mirror of
https://git.freebsd.org/ports.git
synced 2025-06-09 06:40:33 -04:00
13a7d55681
This prevents an improbable MITM attack on dependencies where the target is "fetch" and the port is built manuallt. (Which means a port depends on a dependency being fetched, but not built or anything else.) In this case, as the target is only "fetch", the distribution files of the dependency are not checked against the dependency's distinfo file. One could, in theory, impersonate the dependency's master site and provide a malicious distribution file. The ports that could in theory be affected are russian/gd, ukrainian/gd, and ukrainian/webalizer. They are only affected when building manually, as when building with poudriere, the *-depends target do not have network access, and the build would fail if the distribution files are not already present. (From the dependencies being built normally, where checksum would have ran.) The detail is described here: https://www.reddit.com/r/BSD/comments/br62hm/freebsd_cryptographic_bypass_and_mitmbased/ Reported by: emaste (on IRC) Reviewed by: swills emaste antoine MFH: 2019Q3 Differential Revision: https://reviews.freebsd.org/D21230 |
||
|---|---|---|
| .. | ||
| actual-package-depends.sh | ||
| cargo-crates.awk | ||
| check-desktop-entries.sh | ||
| check-stagedir.sh | ||
| check-vulnerable.sh | ||
| check_leftovers.sh | ||
| checksum.sh | ||
| create-manifest.sh | ||
| depends-list.sh | ||
| desktop-categories.sh | ||
| dialog4ports.sh | ||
| do-depends.sh | ||
| do-fetch.sh | ||
| do-patch.sh | ||
| do-users-groups.sh | ||
| find-lib.sh | ||
| functions.sh | ||
| generate-symbols.sh | ||
| install-desktop-entries.sh | ||
| makesum.sh | ||
| plist_sub_sed_sort.sh | ||
| ports_env.sh | ||
| qa.sh | ||
| security-check.awk | ||
| smart_makepatch.sh | ||