From: core-secretary@freebsd.org
To: freebsd-announce@freebsd.org
Date: Wed, 10 Aug 2016 12:58:13 +0100
Reply-To: core@freebsd.org
Subject: [FreeBSD-Announce] FreeBSD Core statement on recent freebsd-update and related vulnerabilities

Dear FreeBSD Community:

The FreeBSD Core team and FreeBSD Security team would like to update the community on the reports of security vulnerabilities in freebsd-update, portsnap, libarchive, and bspatch. We understand the severity of this issue, and are actively working to resolve the issues and improve the security of FreeBSD.

A recent post[1] to the freebsd-security@ list raised a number of questions[2] and we would like to address those.

1. Since there are known vulnerabilities in freebsd-update and portsnap, why has there been no notification to the community from secteam@?

As a general rule, the FreeBSD Security Officer does not announce vulnerabilities for which there is no released patch. We are reviewing this policy for cases where a proof-of-concept or working exploit is already public.

2. Why was there no mention of the fact that running freebsd-update to install the fix for the bspatch advisory [SA-16:25] may actually expose users to the vulnerability?

To be exposed, a user would need to be under an active Man-In-The-Middle attack when fetching patches. The Security Advisory did not contain information on the theoretical implications of the vulnerability. A more explicit paragraph in the 'Impact' statement may have been warranted. As always, instructions on how to compile the patched bspatch manually rather than using freebsd-update were provided as part of the advisory.

3. The patch included in SA-16:25 is incomplete, and may still permit heap corruption. The patch included in the document dump is more complete. Why only a partial fix?

After discussion with the author of bspatch (Colin Percival, a former FreeBSD Security Officer himself), the FreeBSD Security Team found that the proposed patch added restrictions that may break (legitimate) functionality in bspatch, possibly preventing some valid patch files from being accepted. While a full fix is being developed, the shorter patch which resolves the main vulnerability was immediately released. This resolves the most critical issue in the report. This smaller patch is safe, in that it does not risk breaking bspatch while still resolving the attack vector of the provided exploit code. The larger patch is still under development and will be released once all of the issues have been addressed. Automated fuzz testing is underway to search for any additional memory corruption bugs.

Great care must be taken when updating the binary upgrade utility, since a broken updater is much more difficult to fix after the fact. There are delicate interactions between the components that must be thoroughly tested before the patch is released.

As yet, patches for the libarchive vulnerabilities have not been released upstream to be pulled into FreeBSD. In the meantime, HardenedBSD has created patches for some of the libarchive vulnerabilities: the first[3] is being considered for inclusion in FreeBSD, at least until a complete fix is committed upstream, but the second[4] is considered too brute-force and will not be committed as-is. Once the patches are in FreeBSD and updated binaries are available, a Security Advisory will be issued.

The Security team is working on redesigning freebsd-update and portsnap to do signature verification on all downloaded files before they are processed by libarchive/tar, bspatch, or any other utilities. However, this change requires modifying the metadata format used in the utilities, and care must be taken to preserve compatibility with the existing clients, so that the existing clients can be used to install the future updates. Users will of course have the option to build/apply the patches themselves if they do not feel comfortable using freebsd-update to do so.

The security team is working diligently to resolve the issues and provide timely, correct fixes for all known issues. Please subscribe to the freebsd-security-notifications@ mailing list to receive notifications of any future Security Advisories.
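The verify-before-process ordering described above, as an added example that is not FreeBSD's own code: a POSIX sh wrapper that hands a downloaded patch to bspatch only after its SHA-256 matches a manifest entry, so an attacker-modified file never reaches the patch parser. It assumes the manifest (lines of "sha256hex filename") has already been signature-checked by the caller, uses sha256sum(1) from coreutils (FreeBSD ships sha256(1) instead), and takes the patch tool from a hypothetical PATCH_TOOL variable so the check can be exercised without bspatch installed.

```shell
#!/bin/sh
# Added example, not the freebsd-update script. Apply a downloaded binary
# patch only after its digest matches a manifest that the caller has
# already verified a signature over. The manifest format and the
# PATCH_TOOL override are assumptions made for this illustration.

set -u

# manifest_digest MANIFEST NAME -> prints the expected sha256 for NAME
manifest_digest() {
    awk -v f="$2" '$2 == f { print $1; exit }' "$1"
}

# file_digest FILE -> prints the actual sha256 of FILE
file_digest() {
    sha256sum "$1" | awk '{ print $1 }'
}

# verified_apply MANIFEST PATCH OLD NEW
# Runs the patch tool (bspatch OLD NEW PATCH) and returns its status only
# when PATCH's digest matches the manifest; otherwise returns 1 without
# ever passing the untrusted bytes to the patch tool.
verified_apply() {
    manifest=$1 patch=$2 old=$3 new=$4
    expected=$(manifest_digest "$manifest" "$(basename "$patch")")
    if [ -z "$expected" ]; then
        echo "no manifest entry for $patch" >&2
        return 1
    fi
    actual=$(file_digest "$patch")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $patch; refusing to run ${PATCH_TOOL:-bspatch}" >&2
        return 1
    fi
    "${PATCH_TOOL:-bspatch}" "$old" "$new" "$patch"
}
```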
[1] https://lists.freebsd.org/pipermail/freebsd-security/2016-July/009016.html
[2] https://lists.freebsd.org/pipermail/freebsd-security/2016-July/009019.html
[3] https://github.com/HardenedBSD/hardenedBSD/commit/acc5eaecbe4970cfb96d9549fe7dc8ceb4676557
[4] https://github.com/HardenedBSD/hardenedBSD/commit/6a6ac73ae630927b2dd996df3cd85c8c612c459c