philj at openmailbox.org
2014-Jun-22 12:31 UTC
Ports tree insecure because of IGNOREFILES+IGNORE
The IGNOREFILES+IGNORE mechanism allows port maintainers to disable checksum checks. I feel that this mechanism is a stain on an otherwise fantastic ports system. It reduces user confidence in security and makes us all sitting ducks for sophisticated adversaries.

Possible changes:

(i) removing the IGNOREFILES+IGNORE mechanism entirely if practical.

(ii) centralizing the mechanism with a vetting process involving a (highly paranoid) security officer.

(iii) requiring users to add a switch to /etc/make.conf or otherwise to OK installation of ports with checksum-disabled components. Awareness and choice breed confidence.

==================================
CATEGORY 1: PROBLEMATIC EXECUTABLES
==================================

biology/platon
-----------------------------------------------------------------------------
# This port only has snapshot archive
IGNOREFILES=	platon.tar.gz

SHA256 (platon.tar.gz) = IGNORE
-----------------------------------------------------------------------------
Notes: executable.

games/xroach
-----------------------------------------------------------------------------
IGNOREFILES=	${DISTFILES}

SHA256 (xroach.tar.gz) = IGNORE
-----------------------------------------------------------------------------
Notes: executable.

net/bindtest
-----------------------------------------------------------------------------
IGNOREFILES=	${DISTNAME}${EXTRACT_SUFX}

SHA256 (bindtest.tgz) = IGNORE
-----------------------------------------------------------------------------
Notes: executable.

print/lgrind
-----------------------------------------------------------------------------
IGNOREFILES=	${PORTNAME}.tar.gz

SHA256 (lgrind/lgrind.tar.gz) = IGNORE
-----------------------------------------------------------------------------
Notes: executable. It doesn't checksum the distfile, but it *does* checksum the distfile's contents. This offers less resistance for a maliciously corrupted tarball.
Checksumming the distfile itself guards access to the archiver programs and libraries, among other things. Another problem with this checksum-the-contents approach is that there appears to be no protection against extraneous contents, which could be a problem if wildcards are used somewhere in the build/install process.

www/lifetype
-----------------------------------------------------------------------------
IGNOREFILES=	${CONTRIBE_VERSION}__all_plugins.zip \
		${CONTRIBE_VERSION}__all_templates.zip

SHA256 (1.2__all_plugins.zip) = IGNORE
SHA256 (1.2__all_templates.zip) = IGNORE
-----------------------------------------------------------------------------
Notes: executable (PHP files, etc.).

======================================
CATEGORY 2: PROBLEMATIC NON-EXECUTABLES
======================================

These include documentation files and program data files. Malicious corruption would target any code on the system that processes the files (see japanese/edict below for an example of how a program can be targeted during the build process). A lot of the time, the risk is no doubt negligible, to the point where it's more of a risk to use the ports system itself, with fetch(1) and other helper programs as potential targets.

devel/root-doc
-----------------------------------------------------------------------------
IGNOREFILES=	${DISTFILES}

SHA256 (html502.tar.gz) = IGNORE
-----------------------------------------------------------------------------
Notes: intended to be documentation only, but effectively an opaque tarball crafted in an unknown manner and containing unknown contents that gets a free ride beyond the checksum point.
games/ftjava
-----------------------------------------------------------------------------
IGNOREFILES=	FTJava_Documentation.html faq.html FTJava_Linux.html

SHA256 (ftjava/FTJava_Documentation.html) = IGNORE
SHA256 (ftjava/faq.html) = IGNORE
SHA256 (ftjava/FTJava_Linux.html) = IGNORE
-----------------------------------------------------------------------------
Notes: documentation.

japanese/edict
-----------------------------------------------------------------------------
#
# These change too often and are not made into executables.
#
IGNOREFILES=	${DICTFILES} ${DOCFILES}

SHA256 (edict/edict.gz) = IGNORE
SHA256 (edict/edicth) = IGNORE
SHA256 (edict/enamdict.gz) = IGNORE
SHA256 (edict/compdic.gz) = IGNORE
SHA256 (edict/j_places.gz) = IGNORE
SHA256 (edict/ediclsd3.zip) = IGNORE
SHA256 (edict/kanjidic.gz) = IGNORE
SHA256 (edict/kanjd212.gz) = IGNORE
SHA256 (edict/lawgledt.zip) = IGNORE
SHA256 (edict/lingdic.zip) = IGNORE
SHA256 (edict/geodic.gz) = IGNORE
SHA256 (edict/pandpdic.zip) = IGNORE
SHA256 (edict/aviation.zip) = IGNORE
SHA256 (edict/findic.zip) = IGNORE
SHA256 (edict/mktdic.zip) = IGNORE
SHA256 (edict/4jword3_edict.zip) = IGNORE
SHA256 (edict/concrete.zip) = IGNORE
SHA256 (edict/edict_doc.html) = IGNORE
SHA256 (edict/edicth.doc) = IGNORE
SHA256 (edict/enamdict_doc.txt) = IGNORE
SHA256 (edict/enamdict_doc.html) = IGNORE
SHA256 (edict/j_places.inf) = IGNORE
SHA256 (edict/kanjidic.doc) = IGNORE
SHA256 (edict/kanjd212.doc) = IGNORE
SHA256 (edict/ediclsd3.rme) = IGNORE
SHA256 (edict/lawgldoc.new) = IGNORE
SHA256 (edict/lingdic.txt) = IGNORE
SHA256 (edict/geodic.doc) = IGNORE
SHA256 (edict/aviation.txt) = IGNORE
SHA256 (edict/findic.doc) = IGNORE
SHA256 (edict/mktdic.doc) = IGNORE
SHA256 (edict/4jword3_inf.txt) = IGNORE
SHA256 (edict/concrete.doc) = IGNORE
-----------------------------------------------------------------------------
Notes: program data files that get a free ride beyond the checksum point, including having the port Makefile run the dictionaries through xjdxgen, an EUC-JP index generator last updated in 1998 that can easily be forced to overflow malloc'd memory with sizeof(long) bytes of data because of an off-by-one index calculation:

jindex = (unsigned long *)malloc(indlen);
// ...
if (indptr > indlen/sizeof(long)) {
	printf("Index table overflow. Dictionary too large?\n");
	exit(1);
}

Here we write sizeof(long) bytes past a 12-byte buffer:

157	  indlen = (diclen * 3*(sizeof(long)/4))/4;
(gdb)
158	  jindex = (unsigned long *)malloc(indlen);
(gdb)
159	  if(jindex == NULL)
(gdb) p indlen
$1 = 12
(gdb) x/16b jindex
0x28210030:	0	0	0	0	0	0	0	0
0x28210038:	0	0	0	0	0	0	0	0
(gdb) b 255 if indptr == 3
Breakpoint 3 at 0x8048fa7: file xjdxgen.c, line 255.
(gdb) c
Continuing.
255	  jindex[indptr] = schi;
(gdb) p indptr
$2 = 3
(gdb) x/16b jindex
0x28210030:	0	0	0	0	1	0	0	0
0x28210038:	4	0	0	0	0	0	0	0
(gdb) n
256	  cstrp = 1;
(gdb) x/16b jindex
0x28210030:	0	0	0	0	1	0	0	0
0x28210038:	4	0	0	0	7	0	0	0
(gdb)

There are potentially more severe problems that would require significantly more time to examine. This port is relatively inconsequential. The above is purely to illustrate a wider point.

mail/spambnc
-----------------------------------------------------------------------------
IGNOREFILES=	quickstart.shtml
IGNOREFILES+=	upgrading.shtml

SHA256 (spambnc-20060416/quickstart.shtml) = IGNORE
SHA256 (spambnc-20060416/upgrading.shtml) = IGNORE
-----------------------------------------------------------------------------
Notes: documentation.

math/libflame
-----------------------------------------------------------------------------
IGNOREFILES=	libflame.pdf

SHA256 (libflame.pdf) = IGNORE
-----------------------------------------------------------------------------
Notes: documentation.

net-mgmt/kismet
-----------------------------------------------------------------------------
IGNOREFILES=	manuf

SHA256 (kismet/manuf) = IGNORE
-----------------------------------------------------------------------------
Notes: documentation.
net/ntopng
-----------------------------------------------------------------------------
IGNOREFILES=	GeoLiteCity.dat.gz GeoLiteCityv6.dat.gz \
		GeoIPASNum.dat.gz GeoIPASNumv6.dat.gz

SHA256 (GeoLiteCity.dat.gz) = IGNORE
SHA256 (GeoLiteCityv6.dat.gz) = IGNORE
SHA256 (GeoIPASNum.dat.gz) = IGNORE
SHA256 (GeoIPASNumv6.dat.gz) = IGNORE
-----------------------------------------------------------------------------
Notes: program data files with uninvestigated impact.

sysutils/apcupsd
-----------------------------------------------------------------------------
IGNOREFILES=	${PORTNAME}.pdf

SHA256 (apcupsd.pdf) = IGNORE
-----------------------------------------------------------------------------
Notes: documentation.

www/dillo2
-----------------------------------------------------------------------------
IGNOREFILES+=	hyph-${_l}.pat.txt

SHA256 (dillo/hyph-af.pat.txt) = IGNORE
SHA256 (dillo/hyph-as.pat.txt) = IGNORE
SHA256 (dillo/hyph-bg.pat.txt) = IGNORE
SHA256 (dillo/hyph-bn.pat.txt) = IGNORE
SHA256 (dillo/hyph-ca.pat.txt) = IGNORE
SHA256 (dillo/hyph-cop.pat.txt) = IGNORE
SHA256 (dillo/hyph-cs.pat.txt) = IGNORE
SHA256 (dillo/hyph-cy.pat.txt) = IGNORE
SHA256 (dillo/hyph-da.pat.txt) = IGNORE
SHA256 (dillo/hyph-de-1901.pat.txt) = IGNORE
SHA256 (dillo/hyph-de-1996.pat.txt) = IGNORE
SHA256 (dillo/hyph-de-ch-1901.pat.txt) = IGNORE
SHA256 (dillo/hyph-el-monoton.pat.txt) = IGNORE
SHA256 (dillo/hyph-el-polyton.pat.txt) = IGNORE
SHA256 (dillo/hyph-en-gb.pat.txt) = IGNORE
SHA256 (dillo/hyph-en-us.pat.txt) = IGNORE
SHA256 (dillo/hyph-eo.pat.txt) = IGNORE
SHA256 (dillo/hyph-es.pat.txt) = IGNORE
SHA256 (dillo/hyph-et.pat.txt) = IGNORE
SHA256 (dillo/hyph-eu.pat.txt) = IGNORE
SHA256 (dillo/hyph-fi.pat.txt) = IGNORE
SHA256 (dillo/hyph-fr.pat.txt) = IGNORE
SHA256 (dillo/hyph-fur.pat.txt) = IGNORE
SHA256 (dillo/hyph-ga.pat.txt) = IGNORE
SHA256 (dillo/hyph-gl.pat.txt) = IGNORE
SHA256 (dillo/hyph-grc.pat.txt) = IGNORE
SHA256 (dillo/hyph-gu.pat.txt) = IGNORE
SHA256 (dillo/hyph-hi.pat.txt) = IGNORE
SHA256 (dillo/hyph-hr.pat.txt) = IGNORE
SHA256 (dillo/hyph-hsb.pat.txt) = IGNORE
SHA256 (dillo/hyph-hu.pat.txt) = IGNORE
SHA256 (dillo/hyph-hy.pat.txt) = IGNORE
SHA256 (dillo/hyph-ia.pat.txt) = IGNORE
SHA256 (dillo/hyph-id.pat.txt) = IGNORE
SHA256 (dillo/hyph-is.pat.txt) = IGNORE
SHA256 (dillo/hyph-it.pat.txt) = IGNORE
SHA256 (dillo/hyph-kmr.pat.txt) = IGNORE
SHA256 (dillo/hyph-kn.pat.txt) = IGNORE
SHA256 (dillo/hyph-la.pat.txt) = IGNORE
SHA256 (dillo/hyph-lt.pat.txt) = IGNORE
SHA256 (dillo/hyph-lv.pat.txt) = IGNORE
SHA256 (dillo/hyph-ml.pat.txt) = IGNORE
SHA256 (dillo/hyph-mn-cyrl.pat.txt) = IGNORE
SHA256 (dillo/hyph-mr.pat.txt) = IGNORE
SHA256 (dillo/hyph-mul-ethi.pat.txt) = IGNORE
SHA256 (dillo/hyph-nb.pat.txt) = IGNORE
SHA256 (dillo/hyph-nl.pat.txt) = IGNORE
SHA256 (dillo/hyph-nn.pat.txt) = IGNORE
SHA256 (dillo/hyph-or.pat.txt) = IGNORE
SHA256 (dillo/hyph-pa.pat.txt) = IGNORE
SHA256 (dillo/hyph-pl.pat.txt) = IGNORE
SHA256 (dillo/hyph-pms.pat.txt) = IGNORE
SHA256 (dillo/hyph-pt.pat.txt) = IGNORE
SHA256 (dillo/hyph-rm.pat.txt) = IGNORE
SHA256 (dillo/hyph-ro.pat.txt) = IGNORE
SHA256 (dillo/hyph-ru.pat.txt) = IGNORE
SHA256 (dillo/hyph-sa.pat.txt) = IGNORE
SHA256 (dillo/hyph-sh-cyrl.pat.txt) = IGNORE
SHA256 (dillo/hyph-sh-latn.pat.txt) = IGNORE
SHA256 (dillo/hyph-sk.pat.txt) = IGNORE
SHA256 (dillo/hyph-sl.pat.txt) = IGNORE
SHA256 (dillo/hyph-sr-cyrl.pat.txt) = IGNORE
SHA256 (dillo/hyph-sv.pat.txt) = IGNORE
SHA256 (dillo/hyph-ta.pat.txt) = IGNORE
SHA256 (dillo/hyph-te.pat.txt) = IGNORE
SHA256 (dillo/hyph-tk.pat.txt) = IGNORE
SHA256 (dillo/hyph-tr.pat.txt) = IGNORE
SHA256 (dillo/hyph-uk.pat.txt) = IGNORE
SHA256 (dillo/hyph-zh-latn-pinyin.pat.txt) = IGNORE
-----------------------------------------------------------------------------
Notes: program data files with uninvestigated impact.
www/thttpd
-----------------------------------------------------------------------------
IGNOREFILES=	notes.html

SHA256 (thttpd/notes.html) = IGNORE
-----------------------------------------------------------------------------
Notes: documentation.

========================
CATEGORY 3: OK... FOR NOW
========================

"OK" here means the user is at least making a conscious decision.

biology/blast
-----------------------------------------------------------------------------
# Distfiles change rapidly, but since they can only be downloaded from
# the author, this is not a problem.
IGNOREFILES=	${DISTFILES}

SHA256 (blast2.freebsd-6.x-i686.tar.Z) = IGNORE
SHA256 (blast2.freebsd-6.x-x64.tar.Z) = IGNORE
-----------------------------------------------------------------------------
Notes: executable code, but port asks user to download distfile manually.

chinese/msttf
-----------------------------------------------------------------------------
IGNOREFILES=	${MSTTF_SIMHEI} ${MSTTF_SIMSUN} ${MSTTF_TAHOMA}

SHA256 (msttf/simhei.ttf) = IGNORE
SHA256 (msttf/simsun.ttc) = IGNORE
SHA256 (msttf/tahoma.ttf) = IGNORE
-----------------------------------------------------------------------------
Notes: port asks user to grab three font files from Windows computer.

multimedia/pvr250
-----------------------------------------------------------------------------
IGNOREFILES=	hcwPVRP2.sys	# Varies from month to month

SHA256 (hcwPVRP2.sys) = IGNORE
-----------------------------------------------------------------------------
Notes: binary driver, but port asks user to grab it from the product CD.

multimedia/pvrxxx
-----------------------------------------------------------------------------
IGNOREFILES=	hcwPVRP2.sys	# Varies from month to month

SHA256 (hcwPVRP2.sys) = IGNORE
-----------------------------------------------------------------------------
Notes: binary driver, but port asks user to grab it from the product CD.
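The post's proposal (iii) rests on users being able to see which distfiles the checksum stage will never verify. The following is an added audit helper, not part of the post nor of the ports framework: it parses distinfo text of the shape `SHA256 (file) = IGNORE` shown above and reports every entry whose checksum is IGNORE, ignoring SIZE lines and real hashes. The function names, the constructed sample distinfo and the exit-code convention are all this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME 256

/*
 * Parse one distinfo line such as
 *     SHA256 (edict/edict.gz) = IGNORE
 * Returns 1 and copies the file name into `name` when the line is a checksum
 * entry whose value is exactly IGNORE; returns 0 for SIZE lines, real hashes
 * and anything malformed.  (Example code; not part of the ports framework.)
 */
int line_is_ignored_checksum(const char *line, char name[MAX_NAME])
{
    const char *open, *close, *val;
    size_t len;

    if (strncmp(line, "SIZE", 4) == 0)          /* sizes are not checksums */
        return 0;
    open = strchr(line, '(');
    if (open == NULL || open == line)           /* need "ALGO (" before the name */
        return 0;
    close = strchr(open, ')');
    if (close == NULL)
        return 0;
    val = strchr(close, '=');
    if (val == NULL)
        return 0;
    val++;
    while (*val == ' ' || *val == '\t')
        val++;
    if (strncmp(val, "IGNORE", 6) != 0)
        return 0;
    val += 6;
    if (*val != '\0' && *val != '\n' && *val != '\r')
        return 0;                               /* "IGNOREabc" is not IGNORE */
    len = (size_t)(close - open - 1);
    if (len >= MAX_NAME)
        len = MAX_NAME - 1;
    memcpy(name, open + 1, len);
    name[len] = '\0';
    return 1;
}

/*
 * Scan a whole distinfo buffer.  Returns the number of IGNORE entries and
 * stores up to `max` of their file names in names[].
 */
size_t find_ignored_distfiles(const char *distinfo, char names[][MAX_NAME], size_t max)
{
    size_t count = 0;
    const char *p = distinfo;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[1024], name[MAX_NAME];

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (line_is_ignored_checksum(line, name)) {
            if (count < max)
                strcpy(names[count], name);
            count++;
        }
        p = nl ? nl + 1 : p + strlen(p);
    }
    return count;
}

/* Constructed sample modelled on the entries quoted in the post (not a real distinfo). */
const char SAMPLE_DISTINFO[] =
    "SHA256 (platon.tar.gz) = IGNORE\n"
    "SIZE (platon.tar.gz) = 4096\n"
    "SHA256 (edict/edict.gz) = IGNORE\n"
    "SHA256 (clean-1.0.tar.gz) = "
    "0000000000000000000000000000000000000000000000000000000000000000\n"
    "SIZE (clean-1.0.tar.gz) = 1234\n";

/* Usage: ./distinfo-ignore [path/to/distinfo]; with no argument the
 * constructed sample above is scanned. */
int main(int argc, char **argv)
{
    static char buf[1 << 20];
    const char *text = SAMPLE_DISTINFO;
    char names[64][MAX_NAME];
    size_t n, i;

    if (argc > 1) {
        FILE *fp = fopen(argv[1], "r");
        if (fp == NULL) {
            perror(argv[1]);
            return 1;
        }
        size_t got = fread(buf, 1, sizeof buf - 1, fp);
        buf[got] = '\0';
        fclose(fp);
        text = buf;
    }
    n = find_ignored_distfiles(text, names, 64);
    for (i = 0; i < n && i < 64; i++)
        printf("%s: unverified distfile %s\n", argc > 1 ? argv[1] : "(sample)", names[i]);
    return n > 0 ? 2 : 0;   /* non-zero exit makes it easy to flag ports in a loop */
}
```

Run over a checked-out tree with a shell loop over `*/*/distinfo`; the non-zero exit status on a hit is what makes the tool usable as a pre-install gate of the kind proposal (iii) describes.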
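The japanese/edict entry above shows an index table of `indlen` bytes being written one slot past its end because the guard uses `>` where `>=` is needed. As an added example, not code from the post or from xjdxgen, the following C re-creates that bookkeeping with invented names (`original_check_allows_write`, `fixed_check_allows_write`, `index_table_append`, `fill_table`) so the off-by-one can be reproduced on any host: a `slot_size` parameter stands in for `sizeof(long)`, which lets the 12-byte, 4-byte-long case from the gdb session be checked on a 64-bit machine, and the hardened append refuses the write rather than trusting the caller.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * A table of `indlen` bytes holds indlen / slot_size entries, so the valid
 * slots are 0 .. (indlen / slot_size) - 1.  Everything below is example code
 * with invented names; none of it is from xjdxgen.c.
 */

/* The post's original condition: the write goes ahead unless
 * indptr > indlen/sizeof(long).  Returns 1 when that check lets the write
 * through.  slot_size stands in for sizeof(long). */
int original_check_allows_write(size_t indptr, size_t indlen, size_t slot_size)
{
    size_t slots = indlen / slot_size;
    return !(indptr > slots);      /* off by one: indptr == slots is past the end */
}

/* Corrected condition: the last valid slot is slots - 1. */
int fixed_check_allows_write(size_t indptr, size_t indlen, size_t slot_size)
{
    size_t slots = indlen / slot_size;
    return indptr < slots;
}

struct index_table {
    unsigned long *entries;   /* the malloc(indlen) block */
    size_t slots;             /* how many unsigned longs fit in it */
    size_t used;              /* next free slot (indptr in the post) */
};

int index_table_init(struct index_table *t, size_t indlen)
{
    t->entries = calloc(1, indlen > 0 ? indlen : 1);
    if (t->entries == NULL)
        return -1;
    t->slots = indlen / sizeof(unsigned long);
    t->used = 0;
    return 0;
}

void index_table_free(struct index_table *t)
{
    free(t->entries);
    t->entries = NULL;
    t->slots = t->used = 0;
}

/* Hardened append: refuses the write instead of running past the buffer. */
int index_table_append(struct index_table *t, unsigned long value)
{
    if (t->used >= t->slots)       /* >= rather than > */
        return -1;                 /* table full; caller decides what to do */
    t->entries[t->used++] = value;
    return 0;
}

/* Try to append n values into a table of indlen bytes; returns how many were
 * accepted.  With the hardened check this never exceeds
 * indlen / sizeof(unsigned long). */
size_t fill_table(size_t indlen, size_t n)
{
    struct index_table t;
    size_t accepted = 0;

    if (index_table_init(&t, indlen) != 0)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (index_table_append(&t, i + 1) == 0)
            accepted++;
    index_table_free(&t);
    return accepted;
}

int main(void)
{
    /* The post's scenario: a 12-byte table on a host with 4-byte longs,
     * writing at indptr == 3. */
    printf("original check, indptr=3, indlen=12, 4-byte slots: allowed=%d\n",
           original_check_allows_write(3, 12, 4));
    printf("fixed check,    indptr=3, indlen=12, 4-byte slots: allowed=%d\n",
           fixed_check_allows_write(3, 12, 4));
    printf("hardened 12-byte table accepted %zu of 5 appends\n", fill_table(12, 5));
    return 0;
}
```

The first two functions isolate the single comparison that matters; the table type shows the shape a fix takes when the capacity is carried alongside the pointer instead of being recomputed from `indlen` at every write site.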
On Sunday, June 22, 2014 22:31:50 philj at openmailbox.org wrote:
> The IGNOREFILES+IGNORE mechanism allows port maintainers to
> disable checksum checks. I feel that this mechanism is a stain
> on an otherwise fantastic ports system. It reduces user
> confidence in security and makes us all sitting ducks for
> sophisticated adversaries.

Er. There's nothing stopping a port maintainer from saying "Sorry, the distfiles aren't fetchable from the master sites any more, I can host a copy" and then host a malicious distfile. Or doing any number of simpler things to cause a problem. The Project doesn't have the resources to audit every single distfile's code. If you're that paranoid, you're welcome to do so yourself.

-- 
Chris Nehren