From owner-freebsd-ports@FreeBSD.ORG Sun Jun 22 12:31:54 2014 Return-Path: Delivered-To: freebsd-ports@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 6B93870F; Sun, 22 Jun 2014 12:31:54 +0000 (UTC) Received: from mail.openmailbox.org (62-210-83-87.rev.poneytelecom.eu [62.210.83.87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 19CAA2211; Sun, 22 Jun 2014 12:31:53 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.openmailbox.org (Postfix) with ESMTP id 4FEB62E0945; Sun, 22 Jun 2014 14:31:52 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=openmailbox.org; h=user-agent:message-id:subject:subject:from:from:date:date :content-transfer-encoding:content-type:content-type :mime-version:received:received; s=openmailbox; t=1403440310; bh=Z+YaUAvC7G48P3ogZ301dEi3d2jf50X46AthadRK0pY=; b=LOTDvMOmspxa V1PThTKuqBJb1kMEbgIo9pQaDbHR0NVLjptbbfAbAINCZ14tWs671sYWlU48IGkx kVJ8zW1Ig1Z2axX4AMbxJQcmCtDtDXd428JvGLxLxI/OJIVTG/rsPi7uztUFIkS+ ij72et8SyTq0p+A8j6NzbU+UfnpZZHw= X-Virus-Scanned: at openmailbox.org Received: from mail.openmailbox.org ([127.0.0.1]) by localhost (mail.openmailbox.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0OCKxY3Bnhig; Sun, 22 Jun 2014 14:31:50 +0200 (CEST) Received: from www.openmailbox.org (localhost [127.0.0.1]) by mail.openmailbox.org (Postfix) with ESMTP id 66D802E03A3; Sun, 22 Jun 2014 14:31:50 +0200 (CEST) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Date: Sun, 22 Jun 2014 22:31:50 +1000 From: philj@openmailbox.org To: freebsd-security@freebsd.org, freebsd-ports@freebsd.org Subject: Ports tree insecure because of IGNOREFILES+IGNORE Message-ID: X-Sender: philj@openmailbox.org User-Agent: Roundcube Webmail/1.0.0 X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 Jun 2014 12:31:54 -0000 The IGNOREFILES+IGNORE mechanism allows port maintainers to disable checksum checks. I feel that this mechanism is a stain on an otherwise fantastic ports system. It reduces user confidence in security and makes us all sitting ducks for sophisticated adversaries. Possible changes: (i) removing the IGNOREFILES+IGNORE mechanism entirely if practical. (ii) centralizing the mechanism with a vetting process involving a (highly paranoid) security officer. (iii) requiring users to add a switch to /etc/make.conf or otherwise to OK installation of ports with checksum-disabled components. Awareness and choice breed confidence. =================================== CATEGORY 1: PROBLEMATIC EXECUTABLES =================================== biology/platon ----------------------------------------------------------------------------- # This port only has snapshot archive IGNOREFILES= platon.tar.gz SHA256 (platon.tar.gz) = IGNORE ----------------------------------------------------------------------------- Notes: executable. games/xroach ----------------------------------------------------------------------------- IGNOREFILES= ${DISTFILES} SHA256 (xroach.tar.gz) = IGNORE ----------------------------------------------------------------------------- Notes: executable. net/bindtest ----------------------------------------------------------------------------- IGNOREFILES= ${DISTNAME}${EXTRACT_SUFX} SHA256 (bindtest.tgz) = IGNORE ----------------------------------------------------------------------------- Notes: executable. print/lgrind ----------------------------------------------------------------------------- IGNOREFILES= ${PORTNAME}.tar.gz SHA256 (lgrind/lgrind.tar.gz) = IGNORE ----------------------------------------------------------------------------- Notes: executable. It doesn't checksum the distfile, but it *does* checksum the distfile's contents. This offers less resistance for a maliciously corrupted tarball. Checksumming the distfile itself guards access to the archiver programs and libraries, among other things. Another problem with this checksum-the-contents approach is that there appears to be no protection against extraneous contents, which could be a problem if wildcards are used somewhere in the build/install process. www/lifetype ----------------------------------------------------------------------------- IGNOREFILES= ${CONTRIBE_VERSION}__all_plugins.zip \ ${CONTRIBE_VERSION}__all_templates.zip SHA256 (1.2__all_plugins.zip) = IGNORE SHA256 (1.2__all_templates.zip) = IGNORE ----------------------------------------------------------------------------- Notes: executable (PHP files, etc.). ======================================= CATEGORY 2: PROBLEMATIC NON-EXECUTABLES ======================================= These include documentation files and program data files. Malicious corruption would target any code on the system that processes the files (see japanese/edict below for an example of how a program can be targeted during the build process). A lot of the time, the risk is no doubt negligible, to the point where it's more of a risk to use the ports system itself, with fetch(1) and other helper programs as potential targets. devel/root-doc ----------------------------------------------------------------------------- IGNOREFILES= ${DISTFILES} SHA256 (html502.tar.gz) = IGNORE ----------------------------------------------------------------------------- Notes: intended to be documentation only, but effectively an opaque tarball crafted in an unknown manner and containing unknown contents that gets a free ride beyond the checksum point. games/ftjava ----------------------------------------------------------------------------- IGNOREFILES= FTJava_Documentation.html faq.html FTJava_Linux.html SHA256 (ftjava/FTJava_Documentation.html) = IGNORE SHA256 (ftjava/faq.html) = IGNORE SHA256 (ftjava/FTJava_Linux.html) = IGNORE ----------------------------------------------------------------------------- Notes: documentation. japanese/edict ----------------------------------------------------------------------------- # # These change too often and are not made into executables. # IGNOREFILES= ${DICTFILES} ${DOCFILES} SHA256 (edict/edict.gz) = IGNORE SHA256 (edict/edicth) = IGNORE SHA256 (edict/enamdict.gz) = IGNORE SHA256 (edict/compdic.gz) = IGNORE SHA256 (edict/j_places.gz) = IGNORE SHA256 (edict/ediclsd3.zip) = IGNORE SHA256 (edict/kanjidic.gz) = IGNORE SHA256 (edict/kanjd212.gz) = IGNORE SHA256 (edict/lawgledt.zip) = IGNORE SHA256 (edict/lingdic.zip) = IGNORE SHA256 (edict/geodic.gz) = IGNORE SHA256 (edict/pandpdic.zip) = IGNORE SHA256 (edict/aviation.zip) = IGNORE SHA256 (edict/findic.zip) = IGNORE SHA256 (edict/mktdic.zip) = IGNORE SHA256 (edict/4jword3_edict.zip) = IGNORE SHA256 (edict/concrete.zip) = IGNORE SHA256 (edict/edict_doc.html) = IGNORE SHA256 (edict/edicth.doc) = IGNORE SHA256 (edict/enamdict_doc.txt) = IGNORE SHA256 (edict/enamdict_doc.html) = IGNORE SHA256 (edict/j_places.inf) = IGNORE SHA256 (edict/kanjidic.doc) = IGNORE SHA256 (edict/kanjd212.doc) = IGNORE SHA256 (edict/ediclsd3.rme) = IGNORE SHA256 (edict/lawgldoc.new) = IGNORE SHA256 (edict/lingdic.txt) = IGNORE SHA256 (edict/geodic.doc) = IGNORE SHA256 (edict/aviation.txt) = IGNORE SHA256 (edict/findic.doc) = IGNORE SHA256 (edict/mktdic.doc) = IGNORE SHA256 (edict/4jword3_inf.txt) = IGNORE SHA256 (edict/concrete.doc) = IGNORE ----------------------------------------------------------------------------- Notes: program data files that get a free ride beyond the checksum point, including having the port Makefile run the dictionaries through xjdxgen, a EUC-JP index generator last updated in 1998 that can easily be forced to overflow malloc'd memory with sizeof(long) bytes of data because of an off-by- one index calculation: jindex = (unsigned long *)malloc(indlen); // ... if (indptr > indlen/sizeof(long))) { printf("Index table overflow. Dictionary too large?\n"); exit(1); } Here we write sizeof(long) bytes past a 12-byte buffer: 157 indlen = (diclen * 3*(sizeof(long)/4))/4; (gdb) 158 jindex = (unsigned long *)malloc(indlen); (gdb) 159 if(jindex == NULL) (gdb) p indlen $1 = 12 (gdb) x/16b jindex 0x28210030: 0 0 0 0 0 0 0 0 0x28210038: 0 0 0 0 0 0 0 0 (gdb) b 255 if indptr == 3 Breakpoint 3 at 0x8048fa7: file xjdxgen.c, line 255. (gdb) c Continuing. 255 jindex[indptr] = schi; (gdb) p indptr $2 = 3 (gdb) x/16b jindex 0x28210030: 0 0 0 0 1 0 0 0 0x28210038: 4 0 0 0 0 0 0 0 (gdb) n 256 cstrp = 1; (gdb) x/16b jindex 0x28210030: 0 0 0 0 1 0 0 0 0x28210038: 4 0 0 0 7 0 0 0 (gdb) There are potentially more severe problems that would require significantly more time to examine. This port is relatively inconsequential. The above is purely to illustrate a wider point. mail/spambnc ----------------------------------------------------------------------------- IGNOREFILES= quickstart.shtml IGNOREFILES+= upgrading.shtml SHA256 (spambnc-20060416/quickstart.shtml) = IGNORE SHA256 (spambnc-20060416/upgrading.shtml) = IGNORE ----------------------------------------------------------------------------- Notes: documentation. math/libflame ----------------------------------------------------------------------------- IGNOREFILES= libflame.pdf SHA256 (libflame.pdf) = IGNORE ----------------------------------------------------------------------------- Notes: documentation. net-mgmt/kismet ----------------------------------------------------------------------------- IGNOREFILES= manuf SHA256 (kismet/manuf) = IGNORE ----------------------------------------------------------------------------- Notes: documentation. net/ntopng ----------------------------------------------------------------------------- IGNOREFILES= GeoLiteCity.dat.gz GeoLiteCityv6.dat.gz \ GeoIPASNum.dat.gz GeoIPASNumv6.dat.gz SHA256 (GeoLiteCity.dat.gz) = IGNORE SHA256 (GeoLiteCityv6.dat.gz) = IGNORE SHA256 (GeoIPASNum.dat.gz) = IGNORE SHA256 (GeoIPASNumv6.dat.gz) = IGNORE ----------------------------------------------------------------------------- Notes: program data files with uninvestigated impact. sysutils/apcupsd ----------------------------------------------------------------------------- IGNOREFILES= ${PORTNAME}.pdf SHA256 (apcupsd.pdf) = IGNORE ----------------------------------------------------------------------------- Notes: documentation. www/dillo2 ----------------------------------------------------------------------------- IGNOREFILES+= hyph-${_l}.pat.txt SHA256 (dillo/hyph-af.pat.txt) = IGNORE SHA256 (dillo/hyph-as.pat.txt) = IGNORE SHA256 (dillo/hyph-bg.pat.txt) = IGNORE SHA256 (dillo/hyph-bn.pat.txt) = IGNORE SHA256 (dillo/hyph-ca.pat.txt) = IGNORE SHA256 (dillo/hyph-cop.pat.txt) = IGNORE SHA256 (dillo/hyph-cs.pat.txt) = IGNORE SHA256 (dillo/hyph-cy.pat.txt) = IGNORE SHA256 (dillo/hyph-da.pat.txt) = IGNORE SHA256 (dillo/hyph-de-1901.pat.txt) = IGNORE SHA256 (dillo/hyph-de-1996.pat.txt) = IGNORE SHA256 (dillo/hyph-de-ch-1901.pat.txt) = IGNORE SHA256 (dillo/hyph-el-monoton.pat.txt) = IGNORE SHA256 (dillo/hyph-el-polyton.pat.txt) = IGNORE SHA256 (dillo/hyph-en-gb.pat.txt) = IGNORE SHA256 (dillo/hyph-en-us.pat.txt) = IGNORE SHA256 (dillo/hyph-eo.pat.txt) = IGNORE SHA256 (dillo/hyph-es.pat.txt) = IGNORE SHA256 (dillo/hyph-et.pat.txt) = IGNORE SHA256 (dillo/hyph-eu.pat.txt) = IGNORE SHA256 (dillo/hyph-fi.pat.txt) = IGNORE SHA256 (dillo/hyph-fr.pat.txt) = IGNORE SHA256 (dillo/hyph-fur.pat.txt) = IGNORE SHA256 (dillo/hyph-ga.pat.txt) = IGNORE SHA256 (dillo/hyph-gl.pat.txt) = IGNORE SHA256 (dillo/hyph-grc.pat.txt) = IGNORE SHA256 (dillo/hyph-gu.pat.txt) = IGNORE SHA256 (dillo/hyph-hi.pat.txt) = IGNORE SHA256 (dillo/hyph-hr.pat.txt) = IGNORE SHA256 (dillo/hyph-hsb.pat.txt) = IGNORE SHA256 (dillo/hyph-hu.pat.txt) = IGNORE SHA256 (dillo/hyph-hy.pat.txt) = IGNORE SHA256 (dillo/hyph-ia.pat.txt) = IGNORE SHA256 (dillo/hyph-id.pat.txt) = IGNORE SHA256 (dillo/hyph-is.pat.txt) = IGNORE SHA256 (dillo/hyph-it.pat.txt) = IGNORE SHA256 (dillo/hyph-kmr.pat.txt) = IGNORE SHA256 (dillo/hyph-kn.pat.txt) = IGNORE SHA256 (dillo/hyph-la.pat.txt) = IGNORE SHA256 (dillo/hyph-lt.pat.txt) = IGNORE SHA256 (dillo/hyph-lv.pat.txt) = IGNORE SHA256 (dillo/hyph-ml.pat.txt) = IGNORE SHA256 (dillo/hyph-mn-cyrl.pat.txt) = IGNORE SHA256 (dillo/hyph-mr.pat.txt) = IGNORE SHA256 (dillo/hyph-mul-ethi.pat.txt) = IGNORE SHA256 (dillo/hyph-nb.pat.txt) = IGNORE SHA256 (dillo/hyph-nl.pat.txt) = IGNORE SHA256 (dillo/hyph-nn.pat.txt) = IGNORE SHA256 (dillo/hyph-or.pat.txt) = IGNORE SHA256 (dillo/hyph-pa.pat.txt) = IGNORE SHA256 (dillo/hyph-pl.pat.txt) = IGNORE SHA256 (dillo/hyph-pms.pat.txt) = IGNORE SHA256 (dillo/hyph-pt.pat.txt) = IGNORE SHA256 (dillo/hyph-rm.pat.txt) = IGNORE SHA256 (dillo/hyph-ro.pat.txt) = IGNORE SHA256 (dillo/hyph-ru.pat.txt) = IGNORE SHA256 (dillo/hyph-sa.pat.txt) = IGNORE SHA256 (dillo/hyph-sh-cyrl.pat.txt) = IGNORE SHA256 (dillo/hyph-sh-latn.pat.txt) = IGNORE SHA256 (dillo/hyph-sk.pat.txt) = IGNORE SHA256 (dillo/hyph-sl.pat.txt) = IGNORE SHA256 (dillo/hyph-sr-cyrl.pat.txt) = IGNORE SHA256 (dillo/hyph-sv.pat.txt) = IGNORE SHA256 (dillo/hyph-ta.pat.txt) = IGNORE SHA256 (dillo/hyph-te.pat.txt) = IGNORE SHA256 (dillo/hyph-tk.pat.txt) = IGNORE SHA256 (dillo/hyph-tr.pat.txt) = IGNORE SHA256 (dillo/hyph-uk.pat.txt) = IGNORE SHA256 (dillo/hyph-zh-latn-pinyin.pat.txt) = IGNORE ----------------------------------------------------------------------------- Notes: program data files with uninvestigated impact. www/thttpd ----------------------------------------------------------------------------- IGNOREFILES= notes.html SHA256 (thttpd/notes.html) = IGNORE ----------------------------------------------------------------------------- Notes: documentation. ========================= CATEGORY 3: OK... FOR NOW ========================= "OK" here means the user is at least making a conscious decision. biology/blast ----------------------------------------------------------------------------- # Distfiles change rapidly, but since they can only be downloaded from # the author, this is not a problem. IGNOREFILES= ${DISTFILES} SHA256 (blast2.freebsd-6.x-i686.tar.Z) = IGNORE SHA256 (blast2.freebsd-6.x-x64.tar.Z) = IGNORE ----------------------------------------------------------------------------- Notes: executable code, but port asks user to download distfile manually. chinese/msttf ----------------------------------------------------------------------------- IGNOREFILES= ${MSTTF_SIMHEI} ${MSTTF_SIMSUN} ${MSTTF_TAHOMA} SHA256 (msttf/simhei.ttf) = IGNORE SHA256 (msttf/simsun.ttc) = IGNORE SHA256 (msttf/tahoma.ttf) = IGNORE ----------------------------------------------------------------------------- Notes: port asks user to grab three font files from Windows computer. multimedia/pvr250 ----------------------------------------------------------------------------- IGNOREFILES= hcwPVRP2.sys # Varies from month to month SHA256 (hcwPVRP2.sys) = IGNORE ----------------------------------------------------------------------------- Notes: binary driver, but port asks user to grab it from the product CD. multimedia/pvrxxx ----------------------------------------------------------------------------- IGNOREFILES= hcwPVRP2.sys # Varies from month to month SHA256 (hcwPVRP2.sys) = IGNORE ----------------------------------------------------------------------------- Notes: binary driver, but port asks user to grab it from the product CD.