[Bug 291343] Ports can use fetched files that are not fingerprinted

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 02 Dec 2025 06:13:59 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291343

            Bug ID: 291343
           Summary: Ports can use fetched files that are not fingerprinted
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Ports Framework
          Assignee: portmgr@FreeBSD.org
          Reporter: yuri@freebsd.org
                CC: ports-bugs@FreeBSD.org

Created attachment 265766
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=265766&action=edit
testcase-fetched-file-no-fingerprint.tgz

The attached sample port downloads and installs a file that isn't in DISTFILES
and doesn't have a record in distinfo.

In this example it downloads https://google.com/index.html and installs it as
${DATADIR}/possibly-malicious.html, but it can be any file.

The files fetched in the fetch target but not listed in DISTFILES can be
installed like this.

I am not saying that there are malicious ports, but the ports framework
enforces cryptographic fingerprints on all used distfiles, and this example
uses a loophole through which some files might not be fingerprinted.

The following solution can solve the above problem: Poudriere should use a
dedicated DISTDIR for each package build process.
(1) Before the fetch: Poudriere would copy all declared DISTFILES (if they
exist) from the common build directory into this dedicated directory.
(2) After the fetch: Poudriere would check that there are no files in the
dedicated directory that aren't declared in the DISTFILES file.
(3) After the build: Poudriere would copy them back from the dedicated
directory into a common directory.

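The check proposed in step (2) above, as an added example that is not poudriere or ports-framework code: after the fetch, a per-build DISTDIR may contain only files that the port's distinfo declares, and each declared file must still match its recorded SHA256 and SIZE. The sample port, its distinfo, the temporary directory layout and the function names are all made up for the demonstration; the distinfo line format is the one the ports tree uses.

```shell
#!/bin/sh
# Added example, not poudriere or ports-framework code. It implements the
# post-fetch check proposed in step (2): a per-build DISTDIR may hold only
# files declared in distinfo, and declared files must match their fingerprints.
# Sample port, paths and function names are constructed for the demonstration.

# declared_distfiles DISTINFO
#   Print the distfile names recorded in distinfo, one per line. distinfo
#   lines look like "SHA256 (name-1.0.tar.gz) = <hex>" and
#   "SIZE (name-1.0.tar.gz) = 12345"; names may carry a DIST_SUBDIR prefix.
#   Assumes names without whitespace, as in the ports tree.
declared_distfiles() {
    sed -n -e 's/^SHA256 (\(.*\)) = .*/\1/p' \
           -e 's/^SIZE (\(.*\)) = .*/\1/p' "$1" | sort -u
}

# distinfo_field DISTINFO FIELD NAME  ->  recorded SHA256 or SIZE value
distinfo_field() {
    awk -v f="$2" -v n="($3)" '$1 == f && $2 == n { print $4 }' "$1"
}

# sha256_of FILE  ->  hex digest, with whichever tool the host provides
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# undeclared_distfiles DISTINFO DISTDIR
#   Print every regular file under DISTDIR that distinfo does not declare.
#   Exit status 0 when the directory is clean, 1 when a stray file exists.
undeclared_distfiles() {
    declared=$(declared_distfiles "$1")
    stray=$(cd "$2" && find . -type f | sed 's|^\./||' |
        while IFS= read -r f; do
            # exact, whole-line match against the declared names
            printf '%s\n' "$declared" | grep -Fxq -- "$f" || printf '%s\n' "$f"
        done)
    if [ -z "$stray" ]; then return 0; fi
    printf '%s\n' "$stray"
    return 1
}

# verify_distinfo DISTINFO DISTDIR
#   Check every declared distfile against its SHA256 and SIZE.
#   Exit status 1 on any missing file or mismatch.
verify_distinfo() {
    rc=0
    for name in $(declared_distfiles "$1"); do
        path="$2/$name"
        want_sum=$(distinfo_field "$1" SHA256 "$name")
        want_size=$(distinfo_field "$1" SIZE "$name")
        if [ ! -f "$path" ]; then echo "MISSING    $name"; rc=1; continue; fi
        if [ "$(sha256_of "$path")" != "$want_sum" ]; then
            echo "BAD SHA256 $name"; rc=1
        fi
        if [ "$(wc -c < "$path" | tr -d ' ')" != "$want_size" ]; then
            echo "BAD SIZE   $name"; rc=1
        fi
    done
    return $rc
}

# make_fixture  ->  prints a temp dir holding distinfo and distfiles/
#   Constructed sample: one declared distfile (placeholder content "hello")
#   and one stray file pulled in by a fetch target outside DISTFILES, the
#   situation the report describes.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/distfiles"
    printf 'hello\n' > "$d/distfiles/sample-1.0.tar.gz"
    printf 'stray\n' > "$d/distfiles/possibly-malicious.html"
    cat > "$d/distinfo" <<'EOF'
TIMESTAMP = 1700000000
SHA256 (sample-1.0.tar.gz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SIZE (sample-1.0.tar.gz) = 6
EOF
    printf '%s\n' "$d"
}

# Demonstration: the fingerprint check alone passes, while the post-fetch
# scan catches the file that was never fingerprinted.
main() {
    fx=$(make_fixture)
    verify_distinfo "$fx/distinfo" "$fx/distfiles" && echo "declared distfiles: OK"
    if undeclared_distfiles "$fx/distinfo" "$fx/distfiles" > "$fx/stray.txt"; then
        echo "no undeclared files in DISTDIR"
    else
        echo "undeclared files in DISTDIR:"; sed 's/^/  /' "$fx/stray.txt"
    fi
    rm -rf "$fx"
}

main
```

Run as `sh distdir-check.sh`: the declared distfile verifies, and possibly-malicious.html is reported because nothing in distinfo vouches for it. In a real build the scan would run against the dedicated DISTDIR between the fetch and extract targets, and a nonzero status would fail the build rather than just print the list.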