebsd.org/~scheidell
State Changed From-To: open->feedback Ask for maintainer approval.
Michael,

On Wed, Jul 4, 2012 at 5:18 AM, Michael Scheidell <scheidell@freebsd.org> wrote:
> Anatoly: Sorry this got lost in the shuffle, how do you feel about my solution?
> uses no tmp files, just pipes.
> honors make.conf env variable DATADIR anyway.
> (note, this patch is against version 1.4.8, which was updated since your pr of 2 years ago)

I'm ok with your proposed fix, but it would be nice to also have a check for the return code of fetch, so we do not accidentally overwrite a good/consistent GeoIP.dat.

Thanks!
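A hardened update script that combines the two points raised in this PR (mktemp instead of a predictable /tmp name, and no overwrite of a good GeoIP.dat when fetch or gzip fails). This is an added example, not the script committed to the port; GEOIP_URL is a placeholder, and download() wraps fetch(1) so the logic can be exercised without network access.

```shell
#!/bin/sh
# Hardened GeoIP.dat updater (added example, not the port's committed script).
# Assumptions: GEOIP_URL is a placeholder; DATADIR follows the port's default.
set -u

GEOIP_URL="${GEOIP_URL:-http://example.invalid/GeoIP.dat.gz}"  # placeholder
DATADIR="${DATADIR:-/usr/local/share/GeoIP}"

# download URL DEST: thin wrapper around fetch(1) so tests can replace it.
download() {
    fetch -q -o "$2" "$1"
}

cleanup() { rm -f "$tmpgz" "$tmpdat"; }

# update_geoip URL DESTFILE: returns 0 on success. On any failure DESTFILE
# is left exactly as it was, which is the property the PR follow-up asked for.
update_geoip() {
    url=$1; dest=$2
    tmpgz=""; tmpdat=""
    destdir=$(dirname "$dest")
    # mktemp creates the file itself (O_EXCL, mode 0600), so a symlink planted
    # at a predictable /tmp name can no longer redirect root's write.
    tmpgz=$(mktemp "${TMPDIR:-/tmp}/geoip.XXXXXX") || return 1
    # Decompress into the destination directory: the final mv is then a
    # same-filesystem rename, so readers never see a half-written database.
    tmpdat=$(mktemp "$destdir/.GeoIP.dat.XXXXXX") || { cleanup; return 1; }
    if ! download "$url" "$tmpgz"; then
        echo "geoipupdate: download failed, keeping $dest" >&2
        cleanup; return 1
    fi
    # A truncated or corrupt archive makes gzip fail; nothing reaches $dest.
    if ! gzip -dc "$tmpgz" > "$tmpdat" || [ ! -s "$tmpdat" ]; then
        echo "geoipupdate: bad archive, keeping $dest" >&2
        cleanup; return 1
    fi
    chmod 0644 "$tmpdat"
    mv -f "$tmpdat" "$dest" || { cleanup; return 1; }
    rm -f "$tmpgz"
    return 0
}

# Only touch the network when explicitly asked (e.g. GEOIP_RUN=1 from cron).
if [ "${GEOIP_RUN:-0}" = 1 ]; then
    update_geoip "$GEOIP_URL" "$DATADIR/GeoIP.dat"
fi
```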
Didn't make it to bug-followup, so forwarding it.

-------- Original Message --------
Subject: Re: ports/145425: insecure file handling in net/GeoIP
Date: Wed, 4 Jul 2012 06:54:13 +0200
From: Dennis Herrmann <dhn@FreeBSD.org>
To: <scheidell@FreeBSD.org>

scheidell@FreeBSD.org writes:
> Synopsis: insecure file handling in net/GeoIP
>
> State-Changed-From-To: open->feedback
> State-Changed-By: scheidell
> State-Changed-When: Wed Jul 4 01:19:05 UTC 2012
> State-Changed-Why:
> Ask for maintainer approval.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=145425

Yeah looks good ;) approve!

-dhn
State Changed From-To: feedback->closed Committed. Thanks!
scheidell 2012-07-04 11:22:49 UTC

FreeBSD ports repository

Modified files:
  net/GeoIP            Makefile
Added files:
  net/GeoIP/files      geoipupdate.sh.in
Removed files:
  net/GeoIP/files      geoipupdate.sh

Log:
- Fix insecure handling of GeoIP download file
- Bump PORTREVISION since we change package

PR:           ports/145425
Submitted by: anatoly pugachev <matorola@gmail.com>
Approved by:  dhn@ (maintainer)

Revision  Changes  Path
1.54      +4 -2    ports/net/GeoIP/Makefile
1.4       +0 -5    ports/net/GeoIP/files/geoipupdate.sh (dead)
1.1       +2 -0    ports/net/GeoIP/files/geoipupdate.sh.in (new)