From: Stefan Bethke
To: Jochen Neumeister
Cc: Remko Lodder, freebsd-security@freebsd.org, ports-secteam@freebsd.org
Subject: Re: PEAR packages potentially contain malicious code
Date: Tue, 22 Jan 2019 17:03:11 +0100

On 22.01.2019 at 07:09, Jochen Neumeister wrote:
> On 21.01.19 21:23, Remko Lodder wrote:
>> Hi Stefan,
>>
>>> On 21 Jan 2019, at 21:18, Stefan Bethke wrote:
>>>
>>> I've just learned that the repository for the PHP PEAR set of extensions had their distribution server compromised.
>>>
>>> https://twitter.com/pear/status/1086634503731404800
>>>
>>> I don't really work with PHP much apart from installing packages of popular PHP web apps on my servers, so I can't tell whether this code made it onto machines building from PEAR sources, or even into FreeBSD binary packages of PEAR extensions. Given the large user base for these packages, some advice to FreeBSD users might be well received.
>> Thank you for sending the heads-up to the FreeBSD users.
>> I have CC'ed ports-secteam; they will handle this with due care when more information is available and they can act upon something.
>> I have BCC'ed the maintainer for the PHP port(s), but I am not entirely sure whether he maintains all the pear ports as well.
>>
> I just took net/pear-Net_SMTP as an example and compared it with "make makesum" SHA256 and SIZE.
> The values are the same. So the packages are not compromised.
> But today I will start testing all PEAR ports for different values. This can unfortunately take time.
> If a port has different values, it would be good to mark it as BROKEN and, if the project is on GitHub, to switch.

I think the issue is not whether the FreeBSD packages have been manipulated after they have been built, but whether they have been built from compromised sources downloaded from pear.php.net. I haven't looked into the details of the port build process with composer, but it appears to me that packages built in the last 6 months would (potentially) have downloaded sources from the compromised system.

Stefan

--
Stefan Bethke   Fon +49 151 14070811
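The distinfo comparison Jochen describes, as an added example that is not code from the FreeBSD ports tree or from anyone in this thread: a small POSIX sh script that checks a fetched distfile's SHA256 and SIZE against a port's distinfo, which is the check "make checksum" performs against the values "make makesum" recorded. The distinfo file and the distfile are constructed sample data (the distfile is the three bytes "abc", whose SHA-256 is well known); the port name "Sample-1.0.tgz" is invented. The script also shows the caveat Stefan raises: a match only proves the file is byte-identical to whatever was hashed when distinfo was generated, so it cannot detect a distfile that was already compromised at "make makesum" time. Detecting that needs an independent reference, such as the upstream GitHub release or a copy fetched before the compromise.

```shell
#!/bin/sh
# Added example: verify a distfile against a port's distinfo (SHA256 and SIZE),
# then show the same check failing on a tampered copy. All data below is
# constructed sample data, not taken from the FreeBSD ports tree.

set -u

# Portable SHA-256 of a file: sha256(1) on FreeBSD, sha256sum(1) elsewhere.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# File size in bytes; arithmetic expansion strips the padding BSD wc(1) adds.
file_size() {
    echo $(( $(wc -c < "$1") ))
}

# Read one recorded value from distinfo. Lines have the form
#   SHA256 (Sample-1.0.tgz) = <hex>
#   SIZE (Sample-1.0.tgz) = <bytes>
distinfo_field() {  # distinfo_field <distinfo> <FIELD> <distfile basename>
    awk -v f="$2" -v n="($3)" '$1 == f && $2 == n { print $4; exit }' "$1"
}

# Returns 0 when both SHA256 and SIZE match distinfo, 1 otherwise.
# A missing entry counts as a failure rather than a pass.
verify_distinfo() {  # verify_distinfo <distinfo> <distfile>
    name=$(basename "$2")
    want_sha=$(distinfo_field "$1" SHA256 "$name")
    want_size=$(distinfo_field "$1" SIZE "$name")
    [ -n "$want_sha" ] && [ -n "$want_size" ] || return 1
    [ "$(file_sha256 "$2")" = "$want_sha" ] || return 1
    [ "$(file_size "$2")" = "$want_size" ] || return 1
    return 0
}

# --- constructed sample data ------------------------------------------------
WORK=$(mktemp -d)
DISTINFO="$WORK/distinfo"
DISTFILE="$WORK/Sample-1.0.tgz"

# The "distfile" is the bytes "abc"; SHA-256("abc") is the well-known value
# recorded in the constructed distinfo below.
printf 'abc' > "$DISTFILE"
cat > "$DISTINFO" <<'EOF'
TIMESTAMP = 1547000000
SHA256 (Sample-1.0.tgz) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SIZE (Sample-1.0.tgz) = 3
EOF

# Untouched distfile: the check passes.
verify_distinfo "$DISTINFO" "$DISTFILE" && echo "Sample-1.0.tgz: checksum OK"

# Tampered copy with one byte appended, as a compromised mirror might serve:
# the check fails. Note that a file that was already tampered with when
# "make makesum" ran would pass this check, which is the limit of the method.
TAMPERED="$WORK/tampered/Sample-1.0.tgz"
mkdir -p "$WORK/tampered"
cp "$DISTFILE" "$TAMPERED"
printf 'x' >> "$TAMPERED"
verify_distinfo "$DISTINFO" "$TAMPERED" || echo "tampered Sample-1.0.tgz: checksum MISMATCH"
```

On a FreeBSD system the same function can be pointed at a real port, e.g. verify_distinfo /usr/ports/net/pear-Net_SMTP/distinfo /usr/ports/distfiles/<distfile>, but that only restates what "make checksum" already does; the useful extra step is to compare the distfile against a second source that the compromised server never touched.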