From owner-svn-src-all@freebsd.org  Wed Sep 28 21:22:52 2016
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7EB14C019AD;
 Wed, 28 Sep 2016 21:22:52 +0000 (UTC)
 (envelope-from emaste@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4E04511F1;
 Wed, 28 Sep 2016 21:22:52 +0000 (UTC)
 (envelope-from emaste@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u8SLMpJ2047703;
 Wed, 28 Sep 2016 21:22:51 GMT (envelope-from emaste@FreeBSD.org)
Received: (from emaste@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id u8SLMprw047702;
 Wed, 28 Sep 2016 21:22:51 GMT (envelope-from emaste@FreeBSD.org)
Message-Id: <201609282122.u8SLMprw047702@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: emaste set sender to
 emaste@FreeBSD.org using -f
From: Ed Maste <emaste@FreeBSD.org>
Date: Wed, 28 Sep 2016 21:22:51 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r306417 - head/usr.sbin/portsnap/portsnap
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2016 21:22:52 -0000

Author: emaste
Date: Wed Sep 28 21:22:51 2016
New Revision: 306417
URL: https://svnweb.freebsd.org/changeset/base/306417

Log:
  portsnap: only move expected snapshot contents from snap/ to files/
  
  Previously it was possible to smuggle in addional files that would
  be used by later portsnap runs. Now we only move those files expected
  to be in the snapshot into files/ and require that there are no
  unexpected files.
  
  This was used by portsnap attacks 2, 3, and 4 in the "non-cryptanalytic
  attacks against FreeBSD update components" anonymous gist.
  
  Reported by:	anonymous gist
  Reviewed by:	allanjude, delphij
  MFC after:	ASAP
  Sponsored by:	The FreeBSD Foundation
  Differential Revision:	https://reviews.freebsd.org/D8052

Modified:
  head/usr.sbin/portsnap/portsnap/portsnap.sh

Modified: head/usr.sbin/portsnap/portsnap/portsnap.sh
==============================================================================
--- head/usr.sbin/portsnap/portsnap/portsnap.sh	Wed Sep 28 20:54:47 2016	(r306416)
+++ head/usr.sbin/portsnap/portsnap/portsnap.sh	Wed Sep 28 21:22:51 2016	(r306417)
@@ -691,6 +691,13 @@ fetch_snapshot() {
 	fetch_index_sanity || return 1
 # Verify the snapshot contents
 	cut -f 2 -d '|' INDEX.new | fetch_snapshot_verify || return 1
+	cut -f 2 -d '|' tINDEX.new INDEX.new | sort -u > files.expected
+	find snap -mindepth 1 | sed -E 's^snap/(.*)\.gz^\1^' | sort > files.snap
+	if ! cmp -s files.expected files.snap; then
+		echo "unexpected files in snapshot."
+		return 1
+	fi
+	rm files.expected files.snap
 	echo "done."
 
 # Move files into their proper locations