Author: delphij
Date: Fri Sep  9 07:00:50 2016
New Revision: 305650
URL: https://svnweb.freebsd.org/changeset/base/305650

Log:
  MFC r305469:
  
  Ensure that we always open only the files we name explicitly, by using
  shell redirections instead of letting gzip(1) decide which file to
  open.
  
  Issue reported in the "non-cryptanalytic attacks against freebsd
  update components" anonymous gist.
  
  Reviewed by:  allanjude, emaste

Modified:
  stable/9/usr.sbin/portsnap/portsnap/portsnap.sh
Directory Properties:
  stable/9/usr.sbin/portsnap/   (props changed)
  stable/9/usr.sbin/portsnap/portsnap/   (props changed)

Modified: stable/9/usr.sbin/portsnap/portsnap/portsnap.sh
==============================================================================
--- stable/9/usr.sbin/portsnap/portsnap/portsnap.sh     Fri Sep  9 06:59:49 
2016        (r305649)
+++ stable/9/usr.sbin/portsnap/portsnap/portsnap.sh     Fri Sep  9 07:00:50 
2016        (r305650)
@@ -609,7 +609,7 @@ fetch_index_sanity() {
 # Verify a list of files
 fetch_snapshot_verify() {
        while read F; do
-               if [ "`gunzip -c snap/${F} | ${SHA256} -q`" != ${F} ]; then
+               if [ "`gunzip -c < snap/${F}.gz | ${SHA256} -q`" != ${F} ]; then
                        echo "snapshot corrupt."
                        return 1
                fi
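Review bot: The rewritten test on the changed line still leaves `${F}` unquoted on both the redirect and the right-hand side of `!=`, and the `while read F` above it is not `read -r`, so an index entry that is empty, contains whitespace or a backslash becomes a shell syntax error in `[` instead of taking the intended "snapshot corrupt." path. The values presumably come from an already-verified tINDEX, so this may be unreachable in practice, but this loop is the integrity gate and should not rely on that. I would write `while read -r F; do` and `if [ "$(gunzip -c < "snap/${F}.gz" | ${SHA256} -q)" != "${F}" ]; then`. The loop and the function body continue past the hunk.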
@@ -644,7 +644,7 @@ fetch_snapshot() {
        cut -f 2 -d '|' tINDEX.new | fetch_snapshot_verify || return 1
 # Extract the index
        rm -f INDEX.new
-       gunzip -c snap/`look INDEX tINDEX.new |
+       gunzip -c < snap/`look INDEX tINDEX.new |
            cut -f 2 -d '|'`.gz > INDEX.new
        fetch_index_sanity || return 1
 # Verify the snapshot contents
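Review bot: The redirect target on the changed line is built from an unquoted backtick expansion, so if `look INDEX tINDEX.new` matches nothing the path collapses to `snap/.gz`, the redirection fails before gunzip runs, and whether INDEX.new exists or is empty afterwards is left to the shell; the code then depends on fetch_index_sanity, which is outside this hunk, to notice. It would be more robust to resolve the name first and check it: `IDX=$(look INDEX tINDEX.new | cut -f 2 -d '|')`, `[ -n "${IDX}" ] || return 1`, then `gunzip -c < "snap/${IDX}.gz" > INDEX.new || return 1`. Note also that look is a prefix match, so any other tINDEX key starting with INDEX would be selected as well; I cannot tell from here whether such keys exist. The surrounding fetch_snapshot body continues beyond the hunk.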
@@ -737,7 +737,7 @@ fetch_update() {
        echo "done."
 
 # Extract the index
-       gunzip -c files/`look INDEX tINDEX.new |
+       gunzip -c < files/`look INDEX tINDEX.new |
            cut -f 2 -d '|'`.gz > INDEX.new
        fetch_index_sanity || return 1
 
@@ -842,7 +842,7 @@ extract_make_index() {
                echo -n "$1 not provided by portsnap server; "
                echo "$2 not being generated."
        else
-       gunzip -c "${WORKDIR}/files/`look $1 ${WORKDIR}/tINDEX |
+       gunzip -c < "${WORKDIR}/files/`look $1 ${WORKDIR}/tINDEX |
            cut -f 2 -d '|'`.gz" |
            cat - ${LOCALDESC} |
            ${MKINDEX} /dev/stdin > ${PORTSDIR}/$2
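Review bot: The changed line pipes gunzip straight into `cat - ${LOCALDESC} | ${MKINDEX} /dev/stdin > ${PORTSDIR}/$2`, so a missing or truncated .gz (gunzip exiting non-zero, possibly after partial output) still overwrites `${PORTSDIR}/$2` with a truncated INDEX, and the pipeline's status is that of ${MKINDEX}, not gunzip. I would decompress to a temporary file and check it before building the index, e.g. `gunzip -c < "${WORKDIR}/files/${H}.gz" > "${WORKDIR}/INDEX.tmp" || { echo "$1 decompression failed."; return 1; }` with `H` resolved from the `look` output beforehand, then feed that file to cat/${MKINDEX}. `$1` in `look $1` is also unquoted; presumably a plain index name, but quoting it costs nothing. The enclosing if/else and the function's closing brace are outside the hunk.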