Date: Tue, 22 Jan 2019 17:03:11 +0100
From: Stefan Bethke <stb@lassitu.de>
To: Jochen Neumeister <joneum@FreeBSD.org>
Cc: Remko Lodder <remko@FreeBSD.org>, freebsd-security@freebsd.org, "ports-secteam@freebsd.org" <ports-secteam@FreeBSD.org>
Subject: Re: PEAR packages potentially contain malicious code
Message-ID: <9F62C279-D5B3-443C-91F6-E0D4339A68D4@lassitu.de>
In-Reply-To: <97c1a502-293a-d5b0-3910-2954ca19c5ff@FreeBSD.org>
References: <442DD3E6-5954-4B5B-808B-A2DFE5D7DE4D@lassitu.de> <8090C0B2-AF5C-4031-93A5-2F33F28B9959@FreeBSD.org> <97c1a502-293a-d5b0-3910-2954ca19c5ff@FreeBSD.org>
On 22.01.2019 at 07:09, Jochen Neumeister <joneum@FreeBSD.org> wrote:

> On 21.01.19 21:23, Remko Lodder wrote:
>> Hi Stefan,
>>
>>> On 21 Jan 2019, at 21:18, Stefan Bethke <stb@lassitu.de> wrote:
>>>
>>> I’ve just learned that the repository for the PHP PEAR set of extensions had their distribution server compromised.
>>>
>>> https://twitter.com/pear/status/1086634503731404800
>>>
>>> I don’t really work with PHP much apart from installing packages of popular PHP web apps on my servers, so I can’t tell whether this code made it onto machines building from PEAR sources, or even into FreeBSD binary packages of PEAR extensions. Given the large user base for these packages, some advice to FreeBSD users might be well received.
>> Thank you for sending the heads-up to the FreeBSD users.
>> I have CC’ed ports-secteam, they will handle with due care when more information is available and they can act upon something.
>> I have BCC’ed the maintainer for the PHP port(s), but I am not entirely sure whether he maintains all the pear ports as well.
>>
> I just took net/pear-Net_SMTP as an example and compared it with "make makesum" SHA256 and SIZE.
> The values are the same. So the packages are not compromised.
> But today I will start testing all PEAR ports for different values. This can unfortunately take time.
> If a port has different values, it would be good to mark it as BROKEN and if the project is on GitHub, to switch.

I think the issue is not whether the FreeBSD packages have been manipulated after they have been built, but whether they have been built based on compromised sources downloaded from pear.php.net. I haven’t looked into the details of the port build processes with composer, but it appears to me that packages built in the last 6 months would (potentially) have downloaded sources from the compromised system.

Stefan

--
Stefan Bethke <stb@lassitu.de>   Fon +49 151 14070811
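The comparison Jochen describes, a distfile's SHA256 and SIZE checked against the port's distinfo, written out as a small script. This is an added example and not code from the thread or from the FreeBSD ports tree; it assumes the distinfo line format shown in its header comment, the file names and contents in the demo are constructed, and the `/usr/ports/...` paths in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): verify a ports distfile against the
# SHA256 and SIZE lines in the port's distinfo, i.e. the same comparison
# that "make makesum" output was checked against in the thread.
# Assumed distinfo format (FreeBSD ports):
#   TIMESTAMP = 1547000000
#   SHA256 (Net_SMTP-1.9.0.tgz) = <64 hex chars>
#   SIZE (Net_SMTP-1.9.0.tgz) = <bytes>
# File names and contents used by demo() are constructed for this example.

# Hex SHA256 of a file; FreeBSD ships sha256(1), Linux ships sha256sum(1).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{ print $1 }'
    fi
}

# Size in bytes, stripped of the padding BSD wc(1) prints.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# check_distfile DISTINFO DISTFILE
# Prints one line and returns 0 (match), 1 (mismatch) or 2 (no entry).
check_distfile() {
    distinfo=$1
    file=$2
    name=$(basename "$file")
    want_sha=$(awk -v n="$name" '$1 == "SHA256" && $2 == "(" n ")" { print $4 }' "$distinfo")
    want_size=$(awk -v n="$name" '$1 == "SIZE" && $2 == "(" n ")" { print $4 }' "$distinfo")
    if [ -z "$want_sha" ] || [ -z "$want_size" ]; then
        echo "NO-ENTRY $name: distinfo has no SHA256/SIZE line for it"
        return 2
    fi
    have_sha=$(sha256_of "$file")
    have_size=$(size_of "$file")
    if [ "$have_sha" = "$want_sha" ] && [ "$have_size" = "$want_size" ]; then
        echo "OK $name"
        return 0
    fi
    echo "MISMATCH $name: sha256 $have_sha (distinfo $want_sha), size $have_size (distinfo $want_size)"
    return 1
}

# Demo on constructed data: a distinfo written from a known-good file, then
# the same file after one byte is appended, as a tampered download would look.
demo() {
    d=$(mktemp -d)
    f="$d/Net_SMTP-1.9.0.tgz"              # constructed name, not a real release
    printf 'constructed distfile contents\n' > "$f"
    {
        echo "TIMESTAMP = 1547000000"
        echo "SHA256 (Net_SMTP-1.9.0.tgz) = $(sha256_of "$f")"
        echo "SIZE (Net_SMTP-1.9.0.tgz) = $(size_of "$f")"
    } > "$d/distinfo"
    check_distfile "$d/distinfo" "$f"                              # OK
    printf 'x' >> "$f"
    check_distfile "$d/distinfo" "$f" || echo "(exit status $?)"  # MISMATCH
    rm -rf "$d"
}

# Real use (paths illustrative):
#   sh check_distfile.sh /usr/ports/net/pear-Net_SMTP/distinfo \
#       /usr/ports/distfiles/Net_SMTP-1.9.0.tgz
if [ $# -eq 2 ]; then
    check_distfile "$1" "$2"
else
    demo
fi
```

A match only shows that the file on disk is byte-for-byte what the port committer fetched when distinfo was generated. It says nothing about whether that fetch itself came from the compromised server, which is the concern the reply above raises: if distinfo was regenerated from a tampered download, the tampered file is the one that matches.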
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9F62C279-D5B3-443C-91F6-E0D4339A68D4>