Date:      Tue, 13 Aug 2019 10:31:58 +0000 (UTC)
From:      Mathieu Arnold <mat@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r508820 - branches/2019Q3/Mk/Scripts
Message-ID:  <201908131031.x7DAVwb0023772@repo.freebsd.org>

Author: mat
Date: Tue Aug 13 10:31:58 2019
New Revision: 508820
URL: https://svnweb.freebsd.org/changeset/ports/508820

Log:
  MFH: r508819
  
  Force ports depending on a fetch target to actually run checksum.
  
  This prevents an improbable MITM attack on dependencies where the target
  is "fetch" and the port is built manually.  (Which means a port depends
  on a dependency being fetched, but not built or anything else.)  In this
  case, as the target is only "fetch", the distribution files of the
  dependency are not checked against the dependency's distinfo file.  One
  could, in theory, impersonate the dependency's master site and provide a
  malicious distribution file.
  
  The ports that could in theory be affected are russian/gd, ukrainian/gd,
  and ukrainian/webalizer.  They are only affected when building manually,
  as when building with poudriere, the *-depends targets do not have
  network access, and the build would fail if the distribution files are
  not already present.  (From the dependencies being built normally, where
  checksum would have run.)
  
  The detail is described here:
  https://www.reddit.com/r/BSD/comments/br62hm/freebsd_cryptographic_bypass_and_mitmbased/
  
  Reported by:	emaste (on IRC)
  Reviewed by:	swills emaste antoine
  Differential Revision:	https://reviews.freebsd.org/D21230

Modified:
  branches/2019Q3/Mk/Scripts/do-depends.sh
Directory Properties:
  branches/2019Q3/   (props changed)

Modified: branches/2019Q3/Mk/Scripts/do-depends.sh
==============================================================================
--- branches/2019Q3/Mk/Scripts/do-depends.sh	Tue Aug 13 10:31:18 2019	(r508819)
+++ branches/2019Q3/Mk/Scripts/do-depends.sh	Tue Aug 13 10:31:58 2019	(r508820)
@@ -138,7 +138,13 @@ for _line in ${dp_RAWDEPENDS} ; do
 	depends_args="${dp_DEPENDS_ARGS}"
 	target=${dp_DEPENDS_TARGET}
 	if [ -n "${last}" ]; then
-		target=${last}
+		# In case we depend on the fetch stage, actually run checksum,
+		# this prevent a MITM attack.
+		if [ "${last}" = "fetch" ]; then
+			target=checksum
+		else
+			target=${last}
+		fi
 		if [ -n "${dp_DEPENDS_PRECLEAN}" ]; then
 			target="clean ${target}"
 			depends_args="${depends_args:+${depends_args} }NOCLEANDEPENDS=yes"
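
Review bot: The test on the added line 'if [ "${last}" = "fetch" ]' matches only the exact string "fetch", and the comment above it does not say why that target alone is unsafe. Suggest expanding the comment to state that a bare fetch never compares the dependency's distribution files against its distinfo, and fixing its grammar ("this prevents a MITM attack"). A case statement on "${last}" with a "fetch)" arm setting target=checksum and a "*)" arm setting target=${last} would do the same job and be easier to extend if another target that stops before checksum ever needs the same substitution.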


