I’m going to start investigating fixes tonight for HardenedBSD. It seems more than just portsnap and freebsd-update would be affected (anything that uses libarchive. hint: the ports extract target). So any FreeBSD box that handles tarballs obtained through (now untrusted) third parties.
On a slightly unrelated note but still worthy of a mention, downloading tarballs through HTTPS wouldn’t help, either. The problem’s not the transport layer, but the file itself. If the server hosting the content is compromised, it could serve up malicious tarballs.
I’m going to start investigating fixes tonight for HardenedBSD. It seems more than just portsnap and freebsd-update would be affected (anything that uses libarchive. hint: the ports extract target). So any FreeBSD box that handles tarballs obtained through (now untrusted) third parties.
On a slightly unrelated note but still worthy of a mention, downloading tarballs through HTTPS wouldn’t help, either. The problem’s not the transport layer, but the file itself. If the server hosting the content is compromised, it could serve up malicious tarballs.
I wonder if DragonFlyBSD is affected as well.
DragonFly doesn’t use portsnap (well, you probably can, but you’d have to add it yourself), so that immediate avenue is closed.
I don’t know if pkg checks the downloaded, unextracted file, but that would be safer, too.
If someone’s downloading a compromised file that also has the correct checksum, well… not much you can do about it on the client side at that point.