Hi all,

I just took net/pear-Net_SMTP as an example and compared it with "make makesum" SHA256 and SIZE. The values are the same. So the packages are not compromised.

But today I will start testing all PEAR ports for different values. This can unfortunately take time.

If a port has different values, it would be good to mark it as BROKEN and if the project is on GitHub, to switch.

Greetings
Jochen

On 21.01.19 21:23, Remko Lodder wrote:
> Hi Stefan,
>
>> On 21 Jan 2019, at 21:18, Stefan Bethke <stb at lassitu.de> wrote:
>>
>> I've just learned that the repository for the PHP PEAR set of extensions had their distribution server compromised.
>>
>> https://twitter.com/pear/status/1086634503731404800
>>
>> I don't really work with PHP much apart from installing packages of popular PHP web apps on my servers, so I can't tell whether this code made it onto machines building from PEAR sources, or even into FreeBSD binary packages of PEAR extensions. Given the large user base for these packages, some advice to FreeBSD users might be well received.
>
> Thank you for sending the heads-up to the FreeBSD users.
> I have CC'ed ports-secteam, they will handle with due care when more information is available and they can act upon something.
> I have BCC'ed the maintainer for the PHP port(s), but I am not entirely sure whether he maintains all the pear ports as well.
>
> Again, thank you.
>
> Best regards,
> Remko
> Hat: Security Team
>
>>
>> Thanks,
>> Stefan
>>
>> --
>> Stefan Bethke <stb at lassitu.de> Fon +49 151 14070811
>>
>> _______________________________________________
>> freebsd-security at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
On 22.01.2019 at 07:09, Jochen Neumeister <joneum at FreeBSD.org> wrote:
> On 21.01.19 21:23, Remko Lodder wrote:
>> Hi Stefan,
>>
>>> On 21 Jan 2019, at 21:18, Stefan Bethke <stb at lassitu.de> wrote:
>>>
>>> I've just learned that the repository for the PHP PEAR set of extensions had their distribution server compromised.
>>>
>>> https://twitter.com/pear/status/1086634503731404800
>>>
>>> I don't really work with PHP much apart from installing packages of popular PHP web apps on my servers, so I can't tell whether this code made it onto machines building from PEAR sources, or even into FreeBSD binary packages of PEAR extensions. Given the large user base for these packages, some advice to FreeBSD users might be well received.
>>
>> Thank you for sending the heads-up to the FreeBSD users.
>> I have CC'ed ports-secteam, they will handle with due care when more information is available and they can act upon something.
>> I have BCC'ed the maintainer for the PHP port(s), but I am not entirely sure whether he maintains all the pear ports as well.
>>
> I just took net/pear-Net_SMTP as an example and compared it with "make makesum" SHA256 and SIZE.
> The values are the same. So the packages are not compromised.
> But today I will start testing all PEAR ports for different values. This can unfortunately take time.
> If a port has different values, it would be good to mark it as BROKEN and if the project is on GitHub, to switch.

I think the issue is not whether the FreeBSD packages have been manipulated after they have been built, but whether they have been built based on compromised sources downloaded from pear.php.net. I haven't looked into the details of the port build processes with composer, but it appears to me that packages built in the last 6 months would (potentially) have downloaded sources from the compromised system.

Stefan

--
Stefan Bethke <stb at lassitu.de> Fon +49 151 14070811
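Jochen's check above regenerates a port's distinfo and compares the SHA256 and SIZE entries; the script below is an added example (not code from the thread or from the ports tree) that does that comparison in POSIX sh and reports each differing entry, with Stefan's caveat that agreement against a distinfo recorded from an already-compromised download proves nothing. The distinfo contents, distfile name, digests and sizes are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or the ports tree: compare a port's
# committed distinfo with a freshly regenerated one, the way Jochen's
# "make makesum" check does, and list every SHA256/SIZE entry that differs.
# In a real ports tree the fresh file would come from something like
#   make -C /usr/ports/net/pear-Net_SMTP makesum DISTINFO_FILE=/tmp/distinfo.new
# Caveat from Stefan's reply: this only detects drift from the *recorded*
# values. If the recorded distinfo was itself generated from a compromised
# download, both files agree and nothing is reported.

# usage: distinfo_diff COMMITTED FRESH  -> exit 0 if identical, 1 otherwise
distinfo_diff() {
    awk '
        BEGIN { n = 0 }
        /^(SHA256|SIZE) \(/ {
            key = $1 " " $2                            # e.g. "SHA256 (PEAR/x.tgz)"
            if (NR == FNR) { want[key] = $4; next }    # first file: committed
            got[key] = $4                              # second file: regenerated
        }
        END {
            for (k in want) {
                if (!(k in got)) { print "MISSING  " k; n++ }
                else if (want[k] != got[k]) { print "MISMATCH " k ": " want[k] " -> " got[k]; n++ }
            }
            for (k in got) if (!(k in want)) { print "EXTRA    " k; n++ }
            exit (n > 0)
        }' "$1" "$2"
}

# Constructed sample distinfo files (distfile name, digests and sizes are
# placeholders, not real PEAR values): the committed one, and a regenerated
# one in which the fetched tarball has changed.
WORK=$(mktemp -d)
cat > "$WORK/distinfo.committed" <<'EOF'
TIMESTAMP = 1548115200
SHA256 (PEAR/Net_SMTP-1.2.3.tgz) = deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
SIZE (PEAR/Net_SMTP-1.2.3.tgz) = 30000
EOF
cat > "$WORK/distinfo.fresh" <<'EOF'
TIMESTAMP = 1548201600
SHA256 (PEAR/Net_SMTP-1.2.3.tgz) = 0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d
SIZE (PEAR/Net_SMTP-1.2.3.tgz) = 30210
EOF

if distinfo_diff "$WORK/distinfo.committed" "$WORK/distinfo.fresh"; then
    echo "distinfo unchanged"
else
    echo "distinfo differs: treat the distfile as suspect until the change is explained"
fi
```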