188428 – MITM attacks against portsnap(8)

Bug 188428 - MITM attacks against portsnap(8)

Summary: MITM attacks against portsnap(8)

Status:	Closed Overcome By Events

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	bin (show other bugs)
Version:	Unspecified
Hardware:	Any Any

Importance:	Normal Affects Many People
Assignee:	Colin Percival

URL:
Keywords:

Depends on:
Blocks:

Reported:	2014-04-10 17:20 UTC by David
Modified:	2025-01-21 16:28 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description David 2014-04-10 17:20:00 UTC

Portsnap extracts fetched data prior to its SHA256 verification. The extraction libraries used have a long history of bugs so its reasonable to assume there might be more. Portsnap runs as root. Using a vulnerability in the decompression libraries an attacker who was MITM-capable could compromise any FreeBSD system running portsnap.

Fix: 

Solution summary: a re-working of the snapshot hashing and hash verification process.

The functions of concern in portsnap.sh are fetch_snapshot(), fetch_update(), and fetch_snapshot_verify().

Comment 1 Mark Linimon freebsd_committer

2014-04-14 00:37:33 UTC

Responsible Changed
From-To: freebsd-bugs->cperciva

Over to maintainer.

Comment 2 Eitan Adler freebsd_committer

2018-05-28 19:50:29 UTC

batch change:

For bugs that match the following
-  Status Is In progress 
AND
- Untouched since 2018-01-01.
AND
- Affects Base System OR Documentation

DO:

Reset to open status.


Note:
I did a quick pass but if you are getting this email it might be worthwhile to double check to see if this bug ought to be closed.

Comment 3 Mark Linimon freebsd_committer

2025-01-21 16:28:37 UTC

^Triage: portsnap was disconnected from the build 20230420.