From owner-svn-ports-all@freebsd.org Tue Aug 13 10:31:59 2019
Delivered-To: svn-ports-all@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 1DAB0AA70A; Tue, 13 Aug 2019 10:31:59 +0000 (UTC) (envelope-from mat@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4678Cg02Ymz4fvH; Tue, 13 Aug 2019 10:31:59 +0000 (UTC) (envelope-from mat@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D6FD3DFDB; Tue, 13 Aug 2019 10:31:58 +0000 (UTC) (envelope-from mat@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x7DAVwhq023773; Tue, 13 Aug 2019 10:31:58 GMT (envelope-from mat@FreeBSD.org)
Received: (from mat@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x7DAVwb0023772; Tue, 13 Aug 2019 10:31:58 GMT (envelope-from mat@FreeBSD.org)
Message-Id: <201908131031.x7DAVwb0023772@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: mat set sender to mat@FreeBSD.org using -f
From: Mathieu Arnold
Date: Tue, 13 Aug 2019 10:31:58 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r508820 - branches/2019Q3/Mk/Scripts
X-SVN-Group: ports-branches
X-SVN-Commit-Author: mat
X-SVN-Commit-Paths: branches/2019Q3/Mk/Scripts
X-SVN-Commit-Revision: 508820
X-SVN-Commit-Repository: ports
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for the ports tree
X-List-Received-Date: Tue, 13 Aug 2019 10:31:59 -0000

Author: mat
Date: Tue Aug 13 10:31:58 2019
New Revision: 508820

URL: https://svnweb.freebsd.org/changeset/ports/508820

Log:
  MFH: r508819

  Force ports depending on a fetch target to actually run checksum.

  This prevents an improbable MITM attack on dependencies where the target is
  "fetch" and the port is built manually. (Which means a port depends on a
  dependency being fetched, but not built or anything else.)

  In this case, as the target is only "fetch", the distribution files of the
  dependency are not checked against the dependency's distinfo file. One could,
  in theory, impersonate the dependency's master site and provide a malicious
  distribution file.

  The ports that could in theory be affected are russian/gd, ukrainian/gd, and
  ukrainian/webalizer. They are only affected when building manually, as when
  building with poudriere, the *-depends targets do not have network access,
  and the build would fail if the distribution files are not already present.
  (From the dependencies being built normally, where checksum would have run.)
  The detail is described here:
  https://www.reddit.com/r/BSD/comments/br62hm/freebsd_cryptographic_bypass_and_mitmbased/

  Reported by:	emaste (on IRC)
  Reviewed by:	swills emaste antoine
  Differential Revision:	https://reviews.freebsd.org/D21230

Modified:
  branches/2019Q3/Mk/Scripts/do-depends.sh
Directory Properties:
  branches/2019Q3/   (props changed)

Modified: branches/2019Q3/Mk/Scripts/do-depends.sh ============================================================================== --- branches/2019Q3/Mk/Scripts/do-depends.sh Tue Aug 13 10:31:18 2019 (r508819) +++ branches/2019Q3/Mk/Scripts/do-depends.sh Tue Aug 13 10:31:58 2019 (r508820) @@ -138,7 +138,13 @@ for _line in ${dp_RAWDEPENDS} ; do depends_args="${dp_DEPENDS_ARGS}" target=${dp_DEPENDS_TARGET} if [ -n "${last}" ]; then - target=${last} + # In case we depend on the fetch stage, actually run checksum, + # this prevent a MITM attack. + if [ "${last}" = "fetch" ]; then + target=checksum + else + target=${last} + fi if [ -n "${dp_DEPENDS_PRECLEAN}" ]; then target="clean ${target}" depends_args="${depends_args:+${depends_args} }NOCLEANDEPENDS=yes"
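Review bot: the new `[ "${last}" = "fetch" ]` test only runs inside `if [ -n "${last}" ]`, so it rewrites a per-dependency `:fetch` suffix but leaves the default path untouched: when `last` is empty and the preceding `target=${dp_DEPENDS_TARGET}` already yields `fetch`, the dependency's distfiles are still fetched without checksum being run. If that path is meant to get the same protection, apply the same fetch-to-checksum rewrite there too (e.g. right after `target=${dp_DEPENDS_TARGET}`), so that `target` is `checksum` whichever way `fetch` was requested. Minor: the comment reads "this prevent a MITM attack"; it should be "this prevents a MITM attack".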
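To make concrete what "fetch" alone skips and "checksum" adds, here is an added example (not code from the ports tree or from this commit) that re-implements the core of the distinfo check in POSIX sh: compare a distribution file's SHA256 and byte size against the `SHA256 (name) = hash` and `SIZE (name) = n` lines of a distinfo file, and reject the file when either differs or when no entry exists. The function names (`verify_distfile`, `sha256_of`, `setup_demo`, `demo_run`) and the demo distfile/distinfo pair are constructed for the example; the distinfo line layout is assumed to be the one used by the ports tree.

```shell
#!/bin/sh
# Added example, not part of the ports framework: the check that
# "make checksum" performs and a bare "make fetch" does not.
# verify_distfile/sha256_of/setup_demo/demo_run are hypothetical names.

# Print the SHA256 hex digest of a file with whichever tool is installed
# (coreutils sha256sum, FreeBSD sha256, or Perl's shasum).
sha256_of() {
	if command -v sha256sum >/dev/null 2>&1; then
		sha256sum "$1" | awk '{print $1}'
	elif command -v sha256 >/dev/null 2>&1; then
		sha256 -q "$1"
	else
		shasum -a 256 "$1" | awk '{print $1}'
	fi
}

# verify_distfile DISTINFO DISTDIR NAME
# Returns 0 only when NAME exists in DISTDIR and both its size and SHA256
# match the distinfo entries.  A missing entry is a failure too: a file
# that nobody recorded a hash for must never be accepted silently.
verify_distfile() {
	distinfo=$1
	distdir=$2
	name=$3
	path="${distdir}/${name}"
	[ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
	# Exact-field match on "(name)" so that a similarly named file cannot
	# borrow another entry's hash.
	want_sum=$(awk -v f="$name" '$1=="SHA256" && $2=="("f")" {print $4}' "$distinfo")
	want_size=$(awk -v f="$name" '$1=="SIZE" && $2=="("f")" {print $4}' "$distinfo")
	if [ -z "$want_sum" ] || [ -z "$want_size" ]; then
		echo "no distinfo entry for $name" >&2
		return 1
	fi
	have_size=$(($(wc -c < "$path")))   # arithmetic strips wc's padding
	if [ "$have_size" -ne "$want_size" ]; then
		echo "size mismatch for $name: $have_size != $want_size" >&2
		return 1
	fi
	have_sum=$(sha256_of "$path")
	if [ "$have_sum" != "$want_sum" ]; then
		echo "checksum mismatch for $name" >&2
		return 1
	fi
	echo "$name: checksum OK"
	return 0
}

# Constructed demo data: a 6-byte "distfile" holding "hello\n" and a
# distinfo written for it (the SHA256 below is the well-known digest of
# those six bytes).  Prints the temporary directory it created.
setup_demo() {
	demo=$(mktemp -d)
	printf 'hello\n' > "$demo/foo-1.0.tar.gz"
	cat > "$demo/distinfo" <<EOF
TIMESTAMP = 1565692318
SHA256 (foo-1.0.tar.gz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SIZE (foo-1.0.tar.gz) = 6
EOF
	echo "$demo"
}

# Returns 0 when the genuine file verifies and a same-size substitute
# (the case a size check alone would miss) is rejected.
demo_run() {
	d=$(setup_demo)
	verify_distfile "$d/distinfo" "$d" foo-1.0.tar.gz || return 1
	printf 'jello\n' > "$d/foo-1.0.tar.gz"   # same length, different bytes
	if verify_distfile "$d/distinfo" "$d" foo-1.0.tar.gz 2>/dev/null; then
		return 1
	fi
	rm -rf "$d"
	return 0
}

demo_run && echo "demo: genuine file accepted, substituted file rejected"
```

Run it as `sh verify_distfile.sh`. The point the commit message makes falls out of the code: fetching writes the file into `DISTDIR`, but nothing in the fetch step consults `distinfo`; only the comparison above turns a downloaded file into a trusted one, which is why a dependency requested with a bare `fetch` target had to be upgraded to `checksum`.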