On 22.01.2019 at 17:03, Stefan Bethke <[email protected]> wrote:
>
> On 22.01.2019 at 07:09, Jochen Neumeister <[email protected]> wrote:
>> On 21.01.19 21:23, Remko Lodder wrote:
>>> Hi Stefan,
>>>
>>>> On 21 Jan 2019, at 21:18, Stefan Bethke <[email protected]> wrote:
>>>>
>>>> I’ve just learned that the repository for the PHP PEAR set of extensions
>>>> had their distribution server compromised.
>>>>
>>>> https://twitter.com/pear/status/1086634503731404800
>>>>
>>>> I don’t really work with PHP much apart from installing packages of
>>>> popular PHP web apps on my servers, so I can’t tell whether this code made
>>>> it onto machines building from PEAR sources, or even into FreeBSD binary
>>>> packages of PEAR extensions. Given the large user base for these packages,
>>>> some advice to FreeBSD users might be well received.
>>> Thank you for sending the heads-up to the FreeBSD users.
>>> I have CC’ed ports-secteam, they will handle with due care when more
>>> information is available and they can act upon something.
>>> I have BCC’ed the maintainer for the PHP port(s), but I am not entirely
>>> sure whether he maintains all the pear ports as well.
>>>
>> I just took net/pear-Net_SMTP as an example and compared it with "make
>> makesum" SHA256 and SIZE.
>> The values are the same. So the packages are not compromised.
>> But today I will start testing all PEAR ports for different values. This can
>> unfortunately take time.
>> If a port has different values, it would be good to mark it as BROKEN and if
>> the project is on GitHub, to switch.
>
> I think the issue is not whether the FreeBSD packages have been manipulated
> after they have been built, but whether they have been built based on
> compromised sources downloaded from pear.php.net. I haven’t looked into the
> details of the port build processes with composer, but it appears to me that
> packages built in the last 6 months would (potentially) have downloaded
> sources from the compromised system.
On top of ports and packages depending on PEAR modules, some ports download
archives containing vendored versions, for example, mail/roundcube. For
roundcube, I opened https://github.com/roundcube/roundcubemail/issues/6598 to
clarify.

Stefan

--
Stefan Bethke <[email protected]>
Fon +49 151 14070811

_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
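The comparison Jochen describes (a port's recorded SHA256 and SIZE against the distfile actually on disk) is what `make checksum` does for one port. As an added example, not code from this thread or from the FreeBSD ports tree, the POSIX shell script below parses a distinfo file and performs that check for a single distfile, then runs itself against a constructed distfile and distinfo so it works offline. The file name `Net_SMTP-1.9.1.tgz`, the TIMESTAMP value and the file contents are made up for the demonstration; `sha256(1)` is used on FreeBSD and `sha256sum(1)` elsewhere.

```shell
#!/bin/sh
# Added example: verify one distfile against a FreeBSD ports distinfo entry,
# checking both the SHA256 and the SIZE line, as "make checksum" would.
# All fixtures in run_demo are constructed so the script runs offline.

# FreeBSD ships sha256(1); Linux ships sha256sum(1). Support both.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

file_size() {
    wc -c < "$1" | tr -d ' '
}

# verify_distfile DISTINFO DISTFILE
# Exit status: 0 = SHA256 and SIZE both match, 1 = mismatch,
#              2 = distinfo has no entry for this file name.
verify_distfile() {
    distinfo=$1
    distfile=$2
    name=$(basename "$distfile")
    # distinfo lines have the form:
    #   SHA256 (Net_SMTP-1.9.1.tgz) = <64 hex digits>
    #   SIZE (Net_SMTP-1.9.1.tgz) = <bytes>
    # (a TIMESTAMP line is present too and is simply ignored here)
    want_sha=$(sed -n "s/^SHA256 ($name) = //p" "$distinfo")
    want_size=$(sed -n "s/^SIZE ($name) = //p" "$distinfo")
    if [ -z "$want_sha" ] || [ -z "$want_size" ]; then
        echo "NO ENTRY: $name"
        return 2
    fi
    have_sha=$(sha256_of "$distfile")
    have_size=$(file_size "$distfile")
    if [ "$have_sha" = "$want_sha" ] && [ "$have_size" = "$want_size" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name sha256=$have_sha size=$have_size (distinfo: $want_sha $want_size)"
    return 1
}

# run_demo writes a constructed distfile plus a distinfo that matches it,
# checks it, then alters the distfile and checks again.
# Last line printed: "good=<rc> tampered=<rc>".
run_demo() {
    dir=$(mktemp -d)
    df="$dir/Net_SMTP-1.9.1.tgz"   # constructed name, nothing is fetched
    printf 'constructed distfile contents\n' > "$df"
    {
        echo "TIMESTAMP = 1548172800"   # constructed value
        echo "SHA256 (Net_SMTP-1.9.1.tgz) = $(sha256_of "$df")"
        echo "SIZE (Net_SMTP-1.9.1.tgz) = $(file_size "$df")"
    } > "$dir/distinfo"

    if verify_distfile "$dir/distinfo" "$df"; then good=0; else good=$?; fi
    # Simulate a distfile that no longer matches what the port recorded.
    printf 'x' >> "$df"
    if verify_distfile "$dir/distinfo" "$df"; then bad=0; else bad=$?; fi
    rm -rf "$dir"
    echo "good=$good tampered=$bad"
}

run_demo
```

Note what this check does and does not prove: a match shows only that the file on disk is the one whose hash was recorded in distinfo when the port was last updated. If that hash was itself computed from a download taken while the upstream server was serving modified files, the comparison passes anyway, which is exactly the concern Stefan raises in the thread about ports updated during the affected period.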
