PEAR packages potentially contain malicious code
Franco Fichtner
franco at lastsummer.de
Tue Jan 22 16:27:56 UTC 2019
> On 22. Jan 2019, at 5:15 PM, Stefan Bethke <stb at lassitu.de> wrote:
>
> On top of ports and packages depending on PEAR modules, some ports download archives containing vendored versions, for example, mail/roundcube. For roundcube, I opened https://github.com/roundcube/roundcubemail/issues/6598 to clarify.
I fail to understand how mismatching package checksums for
cached package files are an indication of compromised distfiles,
which have had pinned sizes and checksums in the FreeBSD ports
tree since forever.
If you say you build your own packages (and install them),
a mismatch in pkg-cache files is normal, because pkg will
complain about a drift between the mirror-provided packages
and your local ones when it detects one, which happens when
you have a package file created from different sources:
the ports tree and the binary mirror.
This will likely get rid of the mismatch by merely purging
your local package cache...
# pkg clean -ya
Cheers,
Franco
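The size and checksum pinning Franco refers to lives in each port's distinfo file (SHA256 and SIZE lines per distfile); in a port directory `make checksum` compares a fetched distfile against them. The script below is an added example, not part of this mail, the ports framework or roundcube, that reimplements that comparison in plain sh so it can be run stand-alone. The distinfo contents, the distfile named example-1.0.tar.gz and the tampered copy are all constructed inline; only the sha256 of the literal bytes "abc" is a real value.

```shell
#!/bin/sh
# Added example: verify a distfile against the SHA256/SIZE lines pinned in a
# FreeBSD port's distinfo, the way `make checksum` does. All inputs are
# constructed below; "example-1.0" is a made-up port name.
set -eu

# Portable SHA-256: FreeBSD ships sha256(1), Linux ships sha256sum(1).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# File size in bytes, with BSD wc's leading spaces stripped.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# verify_distfile DISTINFO FILE
# Returns 0 when both SHA256 and SIZE match distinfo, 1 on a mismatch,
# 2 when distinfo does not pin the file at all (an unpinned distfile is
# just as much a red flag as a bad checksum).
verify_distfile() {
    distinfo=$1
    file=$2
    name=$(basename "$file")
    want_sum=$(sed -n "s/^SHA256 ($name) = //p" "$distinfo")
    want_size=$(sed -n "s/^SIZE ($name) = //p" "$distinfo")
    if [ -z "$want_sum" ] || [ -z "$want_size" ]; then
        echo "MISSING: $name is not pinned in $distinfo"
        return 2
    fi
    have_sum=$(sha256_of "$file")
    have_size=$(size_of "$file")
    if [ "$have_sum" = "$want_sum" ] && [ "$have_size" = "$want_size" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name sha256 $have_sum (want $want_sum) size $have_size (want $want_size)"
    return 1
}

# --- constructed demo data ---------------------------------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# The "distfile" is the three bytes "abc"; its SHA-256 is a well-known value.
good_file=$demo_dir/example-1.0.tar.gz
printf 'abc' > "$good_file"

# A tampered download with the same name but one extra byte.
mkdir -p "$demo_dir/tampered"
bad_file=$demo_dir/tampered/example-1.0.tar.gz
printf 'abcd' > "$bad_file"

# A distinfo in the ports tree's format, pinning the legitimate file.
cat > "$demo_dir/distinfo" <<'EOF'
TIMESTAMP = 1548170876
SHA256 (example-1.0.tar.gz) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SIZE (example-1.0.tar.gz) = 3
EOF

verify_distfile "$demo_dir/distinfo" "$good_file"            # OK
verify_distfile "$demo_dir/distinfo" "$bad_file" || true      # MISMATCH
verify_distfile "$demo_dir/distinfo" "$demo_dir/other-2.0.tar.gz" || true  # MISSING
```

This is the check that makes a mismatch in the pkg cache a different matter from a mismatch in distfiles: a distfile that fails it never gets extracted, whereas a cached .pkg built locally is simply a different artifact from the mirror's and pkg has no pinned hash for it in the ports tree. For already installed packages, `pkg check -s` recomputes checksums of installed files against the package manifest and is the closer analogue of what people usually mean by "is my system compromised".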
More information about the freebsd-security mailing list