Security issue in MacPorts 2.10.4 and older

Sat, 28 Dec 2024 08:01:53 -0800

MacPorts versions 2.10.4 and older contain a vulnerability that can allow a compromised rsync mirror to add Portfiles to the synced ports tree, thus allowing arbitrary code to be executed when those Portfiles are parsed. (Note that we currently have no reason to believe that any of our mirrors have been compromised.)
The fix [1] for this issue is included in versions 2.10.5 and later. We recommend that all users running an affected version upgrade as soon as possible. 


Full details are available at [2]. Thanks to Simon Scannell of Google's 
Cloud Vulnerability Research team for discovering and analysing the issue.


Josh
(on behalf of the MacPorts Port Managers)


[1] 
<https://github.com/macports/macports-base/commit/906525fab1d57bb7b76729b83ef73b48b335656b>
[2] 
<https://github.com/google/security-research/security/advisories/GHSA-2j38-pjh8-wfxw>


Attachment:
OpenPGP_signature.asc

Description: OpenPGP digital signature














    











					Reply via email to