From owner-freebsd-security@freebsd.org Mon Jan 21 20:19:02 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0C13914B6785 for ; Mon, 21 Jan 2019 20:19:02 +0000 (UTC) (envelope-from stb@lassitu.de) Received: from gilb.zs64.net (gilb.zs64.net [IPv6:2a00:14b0:4200:32e0::1ea]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "gilb.zs64.net", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 13CB676BFF for ; Mon, 21 Jan 2019 20:19:01 +0000 (UTC) (envelope-from stb@lassitu.de) Received: by gilb.zs64.net (Postfix, from stb@lassitu.de) id 2AF472077CF for ; Mon, 21 Jan 2019 20:19:00 +0000 (UTC) From: Stefan Bethke Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\)) Subject: PEAR packages potentially contain malicious code Message-Id: <442DD3E6-5954-4B5B-808B-A2DFE5D7DE4D@lassitu.de> Date: Mon, 21 Jan 2019 21:18:59 +0100 To: freebsd-security@freebsd.org X-Mailer: Apple Mail (2.3445.102.3) X-Rspamd-Queue-Id: 13CB676BFF X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of stb@lassitu.de designates 2a00:14b0:4200:32e0::1ea as permitted sender) smtp.mailfrom=stb@lassitu.de X-Spamd-Result: default: False [-0.25 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.24)[-0.240,0]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+mx]; MV_CASE(0.50)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-0.36)[-0.361,0]; RCVD_TLS_LAST(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MX_GOOD(-0.01)[cached: gilb.zs64.net]; DMARC_NA(0.00)[lassitu.de]; NEURAL_SPAM_SHORT(0.09)[0.087,0]; IP_SCORE(0.07)[ipnet: 2a00:14b0::/32(0.20), asn: 13135(0.16), country: DE(-0.01)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:13135, ipnet:2a00:14b0::/32, country:DE]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Jan 2019 20:19:02 -0000 I=E2=80=99ve just learned that the repository for the PHP PEAR set of = extensions had their distribution server compromised. https://twitter.com/pear/status/1086634503731404800 I don=E2=80=99t really work with PHP much apart from installing packages = of popular PHP web apps on my servers, so I can=E2=80=99t tell whether = this code made it onto machines building from PEAR sources, or even into = FreeBSD binary packages of PEAR extensions. Given the large user base = for these packages, some advice to FreeBSD users might be well received. Thanks, Stefan --=20 Stefan Bethke Fon +49 151 14070811