tech-pkg archive


Re: Updating distinfo without checking the content



Bernd Ernesti <netbsd%lists.veego.de@localhost> writes:

>> Module Name: pkgsrc
>> Committed By:        ryoon
>> Date:                Sat Mar 15 00:16:03 UTC 2014
>> 
>> Modified Files:
>>      pkgsrc/graphics/dcraw: Makefile distinfo
>> 
>> Log Message:
>> Set DIST_SUBDIR
>> dcraw-9.20.tar.gz in distinfo, on ftp.NetBSD.org, and on MASTER_SITES are
>> different.

> Did you check the difference what changed on the master site?
>
> If not we need to first analyze if there is no issue with the new version
> on the master site. There were in the past code changes in some other
> packages where malicious code was added.

> what do others think about this problem?
>
> Without checking the binary this can be a security issue.

I agree that this is a problem.  But, it's difficult because it's well
known that upstream distributions do not behave properly; many of them
are not packagers and don't understand that it is never ok to replace a
named file with new contents.  In the case of dcraw, one can't even get
old tarballs from the upstream site.

I downloaded the tarball (which matches the checked-in distinfo) and
also the 9.19 tarball (again it matched the old distinfo).  I diffed
them, and while I didn't really study the diff, nothing jumped out at
me.

Further, the 9.20 dcraw.c matches the tip of dcraw.c,v.

So I'm not particularly worried about this case.

However, I don't understand how DIST_SUBDIR=${PKGNAME_NOREV} is helpful,
other than that it used to be empty and now it's not, so the two values
are different.

Also, I think that we should be doing diffs from old to new when this
sort of thing happens to make sure we aren't unwittingly aiding an attack.

I went to look at the distfile on ftp.netbsd.org:pub/pkgsrc/distfiles.
There was a dcraw-9.20.tar.gz that was only 2048 bytes long, and it
matched the first 2048 bytes of the new distfile.  So this sounds
relatively innocuous.  (I have removed the corrupt distfile from
ftp.netbsd.org.)

Attachment: pgprcJLjioiS6.pgp
Description: PGP signature
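The checks this message describes, as an added example that is not code from the thread or from pkgsrc itself: parse the SHA1/RMD160/Size entries in pkgsrc's distinfo format, verify a fetched distfile against them, and, when the checksum does not match, compare the file against a reference copy that does match so a cut-off transfer (the 2048-byte copy on ftp.NetBSD.org above) can be told apart from a distfile whose content actually changed. The distinfo text and the "tarball" bytes are constructed for the demonstration, and only SHA1 and Size are verified (RMD160 is parsed but skipped, since hashlib's ripemd160 depends on the OpenSSL build underneath).

```python
"""Check a fetched distfile against a pkgsrc distinfo and classify a mismatch.

Added example, not pkgsrc code. The distinfo text and the "tarball" bytes
used in demo() are constructed for the demonstration.
"""
import hashlib
import re

# A distinfo entry looks like:  SHA1 (dcraw-9.20.tar.gz) = <hex>
# or:                           Size (dcraw-9.20.tar.gz) = 10240 bytes
# With DIST_SUBDIR set, the name in parentheses carries the subdirectory,
# e.g. dcraw-9.20/dcraw-9.20.tar.gz, so old and new entries never collide.
ENTRY_RE = re.compile(r"^(\w+) \(([^)]+)\) = (\S+)")


def parse_distinfo(text):
    """Return {distfile name: {"SHA1": hex, "RMD160": hex, "Size": int}}."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:  # $NetBSD$ header and blank lines
            continue
        algo, name, value = m.groups()
        rec = entries.setdefault(name, {})
        rec[algo] = int(value) if algo == "Size" else value.lower()
    return entries


def first_difference(a, b, chunk=65536):
    """Offset of the first byte where a and b differ, or None when one is a
    prefix of the other. Chunks are compared first so large files stay fast."""
    n = min(len(a), len(b))
    for start in range(0, n, chunk):
        end = min(start + chunk, n)
        if a[start:end] != b[start:end]:
            for i in range(start, end):
                if a[i] != b[i]:
                    return i
    return None


def check_distfile(data, name, entries, reference=None):
    """Classify fetched bytes against distinfo.

    Only SHA1 and Size are verified; RMD160 entries are parsed but skipped
    because hashlib's ripemd160 availability depends on the OpenSSL build.
    `reference`, if given, must be a copy that itself matches distinfo.

    Returns (status, detail):
      ("ok", None)         SHA1 and Size both match distinfo
      ("unlisted", None)   no entry for this name
      ("truncated", n)     data is an n-byte prefix of the longer reference
      ("modified", off)    content differs from the reference, first at off
      ("mismatch", None)   checksum wrong and no reference copy to compare
    """
    rec = entries.get(name)
    if rec is None:
        return ("unlisted", None)
    sha1 = hashlib.sha1(data).hexdigest()
    if sha1 == rec.get("SHA1") and len(data) == rec.get("Size"):
        return ("ok", None)
    if reference is None:
        return ("mismatch", None)
    off = first_difference(data, reference)
    if off is None and len(data) < len(reference):
        # Every byte present matches the reference: a cut-off transfer or
        # mirror copy, not different upstream content.
        return ("truncated", len(data))
    if off is None:
        off = len(reference)  # reference is a prefix of data: bytes appended
    return ("modified", off)


def demo():
    """Run the cases from the thread against a constructed distfile."""
    name = "dcraw-9.20.tar.gz"
    good = bytes(range(256)) * 40  # constructed 10240-byte "tarball"
    distinfo = (
        "$NetBSD$\n"
        "\n"
        f"SHA1 ({name}) = {hashlib.sha1(good).hexdigest()}\n"
        f"Size ({name}) = {len(good)} bytes\n"
    )
    entries = parse_distinfo(distinfo)
    cases = {
        "good": good,                                  # what the mirror should hold
        "cut": good[:2048],                            # the 2048-byte copy in the thread
        "tampered": good[:5000] + b"X" + good[5001:],  # same size, one byte changed
    }
    return {label: check_distfile(blob, name, entries, reference=good)
            for label, blob in cases.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

A "truncated" result is the benign outcome the message arrives at by hand; a "modified" result is the case where the next step is to unpack both tarballs, run diff -ru over the trees, and read the diff before updating distinfo, since a changed checksum on a file of the same name is exactly what a tampered upstream or mirror looks like.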


