From: Franco Fichtner <franco@lastsummer.de>
To: Stefan Bethke
Cc: freebsd-security@freebsd.org, ports-secteam@freebsd.org
Subject: Re: PEAR packages potentially contain malicious code
Date: Tue, 22 Jan 2019 17:29:59 +0100
In-Reply-To: <7E861664-7F7A-4461-969E-CA0570131706@lastsummer.de>
List-Id: freebsd-security (Security issues [members-only posting])
Apologies, I mixed up this one and the other thread.

Cheers,
Franco

> On 22. Jan 2019, at 5:27 PM, Franco Fichtner wrote:
>
>
>> On 22. Jan 2019, at 5:15 PM, Stefan Bethke wrote:
>>
>> On top of ports and packages depending on PEAR modules, some ports
>> download archives containing vendored versions, for example,
>> mail/roundcube. For roundcube, I opened
>> https://github.com/roundcube/roundcubemail/issues/6598 to clarify.
>
> I fail to understand how mismatching package checksums for
> cached package files are an indication of compromised distfiles
> which have pinned size and checksums in the FreeBSD ports
> tree since forever.
>
> If you say you build your own packages (and install them),
> a mismatch in pkg-cache files is normal because pkg will
> complain about a drift between the mirror-provided packages
> and your local ones when it detects them, which happens when
> you have a package file created from different sources,
> the ports tree and the binary mirror.
>
> This will likely get rid of the mismatch by merely purging
> your local package cache...
>
> # pkg clean -ya
>
>
> Cheers,
> Franco
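The distinction the reply draws is between two different checks: the pkg cache holds binary packages, which legitimately differ when you build locally, while each port's distinfo pins the SIZE and SHA256 of the upstream distfile, which is what `make checksum` verifies. The script below is an added example, not the ports framework's own implementation, that re-does that distfile verification by hand: it parses a distinfo file, compares the cached distfile's size and SHA256 against the pinned values, and reports which check failed. The distinfo contents, the port name example-1.0.tar.gz and the tarball bodies are constructed test fixtures (the pinned hash is the SHA-256 of the three bytes "abc"); the `sha256sum`/`sha256` fallback is an assumption so the script runs on both Linux and FreeBSD.

```shell
#!/bin/sh
# Verify a distfile against the SIZE and SHA256 pinned in a port's distinfo.
# Added example; this is not FreeBSD's own `make checksum` code.

# Portable SHA-256: GNU coreutils has sha256sum, FreeBSD base has sha256 -q.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# verify_distfile DISTINFO DISTDIR NAME
# Prints one of: ok, not-pinned, missing, size-mismatch, checksum-mismatch.
# Returns 0 only for "ok", so callers can use it as a gate before extracting.
verify_distfile() {
    distinfo=$1; distdir=$2; name=$3
    # distinfo lines look like:  SHA256 (name) = hex   and   SIZE (name) = bytes
    want_sum=$(awk -v n="$name" '$1=="SHA256" && $2=="("n")" {print $4}' "$distinfo")
    want_size=$(awk -v n="$name" '$1=="SIZE" && $2=="("n")" {print $4}' "$distinfo")
    if [ -z "$want_sum" ] || [ -z "$want_size" ]; then
        echo "not-pinned"; return 1     # nothing to verify against: refuse
    fi
    if [ ! -f "$distdir/$name" ]; then
        echo "missing"; return 1
    fi
    # Size is the cheap check; a truncated or padded download fails here.
    have_size=$(wc -c < "$distdir/$name" | tr -d ' ')
    if [ "$have_size" != "$want_size" ]; then
        echo "size-mismatch"; return 1
    fi
    # Same size but altered content is only caught by the hash.
    have_sum=$(sha256_of "$distdir/$name")
    if [ "$have_sum" != "$want_sum" ]; then
        echo "checksum-mismatch"; return 1
    fi
    echo "ok"
}

# make_fixture: constructed test data, not a real port. Pins the SHA-256 of
# the bytes "abc" and lays out three candidate distdirs for the same name.
make_fixture() {
    dir=$(mktemp -d)
    cat > "$dir/distinfo" <<EOF
TIMESTAMP = 1548174599
SHA256 (example-1.0.tar.gz) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SIZE (example-1.0.tar.gz) = 3
EOF
    mkdir "$dir/good" "$dir/tampered" "$dir/truncated"
    printf 'abc' > "$dir/good/example-1.0.tar.gz"       # matches pin
    printf 'abd' > "$dir/tampered/example-1.0.tar.gz"   # same size, new content
    printf 'ab'  > "$dir/truncated/example-1.0.tar.gz"  # short download
    echo "$dir"
}

# Stand-alone demo: check each candidate against the pinned values.
fixture=$(make_fixture)
for d in good tampered truncated; do
    printf '%s: %s\n' "$d" "$(verify_distfile "$fixture/distinfo" "$fixture/$d" example-1.0.tar.gz)"
done
printf 'unpinned name: %s\n' "$(verify_distfile "$fixture/distinfo" "$fixture/good" other-2.0.tar.gz)"
rm -rf "$fixture"
```

Point it at a real ports tree with `verify_distfile /usr/ports/mail/roundcube/distinfo /usr/ports/distfiles <distfile>` to reproduce what `make checksum` does for one file; a failure there is a distfile problem, whereas the pkg-cache drift the reply describes lives in `/var/cache/pkg` and is cleared with `pkg clean -ya`.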