Package: geoip-database-contrib
Version: 1.8
Severity: critical
File: geoip-data

geoip-database-contrib_update has many problems

1. general naming must be followed, and the script named like the other update-* scripts:

   update-geoip-database-contrib

2. the file update has race conditions:
   - the file is removed and only later downloaded
   - the file decompression is done in place, which exposes a partial file to users

3. the file download/update is not safe: wget can get a redirect and name the file with any name,
so in /usr/share/GeoIP files like index.html and others can be found...

4. writes are done to /usr, which in many cases can safely be assumed to be read-only

Suggestions:

1. place the databases in /var/lib/cache/GeoIP/
2. place symlinks from /usr/share/GeoIP/ to /var/lib/cache
3. update the files in the following manner

---------------
        cleanup() {
                rm -f "${TEMP_DB_FILE_GZ}" "${TEMP_DB_FILE}"
        }
        trap cleanup 0

        TEMP_DB_FILE_GZ="$(mktemp -t 'GeoIP.tmp.XXXXXX.gz')"
        TEMP_DB_FILE="$(mktemp -t 'GeoIP.tmp.XXXXXX')"

        for ...
        do
                ...
                # download to a temp file (-O), decompress into a second temp file,
                # and only then rename over the live database; if wget or gunzip
                # fails the mv is skipped, so a bad download never replaces the DB.
                # mv is only an atomic rename when the temp file is on the same
                # filesystem as /var/lib/cache/GeoIP.
                /usr/bin/wget -t3 -T15 "${url}" -O "${TEMP_DB_FILE_GZ}" && \
                /bin/gunzip -f < "${TEMP_DB_FILE_GZ}" > "${TEMP_DB_FILE}" && \
                mv "${TEMP_DB_FILE}" "/var/lib/cache/GeoIP/${FILE}"
                rm -f "${TEMP_DB_FILE_GZ}"
                ...
        done
-----------------



-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages geoip-database-contrib depends on:
ii  debconf [debconf-2.0]  1.5.49
ii  ucf                    3.0025+nmu3
ii  wget                   1.13.4-3+deb7u1

geoip-database-contrib recommends no packages.

Versions of packages geoip-database-contrib suggests:
ii  cron  3.0pl1-124

-- debconf information:
  geoip-database-contrib/install-cronjob: true
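The temp-file-plus-rename update described in the suggestions above, as an added, runnable example that is not the package's script and not code from the reporter. It leaves out the wget fetch so it runs offline: the hypothetical install_db_atomically function takes an already downloaded .gz path, verifies it with gzip -t (which rejects an HTML page served after a redirect just as it rejects a truncated download), decompresses into a temp file created inside the target directory (so that mv is an atomic rename on the same filesystem, which a temp file under $TMPDIR does not guarantee) and renames it over the database. The demo function builds constructed sample data and checks that a good archive replaces the database and a corrupt one leaves the old database and no temp file behind.

```shell
#!/bin/sh
# Added example (not the package's update script): replace a GeoIP database
# atomically so readers never see a missing or half-written file.
# Hypothetical assumptions: the gzip'd database has already been fetched
# with "wget -O" to a local path, and DB_DIR is a writable directory; the
# temp file is created inside DB_DIR so the final mv is an atomic rename.
set -eu

# install_db_atomically SRC_GZ DB_DIR NAME
# Verifies SRC_GZ, decompresses it into a temp file created inside DB_DIR
# and renames that over DB_DIR/NAME in one step. On any failure the temp
# file is removed and the previous DB_DIR/NAME is left untouched.
install_db_atomically() {
    src_gz=$1
    db_dir=$2
    name=$3
    tmp=$(mktemp "$db_dir/.$name.XXXXXX") || return 1
    # gzip -t rejects a redirect page or a truncated download before we write
    if gzip -t "$src_gz" 2>/dev/null && gunzip -c "$src_gz" > "$tmp"; then
        chmod 0644 "$tmp"
        mv -f "$tmp" "$db_dir/$name"   # atomic rename: old or new, never partial
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Self-check on constructed data: a valid archive replaces the database,
# a corrupt one (e.g. an HTML page served after a redirect) is rejected,
# leaves the old database in place and no temp file behind.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/GeoIP"
    printf 'db-v1\n' > "$work/GeoIP/GeoIP.dat"          # constructed "old" DB
    printf 'db-v2\n' > "$work/GeoIP.dat.new"            # constructed "new" DB
    gzip -f "$work/GeoIP.dat.new"                       # -> GeoIP.dat.new.gz
    install_db_atomically "$work/GeoIP.dat.new.gz" "$work/GeoIP" GeoIP.dat
    printf '<html>not a database</html>\n' > "$work/bad.gz"   # constructed bad download
    if install_db_atomically "$work/bad.gz" "$work/GeoIP" GeoIP.dat; then
        rm -rf "$work"
        return 1                                        # corrupt input must fail
    fi
    content=$(cat "$work/GeoIP/GeoIP.dat")
    leftover=$(ls -A "$work/GeoIP" | grep -v '^GeoIP\.dat$' || true)
    rm -rf "$work"
    [ "$content" = "db-v2" ] && [ -z "$leftover" ]
}

demo && echo "atomic update ok"
```

Readers that open the database by path see either the complete old file or the complete new one because rename(2) swaps the directory entry in one step; a process that already had the old file open keeps reading its (now unlinked) inode, which is exactly the behaviour the remove-then-download and in-place gunzip sequences lack.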

