On 22.01.2019 at 07:09, Jochen Neumeister <[email protected]> wrote:
> On 21.01.19 21:23, Remko Lodder wrote:
>> Hi Stefan,
>>
>>> On 21 Jan 2019, at 21:18, Stefan Bethke <[email protected]> wrote:
>>>
>>> I’ve just learned that the repository for the PHP PEAR set of extensions
>>> had their distribution server compromised.
>>>
>>> https://twitter.com/pear/status/1086634503731404800
>>>
>>> I don’t really work with PHP much apart from installing packages of popular
>>> PHP web apps on my servers, so I can’t tell whether this code made it onto
>>> machines building from PEAR sources, or even into FreeBSD binary packages
>>> of PEAR extensions. Given the large user base for these packages, some
>>> advice to FreeBSD users might be well received.
>>
>> Thank you for sending the heads-up to the FreeBSD users.
>> I have CC’ed ports-secteam, they will handle with due care when more
>> information is available and they can act upon something.
>> I have BCC’ed the maintainer for the PHP port(s), but I am not entirely sure
>> whether he maintains all the pear ports as well.
>>
> I just took net/pear-Net_SMTP as an example and compared it with "make
> makesum" SHA256 and SIZE.
> The values are the same. So the packages are not compromised.
> But today I will start testing all PEAR ports for different values. This can
> unfortunately take time.
> If a port has different values, it would be good to mark it as BROKEN and if
> the project is on GitHub, to switch.
I think the issue is not whether the FreeBSD packages have been manipulated after they have been built, but whether they have been built based on compromised sources downloaded from pear.php.net.

I haven’t looked into the details of the port build processes with composer, but it appears to me that packages built in the last 6 months would (potentially) have downloaded sources from the compromised system.

Stefan

--
Stefan Bethke <[email protected]>
Fon +49 151 14070811

_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
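As an added example, not code from this thread or from the FreeBSD ports framework, the check Jochen describes, comparing a fetched distfile's SHA256 and SIZE against the port's distinfo, written as a POSIX sh script. The distfile name, its contents, the distinfo lines and the timestamp are constructed so the script runs offline, and the helper names (file_sha256, distinfo_value, check_distfile, setup_fixture) are mine. The comment in check_distfile carries Stefan's caveat: a match proves only that the file is byte-identical to whatever was fetched when distinfo was generated, so an archive already tampered with at makesum time would match as well.

```shell
#!/bin/sh
# Added example (not from the thread or the ports tree): verify a distfile
# against the SHA256 and SIZE lines in a port's distinfo, the check the
# ports framework performs after fetching.  All sample data is constructed.

# Portable SHA-256 of a file: GNU coreutils, then FreeBSD sha256(1), then shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# distinfo_value DISTINFO KEY DISTFILE: print the recorded value of a line
# such as "SHA256 (Net_SMTP-sample.tgz) = <hex>" (empty if absent).
distinfo_value() {
    sed -n "s/^$2 ($3) = //p" "$1"
}

# check_distfile DISTINFO PATH: status 0 when SHA256 and SIZE both match,
# 1 on a mismatch, 2 when distinfo has no entry for the file.
# Caveat: a match only proves the file is byte-identical to what was fetched
# when "make makesum" wrote distinfo.  If upstream served a tampered archive
# at that moment, the tampered archive's hash is what distinfo records.
check_distfile() {
    name=$(basename "$2")
    want_sum=$(distinfo_value "$1" SHA256 "$name")
    want_size=$(distinfo_value "$1" SIZE "$name")
    if [ -z "$want_sum" ] || [ -z "$want_size" ]; then
        echo "$name: no SHA256/SIZE entry in $1"
        return 2
    fi
    have_sum=$(file_sha256 "$2")
    have_size=$(wc -c < "$2" | tr -d ' ')
    if [ "$have_sum" = "$want_sum" ] && [ "$have_size" = "$want_size" ]; then
        echo "$name: OK, matches distinfo"
        return 0
    fi
    echo "$name: MISMATCH (have sha256 $have_sum size $have_size; distinfo says $want_sum $want_size)"
    return 1
}

# setup_fixture: build a constructed scenario in a temp dir and print its path:
#   good/<name>  the archive distinfo was generated from
#   bad/<name>   the same archive with one byte appended (simulated tampering)
#   distinfo     SHA256/SIZE lines generated from good/<name>
setup_fixture() {
    dir=$(mktemp -d)
    name=Net_SMTP-sample.tgz          # constructed name, not a real release
    mkdir -p "$dir/good" "$dir/bad"
    printf 'constructed sample distfile contents\n' > "$dir/good/$name"
    cp "$dir/good/$name" "$dir/bad/$name"
    printf 'x' >> "$dir/bad/$name"
    # TIMESTAMP value is constructed too; only SHA256 and SIZE are checked.
    printf 'TIMESTAMP = 1548000000\nSHA256 (%s) = %s\nSIZE (%s) = %s\n' \
        "$name" "$(file_sha256 "$dir/good/$name")" \
        "$name" "$(wc -c < "$dir/good/$name" | tr -d ' ')" > "$dir/distinfo"
    echo "$dir"
}

# Stand-alone run: the untouched file matches, the modified copy does not.
FIXTURE=$(setup_fixture)
check_distfile "$FIXTURE/distinfo" "$FIXTURE/good/Net_SMTP-sample.tgz" || true
check_distfile "$FIXTURE/distinfo" "$FIXTURE/bad/Net_SMTP-sample.tgz" || true
rm -rf "$FIXTURE"
```

Running a check like this over every pear-* port in the tree answers Jochen's question (does what the mirror serves today still equal what distinfo records?) but not Stefan's: deciding whether the distinfo itself was generated from a tampered archive needs a reference hash obtained independently of the compromised server, which this thread does not have.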
