author     Mathieu Arnold <mat@FreeBSD.org>  2019-08-13 10:31:18 +0000
committer  Mathieu Arnold <mat@FreeBSD.org>  2019-08-13 10:31:18 +0000
commit     13a7d55681829f5213a8606283ec51633f3c7583 (patch)
tree       654bf4f2860fbda0d512c7bcadff48f4a6c1d700
parent     Make fetchable again. The distfile was rerolled a week after initial (diff)
Force ports depending on a fetch target to actually run checksum.

This prevents an improbable MITM attack on dependencies where the target is "fetch" and the port is built manually. (Which means a port depends on a dependency being fetched, but not built or anything else.) In this case, as the target is only "fetch", the distribution files of the dependency are not checked against the dependency's distinfo file. One could, in theory, impersonate the dependency's master site and provide a malicious distribution file.

The ports that could in theory be affected are russian/gd, ukrainian/gd, and ukrainian/webalizer. They are only affected when building manually, as when building with poudriere, the *-depends targets do not have network access, and the build would fail if the distribution files are not already present. (From the dependencies being built normally, where checksum would have run.)

The detail is described here: https://www.reddit.com/r/BSD/comments/br62hm/freebsd_cryptographic_bypass_and_mitmbased/

Reported by:	emaste (on IRC)
Reviewed by:	swills emaste antoine
MFH:		2019Q3
Differential Revision:	https://reviews.freebsd.org/D21230
Notes: svn path=/head/; revision=508819
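The commit message turns on the distinction between the ports "fetch" target, which only downloads a distfile, and the "checksum" target, which additionally compares the file's SHA256 and SIZE against the port's distinfo. The following is an added example, not code from the FreeBSD ports tree: a small POSIX sh verifier in the spirit of that checksum step, run against a constructed distinfo and a constructed distfile (the file name, the TIMESTAMP value and the file contents are made up for the demo). The second half of the demo overwrites the distfile with different bytes of the same length, which is the case a size check alone would miss and the hash check catches.

```shell
#!/bin/sh
# Added example (not part of the FreeBSD ports framework): verify a distfile
# against distinfo-style "SHA256 (name) = ..." and "SIZE (name) = ..." lines,
# which is the check a bare "fetch" target skips and "checksum" performs.

# file_sha256 FILE: hex SHA256, portable across sha256sum (Linux) and sha256 (FreeBSD).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# file_size FILE: byte count, stripped of the padding some wc implementations print.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# verify_distfile DISTINFO DISTDIR NAME
# Returns 0 only when DISTINFO has both a SHA256 and a SIZE entry for NAME and
# both match the file DISTDIR/NAME; returns 1 for a missing file, a missing
# entry, a size mismatch or a hash mismatch.
verify_distfile() {
    distinfo=$1; distdir=$2; name=$3
    f="${distdir}/${name}"
    [ -f "$f" ] || { echo "${name}: missing" >&2; return 1; }
    # grep -F so that dots in the distfile name are matched literally.
    want_hash=$(grep -F "SHA256 (${name}) = " "$distinfo" | head -n 1 | sed 's/^[^=]*= //')
    want_size=$(grep -F "SIZE (${name}) = " "$distinfo" | head -n 1 | sed 's/^[^=]*= //')
    if [ -z "$want_hash" ] || [ -z "$want_size" ]; then
        echo "${name}: no distinfo entry" >&2; return 1
    fi
    [ "$(file_size "$f")" = "$want_size" ] || { echo "${name}: size mismatch" >&2; return 1; }
    [ "$(file_sha256 "$f")" = "$want_hash" ] || { echo "${name}: checksum mismatch" >&2; return 1; }
    echo "${name}: OK"
}

# demo: build a distinfo from a constructed "genuine" distfile, confirm it
# verifies, then replace the distfile with same-length different bytes (the
# impersonated-master-site case) and confirm verification now fails.
# Returns 0 when both outcomes are as expected.
demo() {
    tmp=$(mktemp -d) || return 1
    name="dep-1.0.tar.gz"                      # constructed distfile name
    printf 'genuine upstream tarball bytes\n' > "${tmp}/${name}"
    {
        echo "TIMESTAMP = 1565692278"          # constructed value
        echo "SHA256 (${name}) = $(file_sha256 "${tmp}/${name}")"
        echo "SIZE (${name}) = $(file_size "${tmp}/${name}")"
    } > "${tmp}/distinfo"
    if verify_distfile "${tmp}/distinfo" "$tmp" "$name"; then good=0; else good=1; fi
    # Same length as the genuine content, so only the hash can tell them apart.
    printf 'MALWARE upstream tarball bytes\n' > "${tmp}/${name}"
    if verify_distfile "${tmp}/distinfo" "$tmp" "$name"; then bad=0; else bad=1; fi
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo && echo "demo: genuine file accepted, tampered file rejected"
```

The verifier deliberately requires both entries to be present: a distinfo with a SIZE line but no SHA256 line is treated as a failure rather than a pass, which mirrors the commit's point that skipping the hash comparison is what leaves the fetch-only path exposed.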
-rw-r--r--  Mk/Scripts/do-depends.sh  8
1 file changed, 7 insertions, 1 deletion
diff --git a/Mk/Scripts/do-depends.sh b/Mk/Scripts/do-depends.sh
index 5469bff33337..163570052a54 100644
--- a/Mk/Scripts/do-depends.sh
+++ b/Mk/Scripts/do-depends.sh
@@ -138,7 +138,13 @@ for _line in ${dp_RAWDEPENDS} ; do
depends_args="${dp_DEPENDS_ARGS}"
target=${dp_DEPENDS_TARGET}
if [ -n "${last}" ]; then
- target=${last}
+ # In case we depend on the fetch stage, actually run checksum,
+ # this prevent a MITM attack.
+ if [ "${last}" = "fetch" ]; then
+ target=checksum
+ else
+ target=${last}
+ fi
if [ -n "${dp_DEPENDS_PRECLEAN}" ]; then
target="clean ${target}"
depends_args="${depends_args:+${depends_args} }NOCLEANDEPENDS=yes"
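Review bot: the new fetch-to-checksum substitution only runs inside the `if [ -n "${last}" ]` branch, i.e. when the dependency spec itself names a target; the default assignment `target=${dp_DEPENDS_TARGET}` two lines above is untouched, so a target that arrives through `dp_DEPENDS_TARGET` rather than the spec would still be passed through as plain `fetch` if that variable were ever set to `fetch`. If that path is out of scope here, a one-line comment saying so would save the next reader the question; otherwise consider applying the mapping to `${target}` after the `fi`, so it covers both sources. Minor: the new comment should read "this prevents a MITM attack".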