From owner-freebsd-security@freebsd.org Tue Aug 9 20:10:16 2016
Date: Tue, 9 Aug 2016 13:07:37 -0700 (PDT)
From: Roger Marquis
To: Martin Schroeder
cc: freebsd-security@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: freebsd-update and portsnap users still at risk of compromise

Timely update via Hackernews:

Note in particular:

"FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
and libarchive vulnerabilities."

Not sure why the portsec team has not commented or published an advisory
(possibly because the freebsd list spam filters are so bad that
subscriptions are being blocked) but from where I sit it seems that
those exposed should consider:

  cd /usr/ports
  svn{lite} co https://svn.FreeBSD.org/ports/head /usr/ports
  make index
  rm -rf /usr/sbin/portsnap /var/db/portsnap/*

I'd also be interested in hearing from hardenedbsd users regarding the
pros and cons of cutting over to that distribution.

Roger

> On 2016-07-29 09:00, Julian Elischer wrote:
>>
>> not sure if you've been contacted privately, but I believe the answer is
>> "we're working on it"
>
> My concerns are as follows:
>
> 1. This is already out there, and FreeBSD users haven't been alerted that
> they should avoid running freebsd-update/portsnap until the problems are
> fixed.
>
> 2. There was no mention in the bspatch advisory that running
> freebsd-update to "fix" bspatch would expose systems to MITM attackers who
> are apparently already in operation.
>
> 3. Strangely, the "fix" in the advisory is incomplete and still permits
> heap corruption, even though a more complete fix is available. That's
> what prompted my post. If FreeBSD learned of the problem from the same
> source document we all did, which seems likely given the coincidental
> timing of an advisory for a little-known utility a week or two after that
> source document appeared, then surely FreeBSD had the complete fix
> available.

From owner-freebsd-security@freebsd.org Tue Aug 9 20:21:24 2016
From: Matthew Donovan
Date: Tue, 9 Aug 2016 15:21:23 -0500
Subject: Re: freebsd-update and portsnap users still at risk of compromise
To: Roger Marquis
Cc: freebsd-ports, freebsd-security, Martin Schroeder

You mean operating system as distribution is a Linux term. There's not much
different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
vulnerabilities and has an excellent ASLR system compared to the proposed
one for FreeBSD.

From owner-freebsd-security@freebsd.org Wed Aug 10 04:28:20 2016
Date: Wed, 10 Aug 2016 14:28:14 +1000 (EST)
From: Ian Smith
To: freebsd-security@freebsd.org
Subject: Census: How the Government says the website meltdown unfolded

Perhaps of interest to some:

http://www.abc.net.au/news/2016-08-10/census-night-how-the-shambles-unfolded/7712964

cheers, Ian

From owner-freebsd-security@freebsd.org Wed Aug 10 08:50:40 2016
From: Big Lebowski
Date: Wed, 10 Aug 2016 09:50:37 +0100
Subject: Re: freebsd-update and portsnap users still at risk of compromise
To: Matthew Donovan
Cc: Roger Marquis, freebsd-security, freebsd-ports, Martin Schroeder

On Tue, Aug 9, 2016 at 9:21 PM, Matthew Donovan wrote:

> You mean operating system as distribution is a Linux term. There's not much
> different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
> vulnerabilities and has an excellent ASLR system compared to the proposed
> one for FreeBSD.
>

And what are your sources on which you're formulating this statement? What
is the HBSD authors' security, or even general coding, track record? How
well are they known for their code, whitepapers, implementations? I'd say,
not at all. You can have the example of their 'ASLR' code quality in the
FreeBSD reviews system, where known and respected coders point out very
basic and critical code mistakes, where well known and respected system
designers point out flaws in their lack of design, so on and so forth.
The only thing that's excellent about them is how they spread this opinion
about their code to other people, including you ;)

I'd much rather take my bet with kib's implementation knowing who he is and
how long and how well he does what he does (that is, quality code for
FreeBSD) than untested, un-designed, self-proclaimed code from a relatively
young, inexperienced and unknown person, that's not willing to take advice
on fixing their code, when given so.

With all due respect :)

From owner-freebsd-security@freebsd.org Wed Aug 10 09:20:46 2016
Subject: Re: freebsd-update and portsnap users still at risk of compromise
From: Franco Fichtner
Date: Wed, 10 Aug 2016 10:55:42 +0200
Cc: Matthew Donovan, freebsd-security, Roger Marquis, freebsd-ports, Martin Schroeder
To: Big Lebowski

> On 10 Aug 2016, at 10:50 AM, Big Lebowski wrote:
>
> With all due respect :)

Not really. Feel free to try again.

From owner-freebsd-security@freebsd.org Wed Aug 10 11:41:18 2016
Date: Wed, 10 Aug 2016 07:41:13 -0400
From: Shawn Webb
To: Big Lebowski
Cc: Matthew Donovan, freebsd-security, Roger Marquis, freebsd-ports, Martin Schroeder
Subject: Re: freebsd-update and portsnap users still at risk of compromise

On Wed, Aug 10, 2016 at 09:50:37AM +0100, Big Lebowski wrote:
> On Tue, Aug 9, 2016 at 9:21 PM, Matthew Donovan wrote:
>
> > You mean operating system as distribution is a Linux term. There's not much
> > different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
> > vulnerabilities and has an excellent ASLR system compared to the proposed
> > one for FreeBSD.
> >
>
> And what are your sources on which you're formulating this statement? What
> is the HBSD authors' security, or even general coding, track record? How
> well are they known for their code, whitepapers, implementations? I'd say,
> not at all. You can have the example of their 'ASLR' code quality in the
> FreeBSD reviews system, where known and respected coders point out very
> basic and critical code mistakes, where well known and respected system
> designers point out flaws in their lack of design, so on and so forth. The
> only thing that's excellent about them is how they spread this opinion
> about their code to other people, including you ;)
>
> I'd much rather take my bet with kib's implementation knowing who he is and
> how long and how well he does what he does (that is, quality code for
> FreeBSD) than untested, un-designed, self-proclaimed code from a relatively
> young, inexperienced and unknown person, that's not willing to take advice
> on fixing their code, when given so.
>
> With all due respect :)

Hey there,

ASLR shouldn't be part of the discussion revolving around the
freebsd-update, portsnap, libarchive, and bspatch vulnerabilities. ASLR
won't even help with these vulnerabilities in particular as they are logic
vulnerabilities. ASLR helps make more difficult the successful
exploitation of buffer overflows, format string vulnerabilities, etc.

In HardenedBSD, we've fixed the two libarchive vulnerabilities that
FreeBSD is vulnerable to. But the fixes are only band-aids until FreeBSD
publishes their fixes, which they are planning to do before
11.0-RELEASE goes out the door.

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE

From owner-freebsd-security@freebsd.org Wed Aug 10 13:34:10 2016
Date: Wed, 10 Aug 2016 14:34:03 +0100
From: RW
To: freebsd-security@freebsd.org
Subject: Re: freebsd-update and portsnap users still at risk of compromise

On Fri, 29 Jul 2016 03:49:39 +0000
Martin Schroeder wrote:

> I've been analyzing the document extensively since then. The targets
> are as follows:
>
> [1] portsnap via portsnap vulnerabilities
> [2] portsnap via libarchive & tar anti-sandboxing vulnerabilities
> [3] portsnap via bspatch vulnerabilities

I only had a quick look so I might have missed something - am I right
in thinking that all the portsnap attacks rely on an attacker
substituting the initial tarball?

If so then fixing this doesn't really affect existing users in the
short term. Either you're already compromised, or your snapshot will
remain secure until you manually delete it.

From owner-freebsd-security@freebsd.org Wed Aug 10 17:43:22 2016
From: Mail Lists
To: Matthew Donovan
Cc: freebsd-security, freebsd-ports, Martin Schroeder, Roger Marquis
Subject: Re[2]: freebsd-update and portsnap users still at risk of compromise
Date: Wed, 10 Aug 2016 20:11:44 +0300
Reply-To: Mail Lists
Content-Transfer-Encoding: base64

From owner-freebsd-security@freebsd.org Wed Aug 10 17:45:10 2016
b=MIrO+9kSkpKphfog8fj0AZwYP7ZHFKEivhiEw8QUyENn9IEWKNmGPgBhLrYLGrUwDtPcmD+hEkKTY2HbfC3ItOjFkiBZtqJ/xaLSCajE8uOuzSGzdWpmY9Jg/O0n+lDb8H83reo04FEJWp+jMNwO67EmxbUTDeTgP12oNSx21jE=; Received: from [95.211.187.223] (ident=mail) by f224.i.mail.ru with local (envelope-from ) id 1bXX40-0006WX-DK; Wed, 10 Aug 2016 20:13:08 +0300 Received: from [95.211.187.223] by e.mail.ru with HTTP; Wed, 10 Aug 2016 20:13:08 +0300 From: =?UTF-8?B?TWFpbCBMaXN0cw==?= To: =?UTF-8?B?TWF0dGhldyBEb25vdmFu?= Cc: =?UTF-8?B?ZnJlZWJzZC1zZWN1cml0eQ==?= , =?UTF-8?B?ZnJlZWJzZC1wb3J0cw==?= , =?UTF-8?B?TWFydGluIFNjaHJvZWRlcg==?= , =?UTF-8?B?Um9nZXIgTWFycXVpcw==?= Subject: =?UTF-8?B?UmVbMl06IGZyZWVic2QtdXBkYXRlIGFuZCBwb3J0c25hcCB1c2VycyBzdGls?= =?UTF-8?B?bCBhdCByaXNrIG9mIGNvbXByb21pc2U=?= MIME-Version: 1.0 X-Mailer: Mail.Ru Mailer 1.0 X-Originating-IP: [95.211.187.223] Date: Wed, 10 Aug 2016 20:13:08 +0300 Reply-To: =?UTF-8?B?TWFpbCBMaXN0cw==?= X-Priority: 3 (Normal) Message-ID: <1470849188.118255416@f224.i.mail.ru> X-Mailru-Sender: 3FB1AED2AC05ACBA0275C04C13CD6A90EAD002F773A62F64850760CFDB48601599E87DAB0F1086214C6784DEA8096F07 X-Mras: OK X-Spam: undefined In-Reply-To: References: <6bd80e384e443e5de73fb951e973b221@vfemail.net> <57aa38bc.c505420a.7a6a0.bda8SMTPIN_ADDED_MISSING@mx.google.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: base64 X-Content-Filtered-By: Mailman/MimeDel 2.1.22 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Aug 2016 17:45:10 -0000 CgoKc29ycnkgYnV0IHRoaXMgaXMgYnVsbHNoaXQgYW5kIGRvZXMgbm90IGNvbWUgZXZlbiBuZWFy IHRvIGFuc3dlcmluZyB0aGUgcmVhbCBwcm9ibGVtOgoKSXQgYXBwZWFycyB0aGF0IGZyZWVic2Qg YW5kIHRoZSBVUy1nb3Zlcm5tZW50IGlzIG1vcmUgY29ubmVjdGVkIHRoYXQgc29tZSBvZiB1cyBt aWdodCBsaWtlOgoKTm90IHB1Ymxpc2hpbmcgc2VjdXJpdHkgaXNzdWVzIGNvbmNlcm5pbmcgdXBk 
YXRlIG1lY2hhbmlzbXMgLSB3ZSBhbGwgY2FuIHRoaW5rIFdIWSBmcmVlYnNkIGlzIG5vdCBlYWdl ciBvbiB0aGlzIG9uZS4uLi4uLi4uCgpkb24ndCB0cnVzdCBhbnlvbmUuLgoKSnVzdCBteSB0aG91 Z2h0cy4uLgoKCgo+VHVlc2RheSwgQXVndXN0ICA5LCAyMDE2IDg6MjEgUE0gVVRDIGZyb20gTWF0 dGhldyBEb25vdmFuIDxraXRjaGVAa2l0Y2hldGVjaC5jb20+Ogo+Cj5Zb3UgbWVhbiBvcGVyYXRp bmcgc3lzdGVtIGFzIGRpc3RyaWJ1dGlvbiBpcyBhIExpbnV4IHRlcm0uIFRoZXJlJ3Mgbm90IG11 Y2gKPmRpZmZlcmVudCBiZXR3ZWVuIEhBUkRFTkVEQlNEIGFuZCBGcmVlQlNEIGJlc2lkZXMgdGhh dCBIYXJkZW5lZEJTRCBmaXhlcwo+dnVsbmVyYWJpbGl0aWVzIGFuZCBoYXMgYSBhbiBleGNlbGxl bnQgQVNMUiBzeXN0ZW0gY29tcGFyZWQgdG8gdGhlIHByb3Bvc2VkCj5vbmUgZm9yIEZyZWVCU0Qu Cj4KPk9uIEF1ZyA5LCAyMDE2IDM6MTAgUE0sICJSb2dlciBNYXJxdWlzIiA8IG1hcnF1aXNAcm9i bGUuY29tID4gd3JvdGU6Cj4KPj4gVGltZWx5IHVwZGF0ZSB2aWEgSGFja2VybmV3czoKPj4KPj4g IDxoYXJkZW5lZGJzZC5vcmcvYXJ0aWNsZS9zaGF3bi13ZWJiLzIwMTYtMDgtMDcvdnVsbmVyYWJp bGl0Cj4+IHktdXBkYXRlLWxpYmFyY2hpdmU+Cj4+Cj4+IE5vdGUgaW4gcGFydGljdWxhcjoKPj4K Pj4gICJGcmVlQlNEIGlzIHN0aWxsIHZ1bG5lcmFibGUgdG8gdGhlIHBvcnRzbmFwLCBmcmVlYnNk LXVwZGF0ZSwgYnNwYXRjaCwKPj4gIGFuZCBsaWJhcmNoaXZlIHZ1bG5lcmFiaWxpdGllcy4iCj4+ Cj4+IE5vdCBzdXJlIHdoeSB0aGUgcG9ydHNlYyB0ZWFtIGhhcyBub3QgY29tbWVudGVkIG9yIHB1 Ymxpc2hlZCBhbiBhZHZpc29yeQo+PiAocG9zc2libHkgYmVjYXVzZSB0aGUgZnJlZWJzZCBsaXN0 IHNwYW0gZmlsdGVycyBhcmUgc28gYmFkIHRoYXQKPj4gc3Vic2NyaXB0aW9ucyBhcmUgYmVpbmcg YmxvY2tlZCkgYnV0IGZyb20gd2hlcmUgSSBzaXQgaXQgc2VlbXMgdGhhdAo+PiB0aG9zZSBleHBv c2VkIHNob3VsZCBjb25zaWRlcjoKPj4KPj4gIGNkIC91c3IvcG9ydHMKPj4gIHN2bntsaXRlfSBj byAgaHR0cHM6Ly9zdm4uRnJlZUJTRC5vcmcvcG9ydHMvaGVhZCAvdXNyL3BvcnRzCj4+ICBtYWtl IGluZGV4Cj4+ICBybSAtcmYgL3Vzci9zYmluL3BvcnRzbmFwIC92YXIvZGIvcG9ydHNuYXAvKgo+ Pgo+PiBJJ2QgYWxzbyBiZSBpbnRlcmVzdGVkIGluIGhlYXJpbmcgZnJvbSBoYXJkZW5lZGJzZCB1 c2VycyByZWdhcmRpbmcgdGhlCj4+IHByb3MgYW5kIGNvbnMgb2YgY3V0dGluZyBvdmVyIHRvIHRo YXQgZGlzdHJpYnV0aW9uLgo+Pgo+PiBSb2dlcgo+Pgo+Pgo+Pgo+PiBPbiAyMDE2LTA3LTI5IDA5 OjAwLCBKdWxpYW4gRWxpc2NoZXIgd3JvdGU6Cj4+Pgo+Pj4+Cj4+Pj4gbm90IHN1cmUgaWYgeW91 
J3ZlIGJlZW4gY29udGFjdGVkIHByaXZhdGVseSwgYnV0ICBJIGJlbGlldmUgdGhlIGFuc3dlciBp cwo+Pj4+ICJ3ZSdyZSB3b3JraW5nIG9uIGl0Igo+Pj4+Cj4+Pgo+Pj4gTXkgY29uY2VybnMgYXJl IGFzIGZvbGxvd3M6Cj4+Pgo+Pj4gMS4gVGhpcyBpcyBhbHJlYWR5IG91dCB0aGVyZSwgYW5kIEZy ZWVCU0QgdXNlcnMgaGF2ZW4ndCBiZWVuIGFsZXJ0ZWQgdGhhdAo+Pj4gdGhleSBzaG91bGQgYXZv aWQgcnVubmluZyBmcmVlYnNkLXVwZGF0ZS9wb3J0c25hcCB1bnRpbCB0aGUgcHJvYmxlbXMgYXJl Cj4+PiBmaXhlZC4KPj4+Cj4+PiAyLiBUaGVyZSB3YXMgbm8gbWVudGlvbiBpbiB0aGUgYnNwYXRj aCBhZHZpc29yeSB0aGF0IHJ1bm5pbmcKPj4+IGZyZWVic2QtdXBkYXRlIHRvICJmaXgiIGJzcGF0 Y2ggd291bGQgZXhwb3NlIHN5c3RlbXMgdG8gTUlUTSBhdHRhY2tlcnMgd2hvCj4+PiBhcmUgYXBw YXJlbnRseSBhbHJlYWR5IGluIG9wZXJhdGlvbi4KPj4+Cj4+PiAzLiBTdHJhbmdlbHksIHRoZSAi Zml4IiBpbiB0aGUgYWR2aXNvcnkgaXMgaW5jb21wbGV0ZSBhbmQgc3RpbGwgcGVybWl0cwo+Pj4g aGVhcCBjb3JydXB0aW9uLCBldmVuIHRob3VnaCBhIG1vcmUgY29tcGxldGUgZml4IGlzIGF2YWls YWJsZS4gVGhhdCdzCj4+PiB3aGF0IHByb21wdGVkIG15IHBvc3QuIElmIEZyZWVCU0QgbGVhcm5l ZCBvZiB0aGUgcHJvYmxlbSBmcm9tIHRoZSBzYW1lCj4+PiBzb3VyY2UgZG9jdW1lbnQgd2UgYWxs IGRpZCwgd2hpY2ggc2VlbXMgbGlrZWx5IGdpdmVuIHRoZSBjb2luY2lkZW50YWwKPj4+IHRpbWlu ZyBvZiBhbiBhZHZpc29yeSBmb3IgYSBsaXR0bGUta25vd24gdXRpbGl0eSBhIHdlZWsgb3IgdHdv IGFmdGVyIHRoYXQKPj4+IHNvdXJjZSBkb2N1bWVudCBhcHBlYXJlZCwgdGhlbiBzdXJlbHkgRnJl ZUJTRCBoYWQgdGhlIGNvbXBsZXRlIGZpeAo+Pj4gYXZhaWxhYmxlLgo+Pj4KPj4+IF9fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fCj4+ICBmcmVlYnNkLXBvcnRz QGZyZWVic2Qub3JnIG1haWxpbmcgbGlzdAo+PiAgaHR0cHM6Ly9saXN0cy5mcmVlYnNkLm9yZy9t YWlsbWFuL2xpc3RpbmZvL2ZyZWVic2QtcG9ydHMKPj4gVG8gdW5zdWJzY3JpYmUsIHNlbmQgYW55 IG1haWwgdG8gIiBmcmVlYnNkLXBvcnRzLXVuc3Vic2NyaWJlQGZyZWVic2Qub3JnICIKPj4KPl9f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fCj5mcmVlYnNkLXNl Y3VyaXR5QGZyZWVic2Qub3JnIG1haWxpbmcgbGlzdAo+aHR0cHM6Ly9saXN0cy5mcmVlYnNkLm9y Zy9tYWlsbWFuL2xpc3RpbmZvL2ZyZWVic2Qtc2VjdXJpdHkKPlRvIHVuc3Vic2NyaWJlLCBzZW5k IGFueSBtYWlsIHRvICIgZnJlZWJzZC1zZWN1cml0eS11bnN1YnNjcmliZUBmcmVlYnNkLm9yZyAi CgoKQmVzdCByZWdhcmRzLApNYWlsIExpc3RzCm1saXN0c0BtYWlsLnJ1Cg== From 
owner-freebsd-security@freebsd.org Thu Aug 11 04:22:22 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 48435BB4A5A; Thu, 11 Aug 2016 04:22:22 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "vps1.elischer.org", Issuer "CA Cert Signing Authority" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 2716C19AD; Thu, 11 Aug 2016 04:22:21 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from Julian-MBP3.local (ppp121-45-226-8.lns20.per1.internode.on.net [121.45.226.8]) (authenticated bits=0) by vps1.elischer.org (8.15.2/8.15.2) with ESMTPSA id u7B4M9th034703 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Wed, 10 Aug 2016 21:22:12 -0700 (PDT) (envelope-from julian@freebsd.org) Subject: Re: freebsd-update and portsnap users still at risk of compromise To: Mail Lists , Matthew Donovan References: <6bd80e384e443e5de73fb951e973b221@vfemail.net> <57aa38bc.c505420a.7a6a0.bda8SMTPIN_ADDED_MISSING@mx.google.com> <1470849104.192073030@f370.i.mail.ru> Cc: freebsd-security , Roger Marquis , freebsd-ports , Martin Schroeder From: Julian Elischer Message-ID: Date: Thu, 11 Aug 2016 12:22:04 +0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: <1470849104.192073030@f370.i.mail.ru> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Aug 2016 04:22:22 -0000 On 11/08/2016 1:11 AM, Mail Lists 
via freebsd-security wrote: > > > sorry but this is blabla and does not come even near to answering the real problem: > > It appears that freebsd and the US-government is more connected that some of us might like: > > Not publishing security issues concerning update mechanisms - we all can think WHY freebsd is not eager on this one. > > Just my thoughts... this has been in discussion a lot in private circles within FreeBSD. It's not being ignored and a "correct" patch is being developed. from one email I will quote just a small part.. ======= As of yet, [the] patches for the libarchive vulnerabilities have not been released upstream to be pulled into FreeBSD. In the meantime, HardenedBSD has created patches for some of the libarchive vulnerabilities, the first[3] is being considered for inclusion in FreeBSD, at least until a complete fix is committed upstream, however the second[4] is considered too brute-force and will not be committed as-is. Once the patches are in FreeBSD and updated binaries are available, a Security Advisory will be issued. ======= so expect something soon. I will go on to say that the threat does need to come from an advanced MITM actor, though that does not make it a non threat.. > > >> Tuesday, August 9, 2016 8:21 PM UTC from Matthew Donovan : >> >> You mean operating system as distribution is a Linux term. There's not much >> different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes >> vulnerabilities and has a an excellent ASLR system compared to the proposed >> one for FreeBSD. >> >> On Aug 9, 2016 3:10 PM, "Roger Marquis" < marquis@roble.com > wrote: >> >>> Timely update via Hackernews: >>> >>> >> y-update-libarchive> >>> >>> Note in particular: >>> >>> "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch, >>> and libarchive vulnerabilities." 
>>>
>>> Not sure why the portsec team has not commented or published an advisory
>>> (possibly because the freebsd list spam filters are so bad that
>>> subscriptions are being blocked) but from where I sit it seems that
>>> those exposed should consider:
>>>
>>> cd /usr/ports
>>> svn{lite} co https://svn.FreeBSD.org/ports/head /usr/ports
>>> make index
>>> rm -rf /usr/sbin/portsnap /var/db/portsnap/*
>>>
>>> I'd also be interested in hearing from hardenedbsd users regarding the
>>> pros and cons of cutting over to that distribution.
>>>
>>> Roger
>>>
>>>
>>>
>>> On 2016-07-29 09:00, Julian Elischer wrote:
>>>>> not sure if you've been contacted privately, but I believe the answer is
>>>>> "we're working on it"
>>>>>
>>>> My concerns are as follows:
>>>>
>>>> 1. This is already out there, and FreeBSD users haven't been alerted that
>>>> they should avoid running freebsd-update/portsnap until the problems are
>>>> fixed.
>>>>
>>>> 2. There was no mention in the bspatch advisory that running
>>>> freebsd-update to "fix" bspatch would expose systems to MITM attackers who
>>>> are apparently already in operation.
>>>>
>>>> 3. Strangely, the "fix" in the advisory is incomplete and still permits
>>>> heap corruption, even though a more complete fix is available. That's
>>>> what prompted my post. If FreeBSD learned of the problem from the same
>>>> source document we all did, which seems likely given the coincidental
>>>> timing of an advisory for a little-known utility a week or two after that
>>>> source document appeared, then surely FreeBSD had the complete fix
>>>> available.
>>>>
>
> Best regards,
> Mail Lists
> mlists@mail.ru
>

From owner-freebsd-security@freebsd.org Thu Aug 11 10:00:06 2016
From: Vincent Hoffman-Kazlauskas
To: Julian Elischer, Mail Lists, Matthew Donovan
Cc: freebsd-security, Roger Marquis, freebsd-ports, Martin Schroeder
Subject: Re: freebsd-update and portsnap users still at risk of compromise
Date: Thu, 11 Aug 2016 10:59:57 +0100

For those not on freebsd-announce (or reddit or anywhere else it got posted)

"FreeBSD Core statement on recent freebsd-update and related
vulnerabilities"
https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001739.html



Vince

On 11/08/2016 05:22, Julian Elischer wrote:
> On 11/08/2016 1:11 AM, Mail Lists via freebsd-security wrote:
>>
>>
>> sorry but this is blabla and does not come even near to answering the
>> real problem:
>>
>> It appears that freebsd and the US-government is more connected than
>> some of us might like:
>>
>> Not publishing security issues concerning update mechanisms - we all
>> can think WHY freebsd is not eager on this one.
>>
>> Just my thoughts...
>
> this has been in discussion a lot in private circles within FreeBSD.
> It's not being ignored and a "correct" patch is being developed.
>
> from one email I will quote just a small part..
> =======
>
> As of yet, [the] patches for the libarchive vulnerabilities have not been
> released upstream to be pulled into FreeBSD. In the meantime, HardenedBSD has
> created patches for some of the libarchive vulnerabilities, the first[3] is being
> considered for inclusion in FreeBSD, at least until a complete fix is
> committed upstream, however the second[4] is considered too brute-force and
> will not be committed as-is. Once the patches are in FreeBSD and updated
> binaries are available, a Security Advisory will be issued.
>
> =======
> so expect something soon.
> I will go on to say that the threat does need to come from an advanced
> MITM actor, though that does not make it a non threat..
>
>>
>>
>>> Tuesday, August 9, 2016 8:21 PM UTC from Matthew Donovan :
>>>
>>> You mean operating system as distribution is a Linux term. There's not much
>>> difference between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
>>> vulnerabilities and has an excellent ASLR system compared to the proposed
>>> one for FreeBSD.
>>>
>>> On Aug 9, 2016 3:10 PM, "Roger Marquis" < marquis@roble.com > wrote:
>>>
>>>> Timely update via Hackernews:
>>>>
>>>> <hardenedbsd.org/article/shawn-webb/2016-08-07/vulnerability-update-libarchive>
>>>>
>>>> Note in particular:
>>>>
>>>> "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
>>>> and libarchive vulnerabilities."
>>>>
>>>> Not sure why the portsec team has not commented or published an advisory
>>>> (possibly because the freebsd list spam filters are so bad that
>>>> subscriptions are being blocked) but from where I sit it seems that
>>>> those exposed should consider:
>>>>
>>>> cd /usr/ports
>>>> svn{lite} co https://svn.FreeBSD.org/ports/head /usr/ports
>>>> make index
>>>> rm -rf /usr/sbin/portsnap /var/db/portsnap/*
>>>>
>>>> I'd also be interested in hearing from hardenedbsd users regarding the
>>>> pros and cons of cutting over to that distribution.
>>>>
>>>> Roger
>>>>
>>>>
>>>>
>>>> On 2016-07-29 09:00, Julian Elischer wrote:
>>>>>> not sure if you've been contacted privately, but I believe the
>>>>>> answer is "we're working on it"
>>>>>>
>>>>> My concerns are as follows:
>>>>>
>>>>> 1. This is already out there, and FreeBSD users haven't been alerted that
>>>>> they should avoid running freebsd-update/portsnap until the problems are
>>>>> fixed.
>>>>>
>>>>> 2. There was no mention in the bspatch advisory that running
>>>>> freebsd-update to "fix" bspatch would expose systems to MITM attackers who
>>>>> are apparently already in operation.
>>>>>
>>>>> 3. Strangely, the "fix" in the advisory is incomplete and still permits
>>>>> heap corruption, even though a more complete fix is available. That's
>>>>> what prompted my post. If FreeBSD learned of the problem from the same
>>>>> source document we all did, which seems likely given the coincidental
>>>>> timing of an advisory for a little-known utility a week or two after that
>>>>> source document appeared, then surely FreeBSD had the complete fix
>>>>> available.
>>>>>
>>
>> Best regards,
>> Mail Lists
>> mlists@mail.ru
>>
>

From owner-freebsd-security@freebsd.org Thu Aug 11 12:17:23 2016
From: Joe Shevland
To: freebsd-security
Subject: Re: freebsd-update and portsnap users still at risk of compromise
Date: Thu, 11 Aug 2016 22:13:21 +1000

The HN discussion: https://news.ycombinator.com/item?id=12261347

On 11/08/2016 7:59 PM, Vincent Hoffman-Kazlauskas wrote:
> For those not on freebsd-announce (or reddit or anywhere else it got posted)
>
> "FreeBSD Core statement on recent freebsd-update and related
> vulnerabilities"
> https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001739.html
>
>
>
> Vince
>
> On 11/08/2016 05:22, Julian Elischer wrote:
>> On 11/08/2016 1:11 AM, Mail Lists via freebsd-security wrote:
>>>
>>> sorry but this is blabla and does not come even near to answering the
>>> real problem:
>>>
>>> It appears that freebsd and the US-government is more connected than
>>> some of us might like:
>>>
>>> Not publishing security issues concerning update mechanisms - we all
>>> can think WHY freebsd is not eager on this one.
>>>
>>> Just my thoughts...
>> this has been in discussion a lot in private circles within FreeBSD.
>> It's not being ignored and a "correct" patch is being developed.
>>
>> from one email I will quote just a small part..
>> =======
>>
>> As of yet, [the] patches for the libarchive vulnerabilities have not been
>> released upstream to be pulled into FreeBSD. In the meantime, HardenedBSD has
>> created patches for some of the libarchive vulnerabilities, the first[3] is being
>> considered for inclusion in FreeBSD, at least until a complete fix is
>> committed upstream, however the second[4] is considered too brute-force and
>> will not be committed as-is. Once the patches are in FreeBSD and updated
>> binaries are available, a Security Advisory will be issued.
>>
>> =======
>> so expect something soon.
>> I will go on to say that the threat does need to come from an advanced
>> MITM actor, though that does not make it a non threat..
>>
>>>
>>>> Tuesday, August 9, 2016 8:21 PM UTC from Matthew Donovan :
>>>>
>>>> You mean operating system as distribution is a Linux term. There's not much
>>>> difference between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
>>>> vulnerabilities and has an excellent ASLR system compared to the proposed
>>>> one for FreeBSD.
>>>>
>>>> On Aug 9, 2016 3:10 PM, "Roger Marquis" < marquis@roble.com > wrote:
>>>>
>>>>> Timely update via Hackernews:
>>>>>
>>>>> <hardenedbsd.org/article/shawn-webb/2016-08-07/vulnerability-update-libarchive>
>>>>>
>>>>> Note in particular:
>>>>>
>>>>> "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
>>>>> and libarchive vulnerabilities."
>>>>>
>>>>> Not sure why the portsec team has not commented or published an advisory
>>>>> (possibly because the freebsd list spam filters are so bad that
>>>>> subscriptions are being blocked) but from where I sit it seems that
>>>>> those exposed should consider:
>>>>>
>>>>> cd /usr/ports
>>>>> svn{lite} co https://svn.FreeBSD.org/ports/head /usr/ports
>>>>> make index
>>>>> rm -rf /usr/sbin/portsnap /var/db/portsnap/*
>>>>>
>>>>> I'd also be interested in hearing from hardenedbsd users regarding the
>>>>> pros and cons of cutting over to that distribution.
>>>>>
>>>>> Roger
>>>>>
>>>>>
>>>>>
>>>>> On 2016-07-29 09:00, Julian Elischer wrote:
>>>>>>> not sure if you've been contacted privately, but I believe the
>>>>>>> answer is "we're working on it"
>>>>>>>
>>>>>> My concerns are as follows:
>>>>>>
>>>>>> 1. This is already out there, and FreeBSD users haven't been alerted that
>>>>>> they should avoid running freebsd-update/portsnap until the problems are
>>>>>> fixed.
>>>>>>
>>>>>> 2. There was no mention in the bspatch advisory that running
>>>>>> freebsd-update to "fix" bspatch would expose systems to MITM attackers who
>>>>>> are apparently already in operation.
>>>>>>
>>>>>> 3. Strangely, the "fix" in the advisory is incomplete and still permits
>>>>>> heap corruption, even though a more complete fix is available. That's
>>>>>> what prompted my post. If FreeBSD learned of the problem from the same
>>>>>> source document we all did, which seems likely given the coincidental
>>>>>> timing of an advisory for a little-known utility a week or two after that
>>>>>> source document appeared, then surely FreeBSD had the complete fix
>>>>>> available.
>>>>>>
>>> Best regards,
>>> Mail Lists
>>> mlists@mail.ru
>>>
>>
>