From owner-svn-src-releng@freebsd.org Wed Sep 28 22:04:08 2016 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 82C97C0152B; Wed, 28 Sep 2016 22:04:08 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4F6CBA51; Wed, 28 Sep 2016 22:04:08 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u8SM47rr062365; Wed, 28 Sep 2016 22:04:07 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u8SM478Q062364; Wed, 28 Sep 2016 22:04:07 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201609282204.u8SM478Q062364@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Wed, 28 Sep 2016 22:04:07 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r306419 - releng/11.0/usr.sbin/portsnap/portsnap X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Sep 2016 22:04:08 -0000 Author: emaste Date: Wed Sep 28 22:04:07 2016 New Revision: 306419 URL: https://svnweb.freebsd.org/changeset/base/306419 Log: MFS r306418: portsnap: only move expected snapshot contents from snap/ to files/ Previously it was possible to smuggle in addional files that would be used by later portsnap runs. Now we only move those files expected to be in the snapshot into files/ and require that there are no unexpected files. This was used by portsnap attacks 2, 3, and 4 in the "non-cryptanalytic attacks against FreeBSD update components" anonymous gist. Approved by: re (gjb) Modified: releng/11.0/usr.sbin/portsnap/portsnap/portsnap.sh Directory Properties: releng/11.0/ (props changed) Modified: releng/11.0/usr.sbin/portsnap/portsnap/portsnap.sh ============================================================================== --- releng/11.0/usr.sbin/portsnap/portsnap/portsnap.sh Wed Sep 28 21:33:35 2016 (r306418) +++ releng/11.0/usr.sbin/portsnap/portsnap/portsnap.sh Wed Sep 28 22:04:07 2016 (r306419) @@ -691,6 +691,13 @@ fetch_snapshot() { fetch_index_sanity || return 1 # Verify the snapshot contents cut -f 2 -d '|' INDEX.new | fetch_snapshot_verify || return 1 + cut -f 2 -d '|' tINDEX.new INDEX.new | sort -u > files.expected + find snap -mindepth 1 | sed -E 's^snap/(.*)\.gz^\1^' | sort > files.snap + if ! cmp -s files.expected files.snap; then + echo "unexpected files in snapshot." + return 1 + fi + rm files.expected files.snap echo "done." # Move files into their proper locations