Issue warning and refuse to proceed further if the configured

repository signature_type is unsupported by bootstrap pkg(7). Previously, when signature_type specified an unsupported method, the bootstrap pkg(7) would proceed like when signature_type is "none". MITM attackers may be able to use this vulnerability and bypass validation and install their own versions of pkg(8). At this time, only fingerprint and none are supported by the bootstrap pkg(7). FreeBSD's official pkg(8) repository uses the fingerprint method and is therefore unaffected. Errata candidate. Discussed with: bapt@ Submitted by: Fabian Keil Obtained from: ElectroBSD
2015-08-19 18:24:39 +00:00 · 2015-08-19 18:24:39 +00:00 · 48f9270689
commit 48f9270689
parent 5f5df47af8
1 changed files with 14 additions and 2 deletions
--- a/usr.sbin/pkg/pkg.c
+++ b/usr.sbin/pkg/pkg.c
@ -767,7 +767,13 @@ bootstrap_pkg(bool force)
 		goto fetchfail;

 	if (signature_type != NULL &&
-	    strcasecmp(signature_type, "FINGERPRINTS") == 0) {
+	    strcasecmp(signature_type, "NONE") != 0) {
+		if (strcasecmp(signature_type, "FINGERPRINTS") != 0) {
+			warnx("Signature type %s is not supported for "
+			    "bootstrapping.", signature_type);
+			goto cleanup;
+		}
+
 		snprintf(tmpsig, MAXPATHLEN, "%s/pkg.txz.sig.XXXXXX",
 		    getenv("TMPDIR") ? getenv("TMPDIR") : _PATH_TMP);
 		snprintf(url, MAXPATHLEN, "%s/Latest/pkg.txz.sig",
@ -855,7 +861,13 @@ bootstrap_pkg_local(const char *pkgpath, bool force)
 		goto cleanup;
 	}
 	if (signature_type != NULL &&
-	    strcasecmp(signature_type, "FINGERPRINTS") == 0) {
+	    strcasecmp(signature_type, "NONE") != 0) {
+		if (strcasecmp(signature_type, "FINGERPRINTS") != 0) {
+			warnx("Signature type %s is not supported for "
+			    "bootstrapping.", signature_type);
+			goto cleanup;
+		}
+
 		snprintf(path, sizeof(path), "%s.sig", pkgpath);

 		if ((fd_sig = open(path, O_RDONLY)) == -1) {