Problem with devel/silc-toolkit
Paul Schmehl
pauls at utdallas.edu
Sun Jan 28 02:32:19 UTC 2007
--On January 27, 2007 8:44:41 PM -0500 Wesley Shields <wxs at atarininja.org>
wrote:
> On Sat, Jan 27, 2007 at 06:37:28PM -0600, Paul Schmehl wrote:
>> => MD5 Checksum mismatch for silc-toolkit-1.0.2.tar.bz2.
>> => SHA256 Checksum mismatch for silc-toolkit-1.0.2.tar.bz2.
>
> These are usually because of a re-rolled distfile. If a PR has not been
> submitted already I would verify the contents of the new distfile and
> send-pr an update to take care of it.
>
> Of course, there's always the chance that the distfile was missed in the
> commit but that does not appear to be the case here.
>
Looks like it's more serious than that:
===> Extracting for silc-toolkit-1.0.2
=> MD5 Checksum OK for silc-toolkit-1.0.2.tar.bz2.
=> SHA256 Checksum OK for silc-toolkit-1.0.2.tar.bz2.
===> silc-toolkit-1.0.2 depends on file: /usr/local/bin/perl5.8.8 - found
bzip2: Data integrity error when decompressing.
Input file = /usr/ports/distfiles//silc-toolkit-1.0.2.tar.bz2,
output file = (stdout)
It is possible that the compressed file(s) have become corrupted.
You can use the -tvv option to test integrity of such files.
You can use the `bzip2recover' program to attempt to recover
data from undamaged sections of corrupted files.
silc-toolkit-1.0.2/lib/Makefile.in: (Empty error message)
tar: (Empty error message)
*** Error code 1
Stop in /usr/ports/devel/silc-toolkit.
root at utd59514# bzip2
bzip2 bzip2recover
root at utd59514# bzip2 -tvv
bzip2: I won't read compressed data from a terminal.
bzip2: For help, type: `bzip2 --help'.
root at utd59514# bzip2 -tvv /usr/ports/distfiles/silc-toolkit-
silc-toolkit-0.9.12.tar.bz2 silc-toolkit-1.0.2.tar.bz2
root at utd59514# bzip2 -tvv /usr/ports/distfiles/silc-toolkit-1.0.2.tar.bz2
/usr/ports/distfiles/silc-toolkit-1.0.2.tar.bz2:
[1: huff+mtf rt+rld]
[2: huff+mtf data integrity (CRC) error in data
bzip2recover /usr/ports/distfiles/silc-toolkit-1.0.2.tar.bz2
bzip2recover 1.0.3: extracts blocks from damaged .bz2 files.
bzip2recover: searching for block boundaries ...
block 1 runs from 80 to 0
block 2 runs from 957242 to 0 (incomplete)
bzip2recover: splitting into blocks
writing block 1 to
`/usr/ports/distfiles/rec00001silc-toolkit-1.0.2.tar.bz2' ...
bzip2recover: finished
According to md5:
md5 /usr/ports/distfiles/silc-toolkit-1.0.2.tar.bz2
MD5 (/usr/ports/distfiles/silc-toolkit-1.0.2.tar.bz2) =
c1feaf91c9f789a6414f328502cbba22
According to their website:
869ce01349444a28fbace3c1bfe745ff silc-toolkit-1.0.2.tar.bz2
Looks like the bzipped tarball on their website has been altered -
possibly compromised. I'm cc'ing the port maintainer, but I was unable to
find a security address at SILC to notify them. I'm ccing their abuse and
postmaster addresses.
I would recommend that the port be marked BROKEN until this is resolved.
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
More information about the freebsd-ports
mailing list