PEAR packages potentially contain malicious code
Franco Fichtner
franco at lastsummer.de
Tue Jan 22 16:30:02 UTC 2019
Apologies, I mixed up this one and the other thread.
Cheers,
Franco
> On 22. Jan 2019, at 5:27 PM, Franco Fichtner <franco at lastsummer.de> wrote:
>
>
>> On 22. Jan 2019, at 5:15 PM, Stefan Bethke <stb at lassitu.de> wrote:
>>
>> On top of ports and packages depending on PEAR modules, some ports download archives containing vendored versions, for example, mail/roundcube. For roundcube, I opened https://github.com/roundcube/roundcubemail/issues/6598 to clarify.
>
> I fail to understand how mismatching package checksums for
> cached package files are an indication of compromised distfiles
> which have pinned size and checksums in the FreeBSD ports
> tree since forever.
>
> If you say you build your own packages (and install them),
> a mismatch in pkg-cache files is normal because pkg will
> complain about a drift between the mirror-provided packages
> and your local ones when it detects them, which happens when
> you have a package file created from different sources,
> the ports tree and the binary mirror.
>
> This will likely get rid of the mismatch by merely purging
> your local package cache...
>
> # pkg clean -ya
>
>
> Cheers,
> Franco
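The quoted reply rests on one fact: every distfile fetched by the ports tree is pinned by a SHA256 and a SIZE line in the port's distinfo, so a compromised upstream archive fails `make checksum` regardless of what the pkg cache says. The script below is an added example written for this page (it is not code from the thread, from Franco, or from the ports framework): it re-implements that check as a small POSIX sh function over a constructed distinfo fragment and three constructed archives (a pristine one, one with the same size but different contents, and one truncated). The file name `sample-1.0.tar.gz`, its contents and the distinfo entries are all made up for the example; only the distinfo line format is real.

```shell
#!/bin/sh
# Added example, not from the thread: verify a cached distfile against the
# SIZE and SHA256 pinned in a ports distinfo file, as "make checksum" does.
# Everything under make_fixtures is constructed test data.

# Print the SHA-256 of file $1 with whichever tool is available.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1;  then shasum -a 256 "$1" | awk '{print $1}'
  elif command -v sha256 >/dev/null 2>&1;  then sha256 -q "$1"      # FreeBSD base
  else echo "no sha256 tool found" >&2; return 1; fi
}

# verify_distfile DISTINFO FILE
# Returns 0 only if both the SIZE and the SHA256 pinned for basename(FILE)
# match the file on disk; size alone is not enough (see the "bad" case).
# Assumption: distinfo keys are bare file names, not DIST_SUBDIR paths.
verify_distfile() {
  distinfo=$1; file=$2; name=$(basename "$file")
  want_size=$(awk -v n="($name)" '$1=="SIZE"   && $2==n {print $4}' "$distinfo")
  want_hash=$(awk -v n="($name)" '$1=="SHA256" && $2==n {print $4}' "$distinfo")
  if [ -z "$want_size" ] || [ -z "$want_hash" ]; then
    echo "$name: not pinned in $distinfo" >&2; return 1
  fi
  have_size=$(wc -c < "$file" | tr -d ' ')
  have_hash=$(sha256_hex "$file") || return 1
  if [ "$have_size" != "$want_size" ]; then
    echo "$name: size $have_size, distinfo says $want_size" >&2; return 1
  fi
  if [ "$have_hash" != "$want_hash" ]; then
    echo "$name: SHA256 mismatch, distfile is not the pinned archive" >&2; return 1
  fi
  echo "$name: OK"
}

# Constructed fixtures: the "archive" is just the bytes "abc", whose SHA-256
# is the well-known ba7816bf...15ad.  Prints the fixture directory.
make_fixtures() {
  d=$(mktemp -d)
  mkdir -p "$d/bad" "$d/short"
  printf 'abc' > "$d/sample-1.0.tar.gz"        # pristine
  printf 'abd' > "$d/bad/sample-1.0.tar.gz"    # same size, altered content
  printf 'ab'  > "$d/short/sample-1.0.tar.gz"  # truncated
  cat > "$d/distinfo" <<'EOF'
TIMESTAMP = 1548174602
SHA256 (sample-1.0.tar.gz) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SIZE (sample-1.0.tar.gz) = 3
EOF
  echo "$d"
}

# Stand-alone demonstration.
D=$(make_fixtures)
verify_distfile "$D/distinfo" "$D/sample-1.0.tar.gz"
verify_distfile "$D/distinfo" "$D/bad/sample-1.0.tar.gz"   || true
verify_distfile "$D/distinfo" "$D/short/sample-1.0.tar.gz" || true
rm -rf "$D"
```

In a real ports tree the equivalent is `make checksum` in the port directory, which compares the file in DISTDIR against distinfo with the same two keys. A mismatch reported by `pkg` on files in its own package cache is a different thing: it compares locally built package files against the mirror's metadata, so a self-built package drifts from the mirror copy by construction, which is the situation the quoted reply describes.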