Security issue in MacPorts 2.10.4 and older
Joshua Root
jmr at macports.org
Sat Dec 28 16:00:58 UTC 2024
MacPorts versions 2.10.4 and older contain a vulnerability that can
allow a compromised rsync mirror to add Portfiles to the synced ports
tree, thus allowing arbitrary code to be executed when those Portfiles
are parsed. (Note that we currently have no reason to believe that any
of our mirrors have been compromised.)
The fix [1] for this issue is included in versions 2.10.5 and later. We
recommend that all users running an affected version upgrade as soon as
possible.
Full details are available at [2]. Thanks to Simon Scannell of Google's
Cloud Vulnerability Research team for discovering and analysing the issue.
Josh
(on behalf of the MacPorts Port Managers)
[1] <https://github.com/macports/macports-base/commit/906525fab1d57bb7b76729b83ef73b48b335656b>
[2] <https://github.com/google/security-research/security/advisories/GHSA-2j38-pjh8-wfxw>