From jmr at macports.org Sat Dec 28 16:00:58 2024
From: jmr at macports.org (Joshua Root)
Date: Sun, 29 Dec 2024 03:00:58 +1100
Subject: [MacPorts-announce] Security issue in MacPorts 2.10.4 and older
Message-ID: <0d812a1d-199c-4779-99c6-dc3fc186e2e9@macports.org>

MacPorts versions 2.10.4 and older contain a vulnerability that can allow a compromised rsync mirror to add Portfiles to the synced ports tree, thus allowing arbitrary code to be executed when those Portfiles are parsed. (Note that we currently have no reason to believe that any of our mirrors have been compromised.)

The fix [1] for this issue is included in versions 2.10.5 and later. We recommend that all users running an affected version upgrade as soon as possible.

Full details are available at [2].

Thanks to Simon Scannell of Google's Cloud Vulnerability Research team for discovering and analysing the issue.

Josh
(on behalf of the MacPorts Port Managers)

[1]
[2]