From owner-svn-ports-head@freebsd.org Tue Aug 13 10:31:19 2019 Return-Path: Delivered-To: svn-ports-head@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 2D255AA45E; Tue, 13 Aug 2019 10:31:19 +0000 (UTC) (envelope-from mat@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4678Bv0Jtyz4fh1; Tue, 13 Aug 2019 10:31:19 +0000 (UTC) (envelope-from mat@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id E212FDF96; Tue, 13 Aug 2019 10:31:18 +0000 (UTC) (envelope-from mat@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x7DAVI6c023611; Tue, 13 Aug 2019 10:31:18 GMT (envelope-from mat@FreeBSD.org) Received: (from mat@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x7DAVIE4023610; Tue, 13 Aug 2019 10:31:18 GMT (envelope-from mat@FreeBSD.org) Message-Id: <201908131031.x7DAVIE4023610@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: mat set sender to mat@FreeBSD.org using -f From: Mathieu Arnold Date: Tue, 13 Aug 2019 10:31:18 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r508819 - head/Mk/Scripts X-SVN-Group: ports-head X-SVN-Commit-Author: mat X-SVN-Commit-Paths: head/Mk/Scripts X-SVN-Commit-Revision: 508819 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Aug 2019 10:31:19 -0000 Author: mat Date: Tue Aug 13 10:31:18 2019 New Revision: 508819 URL: https://svnweb.freebsd.org/changeset/ports/508819 Log: Force ports depending on a fetch target to actually run checksum. This prevents an improbable MITM attack on dependencies where the target is "fetch" and the port is built manuallt. (Which means a port depends on a dependency being fetched, but not built or anything else.) In this case, as the target is only "fetch", the distribution files of the dependency are not checked against the dependency's distinfo file. One could, in theory, impersonate the dependency's master site and provide a malicious distribution file. The ports that could in theory be affected are russian/gd, ukrainian/gd, and ukrainian/webalizer. They are only affected when building manually, as when building with poudriere, the *-depends target do not have network access, and the build would fail if the distribution files are not already present. (From the dependencies being built normally, where checksum would have ran.) The detail is described here: https://www.reddit.com/r/BSD/comments/br62hm/freebsd_cryptographic_bypass_and_mitmbased/ Reported by: emaste (on IRC) Reviewed by: swills emaste antoine MFH: 2019Q3 Differential Revision: https://reviews.freebsd.org/D21230 Modified: head/Mk/Scripts/do-depends.sh (contents, props changed) Modified: head/Mk/Scripts/do-depends.sh ============================================================================== --- head/Mk/Scripts/do-depends.sh Tue Aug 13 09:25:26 2019 (r508818) +++ head/Mk/Scripts/do-depends.sh Tue Aug 13 10:31:18 2019 (r508819) @@ -138,7 +138,13 @@ for _line in ${dp_RAWDEPENDS} ; do depends_args="${dp_DEPENDS_ARGS}" target=${dp_DEPENDS_TARGET} if [ -n "${last}" ]; then - target=${last} + # In case we depend on the fetch stage, actually run checksum, + # this prevent a MITM attack. + if [ "${last}" = "fetch" ]; then + target=checksum + else + target=${last} + fi if [ -n "${dp_DEPENDS_PRECLEAN}" ]; then target="clean ${target}" depends_args="${depends_args:+${depends_args} }NOCLEANDEPENDS=yes"