[MacPorts] #51886: nmap @7.12 Minor portfile fixes
MacPorts
noreply at macports.org
Thu Jul 21 10:25:39 PDT 2016
#51886: nmap @7.12 Minor portfile fixes
--------------------------+------------------------------
Reporter: gavin@… | Owner: opendarwin.org@…
Type: enhancement | Status: new
Priority: Normal | Milestone:
Component: ports | Version:
Resolution: | Keywords: haspatch
Port: nmap |
--------------------------+------------------------------
Comment (by gavin@…):
Replying to [comment:4 dluke@…]:
> Replying to [comment:3 gavin@…]:
> > Not sure what you mean regarding upstream releases but I'll take your
> > word for it.
>
> If upstream provides an md5 or sha1 hash, it's useful to be able to have
> the same hash in the portfile.
>
Got it.
> > I was just imagining a scenario where malicious code could be
> > introduced into the source taking advantage of the known hash collisions
> > but still making the checksum valid. I realise there's a number of very
> > specific conditions which would also need to be set up to make the scenario
> > actually exploitable but I just figured for a security related tool like
> > this, if possible, it would be better than not to deprecate these HMACs.
>
> MacPorts validates the distfile against all of the hashes in the
> portfile. For that attack to work, you'd have to generate a malicious file
> that collides with each hash listed (having a weak hash like md5 or sha1
> doesn't stop MacPorts from using the sha256 checksum).
Ah there be my incorrect assumption. I thought checksumming was an 'OR'.
Thanks for clarifying.
--
Ticket URL: <https://trac.macports.org/ticket/51886#comment:5>
MacPorts <https://www.macports.org/>
Ports system for OS X
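
The 'AND' versus 'OR' point from this thread, as an added example that is not part of the original message and is not MacPorts code: a verifier that requires every pinned checksum to match, beside one that accepts any single match. The file contents are constructed, and the weak-hash match is simulated by overwriting digest values rather than by computing a collision; all function names are hypothetical.

```python
import hashlib
import hmac

def digest_all(data: bytes, algorithms) -> dict:
    """Compute every requested digest over the same bytes."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}

def mismatches(actual: dict, pinned: dict) -> list:
    """Names of pinned algorithms whose digest is missing or differs."""
    return [alg for alg, want in pinned.items()
            if not hmac.compare_digest(actual.get(alg, ""), want.lower())]

def verify_all(actual: dict, pinned: dict) -> bool:
    """AND semantics: reject unless every pinned checksum matches."""
    if not pinned:
        raise ValueError("no checksums pinned")
    return not mismatches(actual, pinned)

def verify_any(actual: dict, pinned: dict) -> bool:
    """OR semantics (the mistaken assumption): one match is enough."""
    if not pinned:
        raise ValueError("no checksums pinned")
    return len(mismatches(actual, pinned)) < len(pinned)

# Constructed sample data, not a real distfile.
ALGS = ("md5", "sha1", "sha256")
ORIGINAL = b"constructed distfile contents v1\n"
TAMPERED = b"constructed distfile contents v1 + extra payload\n"
PINNED = digest_all(ORIGINAL, ALGS)  # what the port would list

def simulate_weak_collision(weak=("md5", "sha1")) -> dict:
    """Digests of TAMPERED, with the weak ones overwritten to equal the
    pinned values. This stands in for a collision; none is computed."""
    actual = digest_all(TAMPERED, ALGS)
    for alg in weak:
        actual[alg] = PINNED[alg]
    return actual

if __name__ == "__main__":
    forged = simulate_weak_collision()
    print("original, AND:", verify_all(digest_all(ORIGINAL, ALGS), PINNED))
    print("forged,   OR :", verify_any(forged, PINNED))
    print("forged,   AND:", verify_all(forged, PINNED), mismatches(forged, PINNED))
```

Under AND semantics the forged file is still rejected because sha256 differs, so listing md5 or sha1 alongside it does not weaken the check.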