Opened 8 years ago
Closed 14 months ago
#51886 closed enhancement (fixed)
nmap @7.12 Minor portfile fixes
| Reported by: | iamGavinJ (GΛVĪN) | Owned by: | opendarwin.org@… |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | ports | Version: | |
| Keywords: | haspatch | Cc: | danielluke (Daniel J. Luke), chrstphrchvz (Christopher Chavez) |
| Port: | nmap |
Description
- Livecheck was picking up BETA versions so I implemented the livecheck.regex
- Switched ${homepage} to the HTTPS version
- Corrected ${master_sites) by removing two old URLs and added one new one
- Removed insecure MD5 and SHA1 checksums
- Added "--with-libpcap=DIR" to configure.args;
- This may not be necessary but there is some ambiguity whether make was linking from CFLAGS & LDFLAGS. It appears without this switch it may build against its own version included in the distfile which would make the existing dependency irrelevant.
Attachments (1)
Change History (9)
comment:1 Changed 8 years ago by mf2k (Frank Schima)
| Cc: | opendarwin.org@… removed |
|---|---|
| Owner: | changed from macports-tickets@… to opendarwin.org@… |
| Version: | 2.3.4 |
comment:2 follow-up: 3 Changed 8 years ago by danielluke (Daniel J. Luke)
comment:3 follow-up: 4 Changed 8 years ago by iamGavinJ (GΛVĪN)
Replying to dluke@…:
I'll try to take a look at this soon, some notes inline.
Replying to gavin@…:
- Livecheck was picking up BETA versions so I implemented the livecheck.regex
- Switched ${homepage} to the HTTPS version
- Corrected ${master_sites) by removing two old URLs and added one new one
- Removed insecure MD5 and SHA1 checksums
There is no downside to having those checksums in the portfile (as port will check against any/all listed checksums). I need to double-check and see if upstream releases checksums for their releases (as that's usually the reason why we'd keep md5 or sha1 around).
Not sure what you mean regarding upstream releases but i'll take your word for it. I was just imagining a scenario where malicious code could be introduced into the source taking advantage of the known hash collisions but still making the checksum valid. I realise there's a number of very specific conditions which would also need to be setup to make the scenario actually exploitable but I just figured for a security related tool like this, if possible, it would be better than not to deprecate these HMACs.
- Added "--with-libpcap=DIR" to configure.args;
- This may not be necessary but there is some ambiguity whether make was linking from CFLAGS & LDFLAGS. It appears without this switch it may build against its own version included in the distfile which would make the existing dependency irrelevant.
otool output says it links with the one in $prefix on my system - did you actually notice a problem somewhere?
No issues, I just noticed the --with-libpcap=included vs. --with-libpcap=DIR and thought it wouldn't hurt to be explicit in case the default behaviour changed in the future. Was just trying to be thorough. :)
comment:4 follow-up: 5 Changed 8 years ago by danielluke (Daniel J. Luke)
Replying to gavin@…:
Not sure what you mean regarding upstream releases but i'll take your word for it.
If upstream provides an md5 or sha1 hash, it's useful to be able to have the same hash in the portfile.
I was just imagining a scenario where malicious code could be introduced into the source taking advantage of the known hash collisions but still making the checksum valid. I realise there's a number of very specific conditions which would also need to be setup to make the scenario actually exploitable but I just figured for a security related tool like this, if possible, it would be better than not to deprecate these HMACs.
Macports validates the distfile against all of the hashes in the portfile. For that attack to work, you'd have to generate a malicious file that collides with each hash listed (having a weak hash like md5 or sha1 doesn't stop Macports from using the sha256 checksum).
comment:5 Changed 8 years ago by iamGavinJ (GΛVĪN)
Replying to dluke@…:
Replying to gavin@…:
Not sure what you mean regarding upstream releases but i'll take your word for it.
If upstream provides an md5 or sha1 hash, it's useful to be able to have the same hash in the portfile.
Got it.
I was just imagining a scenario where malicious code could be introduced into the source taking advantage of the known hash collisions but still making the checksum valid. I realise there's a number of very specific conditions which would also need to be setup to make the scenario actually exploitable but I just figured for a security related tool like this, if possible, it would be better than not to deprecate these HMACs.
Macports validates the distfile against all of the hashes in the portfile. For that attack to work, you'd have to generate a malicious file that collides with each hash listed (having a weak hash like md5 or sha1 doesn't stop Macports from using the sha256 checksum).
Ah there be my incorrect assumption. I thought checksumming was an 'OR'. Thanks for clarifying.
Changed 8 years ago by iamGavinJ (GΛVĪN)
| Attachment: | Portfile.diff added |
|---|
comment:6 Changed 5 years ago by chrstphrchvz (Christopher Chavez)
| Cc: | chrstphrchvz added |
|---|
comment:7 Changed 5 years ago by chrstphrchvz (Christopher Chavez)
comment:8 Changed 14 months ago by danielluke (Daniel J. Luke)
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
I'll try to take a look at this soon, some notes inline.
Replying to gavin@…:
There is no downside to having those checksums in the portfile (as port will check against any/all listed checksums). I need to double-check and see if upstream releases checksums for their releases (as that's usually the reason why we'd keep md5 or sha1 around).
otool output says it links with the one in $prefix on my system - did you actually notice a problem somewhere?