From owner-freebsd-bugs@FreeBSD.ORG Thu Apr 10 16:30:01 2014 Return-Path: Delivered-To: freebsd-bugs@smarthost.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id DF2AE33E for ; Thu, 10 Apr 2014 16:30:01 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A205D16AB for ; Thu, 10 Apr 2014 16:30:01 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.8/8.14.8) with ESMTP id s3AGU1d4042182 for ; Thu, 10 Apr 2014 16:30:01 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.8/8.14.8/Submit) id s3AGU1Or042181; Thu, 10 Apr 2014 16:30:01 GMT (envelope-from gnats) Resent-Date: Thu, 10 Apr 2014 16:30:01 GMT Resent-Message-Id: <201404101630.s3AGU1Or042181@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, David Noel Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E92921A8 for ; Thu, 10 Apr 2014 16:20:13 +0000 (UTC) Received: from cgiserv.freebsd.org (cgiserv.freebsd.org [IPv6:2001:1900:2254:206a::50:4]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D67B915B4 for ; Thu, 10 Apr 2014 16:20:13 +0000 (UTC) Received: from cgiserv.freebsd.org ([127.0.1.6]) by cgiserv.freebsd.org (8.14.8/8.14.8) with ESMTP id s3AGKD3r088392 for ; Thu, 10 Apr 2014 16:20:13 GMT (envelope-from nobody@cgiserv.freebsd.org) Received: (from nobody@localhost) by cgiserv.freebsd.org (8.14.8/8.14.8/Submit) id s3AGKDhC088385; Thu, 10 Apr 2014 16:20:13 GMT (envelope-from nobody) Message-Id: <201404101620.s3AGKDhC088385@cgiserv.freebsd.org> Date: Thu, 10 Apr 2014 16:20:13 GMT From: David Noel To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.1 Subject: kern/188432: MITM attacks against portsnap mirrors (pmirror.sh) X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Apr 2014 16:30:01 -0000 >Number: 188432 >Category: kern >Synopsis: MITM attacks against portsnap mirrors (pmirror.sh) >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Apr 10 16:30:01 UTC 2014 >Closed-Date: >Last-Modified: >Originator: David Noel >Release: 9.2 >Organization: >Environment: >Description: The portsnap mirroring script pmirror.sh lacks of any sort of mechanism to verify fetched data prior to processing and mirroring it. Without this, mirrors are open to compromise via decompression library exploitation. It also means an attacker could feed a mirror a corrupt archive, opening users of that mirror to compromise. >How-To-Repeat: >Fix: Solution summary: The addition of hashes and hash verification code to pmirror.sh. The lines of concern in pmirror.sh are 99-103, 121-125, 138-149, and 153-157. >Release-Note: >Audit-Trail: >Unformatted: