author | emaste <emaste@FreeBSD.org> | 2016-09-28 22:04:07 +0000 |
---|---|---|
committer | emaste <emaste@FreeBSD.org> | 2016-09-28 22:04:07 +0000 |
commit | cd023724a7d1e4dcddd21af0e1223dac3421f2c9 (patch) | |
tree | e7f4d84698365e0ea7b1803fb9871a32bac31597 | |
parent | 735a55562c34a0e087989df45f0cdd5285f477b6 (diff) | |
MFS r306418: portsnap: only move expected snapshot contents from snap/ to files/
Previously it was possible to smuggle in additional files that would
be used by later portsnap runs. Now we only move those files expected
to be in the snapshot into files/ and require that there are no
unexpected files.
This was used by portsnap attacks 2, 3, and 4 in the "non-cryptanalytic
attacks against FreeBSD update components" anonymous gist.
Approved by: re (gjb)
-rw-r--r-- | usr.sbin/portsnap/portsnap/portsnap.sh | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/usr.sbin/portsnap/portsnap/portsnap.sh b/usr.sbin/portsnap/portsnap/portsnap.sh index 3dcf618..501c530 100644 --- a/usr.sbin/portsnap/portsnap/portsnap.sh +++ b/usr.sbin/portsnap/portsnap/portsnap.sh @@ -691,6 +691,13 @@ fetch_snapshot() { fetch_index_sanity || return 1 # Verify the snapshot contents cut -f 2 -d '|' INDEX.new | fetch_snapshot_verify || return 1 + cut -f 2 -d '|' tINDEX.new INDEX.new | sort -u > files.expected + find snap -mindepth 1 | sed -E 's^snap/(.*)\.gz^\1^' | sort > files.snap + if ! cmp -s files.expected files.snap; then + echo "unexpected files in snapshot." + return 1 + fi + rm files.expected files.snap echo "done." # Move files into their proper locations |
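Review bot: The sed expression on the added `find snap -mindepth 1` line is unanchored at both ends, because `^` is used as the delimiter and nothing follows `\.gz`, so a name such as `snap/X.gzY` is rewritten to `XY` instead of being passed through unchanged. The `cmp -s` check still fails for such a name unless `XY` happens to be an entry in `files.expected`, but a different delimiter with explicit anchors, for example `s,^snap/(.*)\.gz$,\1,`, would state the accepted shape exactly and leave every other name untouched so it can never match. Separately, the `return 1` branch leaves `files.expected` and `files.snap` behind, since the `rm` is only reached on success; either remove them before returning or add a comment that they are kept for diagnosis. The message "unexpected files in snapshot." is also printed when an expected file is missing from `snap/`, since `cmp` tests equality in both directions, so wording that covers both cases would be more accurate.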