Problem with devel/silc-toolkit

Paul Schmehl pauls at
Sun Jan 28 02:32:19 UTC 2007

--On January 27, 2007 8:44:41 PM -0500 Wesley Shields <wxs at> 

> On Sat, Jan 27, 2007 at 06:37:28PM -0600, Paul Schmehl wrote:
>> => MD5 Checksum mismatch for silc-toolkit-1.0.2.tar.bz2.
>> => SHA256 Checksum mismatch for silc-toolkit-1.0.2.tar.bz2.
> These are usually because of a re-rolled distfile.  If a PR has not been
> submitted already I would verify the contents of the new distfile and
> send-pr an update to take care of it.
> Of course, there's always the chance that the distfile was missed in the
> commit but that does not appear to be the case here.
Looks like it's more serious than that:

===>  Extracting for silc-toolkit-1.0.2
=> MD5 Checksum OK for silc-toolkit-1.0.2.tar.bz2.
=> SHA256 Checksum OK for silc-toolkit-1.0.2.tar.bz2.
===>   silc-toolkit-1.0.2 depends on file: /usr/local/bin/perl5.8.8 - found

bzip2: Data integrity error when decompressing.
        Input file = /usr/ports/distfiles//silc-toolkit-1.0.2.tar.bz2, 
output file = (stdout)

It is possible that the compressed file(s) have become corrupted.
You can use the -tvv option to test integrity of such files.

You can use the `bzip2recover' program to attempt to recover
data from undamaged sections of corrupted files.

silc-toolkit-1.0.2/lib/ (Empty error message)
tar: (Empty error message)
*** Error code 1

Stop in /usr/ports/devel/silc-toolkit.
root at utd59514# bzip2
bzip2         bzip2recover
root at utd59514# bzip2 -tvv
bzip2: I won't read compressed data from a terminal.
bzip2: For help, type: `bzip2 --help'.
root at utd59514# bzip2 -tvv /usr/ports/distfiles/silc-toolkit-
silc-toolkit-0.9.12.tar.bz2  silc-toolkit-1.0.2.tar.bz2
root at utd59514# bzip2 -tvv /usr/ports/distfiles/silc-toolkit-1.0.2.tar.bz2
    [1: huff+mtf rt+rld]
    [2: huff+mtf data integrity (CRC) error in data

bzip2recover /usr/ports/distfiles/silc-toolkit-1.0.2.tar.bz2
bzip2recover 1.0.3: extracts blocks from damaged .bz2 files.
bzip2recover: searching for block boundaries ...
   block 1 runs from 80 to 0
   block 2 runs from 957242 to 0 (incomplete)
bzip2recover: splitting into blocks
   writing block 1 to 
`/usr/ports/distfiles/rec00001silc-toolkit-1.0.2.tar.bz2' ...
bzip2recover: finished

According to md5:
md5 /usr/ports/distfiles/silc-toolkit-1.0.2.tar.bz2
MD5 (/usr/ports/distfiles/silc-toolkit-1.0.2.tar.bz2) = 

According to their website:
869ce01349444a28fbace3c1bfe745ff  silc-toolkit-1.0.2.tar.bz2

Looks like the bzipped tarball on their website has been altered - 
possibly compromised.  I'm cc'ing the port maintainer, but I was unable to 
find a security address at SILC to notify them.  I'm ccing their abuse and 
postmaster addresses.

I would recommend that the port be marked BROKEN until this is resolved.

Paul Schmehl (pauls at
Senior Information Security Analyst
The University of Texas at Dallas

More information about the freebsd-ports mailing list