Date: Tue, 22 Jan 2019 17:27:45 +0100
From: Franco Fichtner <franco@lastsummer.de>
To: Stefan Bethke <stb@lassitu.de>
Cc: freebsd-security@freebsd.org, "ports-secteam@freebsd.org" <ports-secteam@FreeBSD.org>
Subject: Re: PEAR packages potentially contain malicious code
Message-ID: <7E861664-7F7A-4461-969E-CA0570131706@lastsummer.de>
In-Reply-To: <ADCF732E-2606-454A-866C-C091F90B2E5E@lassitu.de>
References: <442DD3E6-5954-4B5B-808B-A2DFE5D7DE4D@lassitu.de> <8090C0B2-AF5C-4031-93A5-2F33F28B9959@FreeBSD.org> <97c1a502-293a-d5b0-3910-2954ca19c5ff@FreeBSD.org> <9F62C279-D5B3-443C-91F6-E0D4339A68D4@lassitu.de> <ADCF732E-2606-454A-866C-C091F90B2E5E@lassitu.de>
> On 22. Jan 2019, at 5:15 PM, Stefan Bethke <stb@lassitu.de> wrote:
>
> On top of ports and packages depending on PEAR modules, some ports download archives containing vendored versions, for example, mail/roundcube. For roundcube, I opened https://github.com/roundcube/roundcubemail/issues/6598 to clarify.

I fail to understand how mismatching package checksums for cached package files are an indication of compromised distfiles, which have pinned size and checksums in the FreeBSD ports tree since forever.

If you say you build your own packages (and install them), a mismatch in pkg-cache files is normal, because pkg will complain about a drift between the mirror-provided packages and your local ones when it detects them, which happens when you have a package file created from different sources, the ports tree and the binary mirror.

This will likely get rid of the mismatch by merely purging your local package cache...

# pkg clean -ya

Cheers,
Franco
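The distinction Franco draws is between the pkg cache (which may legitimately drift when local builds and mirror packages coexist) and the distfile pins in the ports tree, which are what actually guard against a tampered upstream archive. The script below, added here as an illustration and not part of the thread or of the ports infrastructure, checks a downloaded distfile against the `SHA256 (name) = ...` and `SIZE (name) = ...` lines that a port's distinfo carries. The distinfo, the file names and their contents are constructed fixtures written to a temporary directory so the script runs offline; the tampered file is pinned to the original hash and size to show what a mismatch looks like.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify a distfile against
# the SHA256 and SIZE values pinned in a port's distinfo. Everything under
# $DEMO is a constructed fixture, not a real port.

# Portable SHA-256 of a file: sha256sum on GNU/Linux, sha256 -q on FreeBSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# check_distfile DISTINFO DISTDIR NAME
# Returns 0 when hash and size both match, 1 on mismatch, 2 when distinfo
# has no entry for NAME (an unpinned distfile should be treated as a failure too).
check_distfile() {
    distinfo=$1 distdir=$2 name=$3
    want_sum=$(grep -F "SHA256 ($name) = " "$distinfo" | sed 's/^.*= //')
    want_size=$(grep -F "SIZE ($name) = " "$distinfo" | sed 's/^.*= //')
    if [ -z "$want_sum" ] || [ -z "$want_size" ]; then
        echo "NO-ENTRY $name"
        return 2
    fi
    got_sum=$(sha256_of "$distdir/$name")
    got_size=$(wc -c < "$distdir/$name" | tr -d ' ')
    if [ "$got_sum" = "$want_sum" ] && [ "$got_size" = "$want_size" ]; then
        echo "OK $name"
        return 0
    fi
    echo "MISMATCH $name: sha256 $got_sum (want $want_sum) size $got_size (want $want_size)"
    return 1
}

# --- constructed fixture: a distinfo plus a distfiles directory ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/distfiles"
printf 'pretend this is a release tarball\n' > "$DEMO/distfiles/good-1.0.tar.gz"
printf 'pretend this is a release tarball\n' > "$DEMO/distfiles/tampered-1.0.tar.gz"
printf 'extra bytes injected after the pin was recorded\n' >> "$DEMO/distfiles/tampered-1.0.tar.gz"
GOOD_SUM=$(sha256_of "$DEMO/distfiles/good-1.0.tar.gz")
GOOD_SIZE=$(wc -c < "$DEMO/distfiles/good-1.0.tar.gz" | tr -d ' ')
{
    echo "TIMESTAMP = 1548000000"
    echo "SHA256 (good-1.0.tar.gz) = $GOOD_SUM"
    echo "SIZE (good-1.0.tar.gz) = $GOOD_SIZE"
    # The tampered file is deliberately pinned to the ORIGINAL hash and size.
    echo "SHA256 (tampered-1.0.tar.gz) = $GOOD_SUM"
    echo "SIZE (tampered-1.0.tar.gz) = $GOOD_SIZE"
} > "$DEMO/distinfo"

# Demonstration run: one clean file, one altered file, one with no pin at all.
check_distfile "$DEMO/distinfo" "$DEMO/distfiles" good-1.0.tar.gz || true
check_distfile "$DEMO/distinfo" "$DEMO/distfiles" tampered-1.0.tar.gz || true
check_distfile "$DEMO/distinfo" "$DEMO/distfiles" unknown-1.0.tar.gz || true
```

Against a real ports checkout the same function would be pointed at `/usr/ports/<category>/<port>/distinfo` and the `DISTDIR` (by default `/usr/ports/distfiles`); this is the check that `make checksum` performs for you, and it is the one that matters for an upstream compromise, independent of whatever state the pkg cache is in.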