From nobody@FreeBSD.org  Thu Apr 10 16:20:13 2014
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id E92921A8
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 10 Apr 2014 16:20:13 +0000 (UTC)
Received: from cgiserv.freebsd.org (cgiserv.freebsd.org [IPv6:2001:1900:2254:206a::50:4])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id D67B915B4
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 10 Apr 2014 16:20:13 +0000 (UTC)
Received: from cgiserv.freebsd.org ([127.0.1.6])
	by cgiserv.freebsd.org (8.14.8/8.14.8) with ESMTP id s3AGKD3r088392
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 10 Apr 2014 16:20:13 GMT
	(envelope-from nobody@cgiserv.freebsd.org)
Received: (from nobody@localhost)
	by cgiserv.freebsd.org (8.14.8/8.14.8/Submit) id s3AGKDhC088385;
	Thu, 10 Apr 2014 16:20:13 GMT
	(envelope-from nobody)
Message-Id: <201404101620.s3AGKDhC088385@cgiserv.freebsd.org>
Date: Thu, 10 Apr 2014 16:20:13 GMT
From: David Noel <david.i.noel@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: MITM attacks against portsnap mirrors (pmirror.sh)
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         188432
>Category:       bin
>Synopsis:       portsnap(8): MITM attacks against portsnap mirrors (pmirror.sh)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    cperciva
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 10 16:30:01 UTC 2014
>Closed-Date:    
>Last-Modified:  Sun Apr 13 23:38:46 UTC 2014
>Originator:     David Noel
>Release:        9.2
>Organization:
>Environment:
>Description:
The portsnap mirroring script pmirror.sh lacks of any sort of mechanism to verify fetched data prior to processing and mirroring it. Without this, mirrors are open to compromise via decompression library exploitation. It also means an attacker could feed a mirror a corrupt archive, opening users of that mirror to compromise.
>How-To-Repeat:

>Fix:
Solution summary: The addition of hashes and hash verification code to pmirror.sh.

The lines of concern in pmirror.sh are 99-103, 121-125, 138-149, and 153-157.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->cperciva 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Apr 13 23:37:33 UTC 2014 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=188432 
>Unformatted:
