Date: Wed, 19 Aug 2015 18:33:26 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r286936 - stable/9/usr.sbin/pkg Message-ID: <201508191833.t7JIXQqi079717@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Wed Aug 19 18:33:25 2015 New Revision: 286936 URL: https://svnweb.freebsd.org/changeset/base/286936 Log: Instant-MFC r286933: Issue warning and refuse to proceed further if the configured repository signature_type is unsupported by bootstrap pkg(7). Previously, when signature_type specified an unsupported method, the bootstrap pkg(7) would proceed like when signature_type is "none". MITM attackers may be able to use this vulnerability and bypass validation and install their own versions of pkg(8). At this time, only fingerprint and none are supported by the bootstrap pkg(7). FreeBSD's official pkg(8) repository uses the fingerprint method and is therefore unaffected. Errata candidate. Modified: stable/9/usr.sbin/pkg/pkg.c Directory Properties: stable/9/usr.sbin/pkg/ (props changed) Modified: stable/9/usr.sbin/pkg/pkg.c ============================================================================== --- stable/9/usr.sbin/pkg/pkg.c Wed Aug 19 18:32:36 2015 (r286935) +++ stable/9/usr.sbin/pkg/pkg.c Wed Aug 19 18:33:25 2015 (r286936) @@ -750,7 +750,13 @@ bootstrap_pkg(bool force) goto fetchfail; if (signature_type != NULL && - strcasecmp(signature_type, "FINGERPRINTS") == 0) { + strcasecmp(signature_type, "NONE") != 0) { + if (strcasecmp(signature_type, "FINGERPRINTS") != 0) { + warnx("Signature type %s is not supported for " + "bootstrapping.", signature_type); + goto cleanup; + } + snprintf(tmpsig, MAXPATHLEN, "%s/pkg.txz.sig.XXXXXX", getenv("TMPDIR") ? getenv("TMPDIR") : _PATH_TMP); snprintf(url, MAXPATHLEN, "%s/Latest/pkg.txz.sig", @@ -835,7 +841,13 @@ bootstrap_pkg_local(const char *pkgpath, return (-1); } if (signature_type != NULL && - strcasecmp(signature_type, "FINGERPRINTS") == 0) { + strcasecmp(signature_type, "NONE") != 0) { + if (strcasecmp(signature_type, "FINGERPRINTS") != 0) { + warnx("Signature type %s is not supported for " + "bootstrapping.", signature_type); + goto cleanup; + } + snprintf(path, sizeof(path), "%s.sig", pkgpath); if ((fd_sig = open(path, O_RDONLY)) == -1) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201508191833.t7JIXQqi079717>