From: Stefan Bethke
Subject: Re: PEAR packages potentially contain malicious code
Date: Tue, 22 Jan 2019 17:15:03 +0100
To: freebsd-security@freebsd.org, ports-secteam@freebsd.org

On 22.01.2019 at 17:03, Stefan Bethke wrote:
>
> On 22.01.2019 at 07:09, Jochen Neumeister wrote:
>> On 21.01.19 21:23, Remko Lodder wrote:
>>> Hi Stefan,
>>>
>>>> On 21 Jan 2019, at 21:18, Stefan Bethke wrote:
>>>>
>>>> I've just learned that the repository for the PHP PEAR set of extensions had their distribution server compromised.
>>>>
>>>> https://twitter.com/pear/status/1086634503731404800
>>>>
>>>> I don't really work with PHP much apart from installing packages of popular PHP web apps on my servers, so I can't tell whether this code made it onto machines building from PEAR sources, or even into FreeBSD binary packages of PEAR extensions. Given the large user base for these packages, some advice to FreeBSD users might be well received.
>>> Thank you for sending the heads-up to the FreeBSD users.
>>> I have CC'ed ports-secteam, they will handle it with due care when more information is available and they can act upon something.
>>> I have BCC'ed the maintainer for the PHP port(s), but I am not entirely sure whether he maintains all the pear ports as well.
>>>
>> I just took net/pear-Net_SMTP as an example and compared it with "make makesum" SHA256 and SIZE.
>> The values are the same. So the packages are not compromised.
>> But today I will start testing all PEAR ports for different values. This can unfortunately take time.
>> If a port has different values, it would be good to mark it as BROKEN and, if the project is on GitHub, to switch.
>
> I think the issue is not whether the FreeBSD packages have been manipulated after they have been built, but whether they have been built based on compromised sources downloaded from pear.php.net. I haven't looked into the details of the port build processes with composer, but it appears to me that packages built in the last 6 months would (potentially) have downloaded sources from the compromised system.
On top of ports and packages depending on PEAR modules, some ports download archives containing vendored versions, for example mail/roundcube. For roundcube, I opened https://github.com/roundcube/roundcubemail/issues/6598 to clarify.

Stefan

-- 
Stefan Bethke
Fon +49 151 14070811
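As an added example (not from the thread and not FreeBSD ports code), here is a Python check in the spirit of the "make makesum" SHA256/SIZE comparison mentioned above: it parses a distinfo file, compares a fetched distfile against the recorded values, and also reports whether the distinfo TIMESTAMP (when makesum last ran) falls inside a suspect window, since a matching checksum only shows the file equals what was recorded, not that the recorded source was clean. The distfile name, bytes and timestamp are constructed for the example.

```python
import hashlib
import re
from datetime import datetime, timezone

# Line shapes found in a FreeBSD ports distinfo file (written by "make makesum").
_TS = re.compile(r"^TIMESTAMP\s*=\s*(\d+)$")
_ENTRY = re.compile(r"^(SHA256|SIZE)\s+\((.+)\)\s*=\s*(\S+)$")


def parse_distinfo(text):
    """Return (timestamp, {distfile: {"SHA256": hex, "SIZE": int}})."""
    timestamp, files = None, {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = _TS.match(line)
        if m:
            timestamp = int(m.group(1))
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError("unrecognised distinfo line: %r" % line)
        kind, fname, value = m.groups()
        files.setdefault(fname, {})[kind] = int(value) if kind == "SIZE" else value.lower()
    return timestamp, files


def verify_distfile(distinfo_text, fname, data):
    """Compare a fetched distfile's SHA256 and SIZE with the recorded values.
    Returns a list of mismatch strings; an empty list means the file matches."""
    _, files = parse_distinfo(distinfo_text)
    if fname not in files:
        return ["%s: not listed in distinfo" % fname]
    rec, problems = files[fname], []
    digest = hashlib.sha256(data).hexdigest()
    if rec.get("SHA256") != digest:
        problems.append("%s: SHA256 %s != recorded %s" % (fname, digest, rec.get("SHA256")))
    if rec.get("SIZE") != len(data):
        problems.append("%s: SIZE %d != recorded %s" % (fname, len(data), rec.get("SIZE")))
    return problems


def recorded_after(distinfo_text, cutoff_iso):
    """True if the checksums were recorded (TIMESTAMP) after cutoff_iso, i.e.
    makesum itself ran inside the suspect window, so a match proves little."""
    ts, _ = parse_distinfo(distinfo_text)
    cutoff = datetime.fromisoformat(cutoff_iso).replace(tzinfo=timezone.utc)
    return ts is not None and datetime.fromtimestamp(ts, timezone.utc) > cutoff


# Constructed sample: a fake distfile and the distinfo makesum would write for it (TIMESTAMP = 2019-01-01 UTC).
GOOD = b"fake Net_SMTP tarball bytes (constructed for this example)\n"
DISTINFO = "TIMESTAMP = 1546300800\nSHA256 (Net_SMTP-x.y.z.tgz) = %s\nSIZE (Net_SMTP-x.y.z.tgz) = %d\n" % (hashlib.sha256(GOOD).hexdigest(), len(GOOD))
```

Running the real check means fetching the distfile again from the upstream mirror and comparing it with the port's distinfo; a mismatch flags the port, while a match with a recent TIMESTAMP still needs the upstream's own advisory to settle whether the recorded source was clean.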