Problem with devel/silc-toolkit

Paul Schmehl pauls at utdallas.edu
Sun Jan 28 02:32:19 UTC 2007


--On January 27, 2007 8:44:41 PM -0500 Wesley Shields <wxs at atarininja.org> wrote:

> On Sat, Jan 27, 2007 at 06:37:28PM -0600, Paul Schmehl wrote:
>> => MD5 Checksum mismatch for silc-toolkit-1.0.2.tar.bz2.
>> => SHA256 Checksum mismatch for silc-toolkit-1.0.2.tar.bz2.
>
> These are usually because of a re-rolled distfile.  If a PR has not been
> submitted already I would verify the contents of the new distfile and
> send-pr an update to take care of it.
>
> Of course, there's always the chance that the distfile was missed in the
> commit but that does not appear to be the case here.
>
Looks like it's more serious than that:

===>  Extracting for silc-toolkit-1.0.2
=> MD5 Checksum OK for silc-toolkit-1.0.2.tar.bz2.
=> SHA256 Checksum OK for silc-toolkit-1.0.2.tar.bz2.
===>   silc-toolkit-1.0.2 depends on file: /usr/local/bin/perl5.8.8 - found

bzip2: Data integrity error when decompressing.
        Input file = /usr/ports/distfiles//silc-toolkit-1.0.2.tar.bz2, output file = (stdout)

It is possible that the compressed file(s) have become corrupted.
You can use the -tvv option to test integrity of such files.

You can use the `bzip2recover' program to attempt to recover
data from undamaged sections of corrupted files.

silc-toolkit-1.0.2/lib/Makefile.in: (Empty error message)
tar: (Empty error message)
*** Error code 1

Stop in /usr/ports/devel/silc-toolkit.
root at utd59514# bzip2
bzip2         bzip2recover
root at utd59514# bzip2 -tvv
bzip2: I won't read compressed data from a terminal.
bzip2: For help, type: `bzip2 --help'.
root at utd59514# bzip2 -tvv /usr/ports/distfiles/silc-toolkit-
silc-toolkit-0.9.12.tar.bz2  silc-toolkit-1.0.2.tar.bz2
root at utd59514# bzip2 -tvv /usr/ports/distfiles/silc-toolkit-1.0.2.tar.bz2
  /usr/ports/distfiles/silc-toolkit-1.0.2.tar.bz2:
    [1: huff+mtf rt+rld]
    [2: huff+mtf data integrity (CRC) error in data

bzip2recover /usr/ports/distfiles/silc-toolkit-1.0.2.tar.bz2
bzip2recover 1.0.3: extracts blocks from damaged .bz2 files.
bzip2recover: searching for block boundaries ...
   block 1 runs from 80 to 0
   block 2 runs from 957242 to 0 (incomplete)
bzip2recover: splitting into blocks
   writing block 1 to `/usr/ports/distfiles/rec00001silc-toolkit-1.0.2.tar.bz2' ...
bzip2recover: finished

According to md5:
md5 /usr/ports/distfiles/silc-toolkit-1.0.2.tar.bz2
MD5 (/usr/ports/distfiles/silc-toolkit-1.0.2.tar.bz2) = c1feaf91c9f789a6414f328502cbba22

According to their website:
869ce01349444a28fbace3c1bfe745ff  silc-toolkit-1.0.2.tar.bz2

Looks like the bzipped tarball on their website has been altered - 
possibly compromised.  I'm cc'ing the port maintainer, but I was unable to 
find a security address at SILC to notify them.  I'm cc'ing their abuse and 
postmaster addresses.

I would recommend that the port be marked BROKEN until this is resolved.

Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
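
The checks run by hand in the message above (digest comparison plus a bzip2 integrity test) can be combined into one triage step. The following is an added example, not part of the original message or of the ports framework; the function names and the sample data are constructed for illustration. It shows that a file can match a locally recorded digest and still be a damaged archive.

```python
import bz2
import hashlib
import os
import tempfile

def digests(path):
    """Return (md5, sha256) hex digests, reading the file in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()

def bz2_intact(path):
    """Decompress the whole stream, like bzip2 -t; False on CRC error or truncation."""
    try:
        with bz2.open(path, "rb") as fh:
            while fh.read(65536):
                pass
    except (OSError, EOFError):
        return False
    return True

def triage(path, recorded_sha256, published_md5):
    """Compare with the locally recorded and the upstream-published digest, then test the archive."""
    md5, sha = digests(path)
    intact = bz2_intact(path)
    rec, pub = sha == recorded_sha256, md5 == published_md5
    # A damaged archive is reported first, whatever the digests say.
    verdict = "damaged" if not intact else "ok" if rec and pub else "digest-mismatch"
    return {"matches_recorded": rec, "matches_published": pub,
            "archive_intact": intact, "verdict": verdict}

def build_samples(workdir):
    """Constructed sample data: a valid bz2 stream and a copy with one byte flipped."""
    payload = b"".join(hashlib.sha256(str(i).encode()).digest() for i in range(4096))
    good = bz2.compress(payload)
    bad = bytearray(good)
    bad[len(bad) // 2] ^= 0xFF
    paths = [os.path.join(workdir, n) for n in ("good.bz2", "damaged.bz2")]
    for path, blob in zip(paths, (good, bad)):
        with open(path, "wb") as fh:
            fh.write(blob)
    return paths

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        good, damaged = build_samples(d)
        print(triage(damaged, digests(damaged)[1], digests(good)[0]))
```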

