Date: Tue, 13 Aug 2019 10:31:18 +0000 (UTC) From: Mathieu Arnold <mat@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r508819 - head/Mk/Scripts Message-ID: <201908131031.x7DAVIE4023610@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: mat Date: Tue Aug 13 10:31:18 2019 New Revision: 508819 URL: https://svnweb.freebsd.org/changeset/ports/508819 Log: Force ports depending on a fetch target to actually run checksum. This prevents an improbable MITM attack on dependencies where the target is "fetch" and the port is built manuallt. (Which means a port depends on a dependency being fetched, but not built or anything else.) In this case, as the target is only "fetch", the distribution files of the dependency are not checked against the dependency's distinfo file. One could, in theory, impersonate the dependency's master site and provide a malicious distribution file. The ports that could in theory be affected are russian/gd, ukrainian/gd, and ukrainian/webalizer. They are only affected when building manually, as when building with poudriere, the *-depends target do not have network access, and the build would fail if the distribution files are not already present. (From the dependencies being built normally, where checksum would have ran.) The detail is described here: https://www.reddit.com/r/BSD/comments/br62hm/freebsd_cryptographic_bypass_and_mitmbased/ Reported by: emaste (on IRC) Reviewed by: swills emaste antoine MFH: 2019Q3 Differential Revision: https://reviews.freebsd.org/D21230 Modified: head/Mk/Scripts/do-depends.sh (contents, props changed) Modified: head/Mk/Scripts/do-depends.sh ============================================================================== --- head/Mk/Scripts/do-depends.sh Tue Aug 13 09:25:26 2019 (r508818) +++ head/Mk/Scripts/do-depends.sh Tue Aug 13 10:31:18 2019 (r508819) @@ -138,7 +138,13 @@ for _line in ${dp_RAWDEPENDS} ; do depends_args="${dp_DEPENDS_ARGS}" target=${dp_DEPENDS_TARGET} if [ -n "${last}" ]; then - target=${last} + # In case we depend on the fetch stage, actually run checksum, + # this prevent a MITM attack. + if [ "${last}" = "fetch" ]; then + target=checksum + else + target=${last} + fi if [ -n "${dp_DEPENDS_PRECLEAN}" ]; then target="clean ${target}" depends_args="${depends_args:+${depends_args} }NOCLEANDEPENDS=yes"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201908131031.x7DAVIE4023610>