Date: Tue, 9 Aug 2016 13:07:37 -0700 (PDT)
From: Roger Marquis
To: Martin Schroeder
cc: freebsd-security@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: freebsd-update and portsnap users still at risk of compromise

Timely update via Hackernews:

Note in particular:

   "FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch,
   and libarchive vulnerabilities."

Not sure why the portsec team has not commented or published an advisory
(possibly because the freebsd list spam filters are so bad that
subscriptions are being blocked) but from where I sit it seems that those
exposed should consider:

   cd /usr/ports
   svn{lite} co https://svn.FreeBSD.org/ports/head /usr/ports
   make index
   rm -rf /usr/sbin/portsnap /var/db/portsnap/*

I'd also be interested in hearing from hardenedbsd users regarding the
pros and cons of cutting over to that distribution.

Roger

> On 2016-07-29 09:00, Julian Elischer wrote:
>>
>> not sure if you've been contacted privately, but I believe the answer is
>> "we're working on it"
>
> My concerns are as follows:
>
> 1. This is already out there, and FreeBSD users haven't been alerted that
> they should avoid running freebsd-update/portsnap until the problems are
> fixed.
>
> 2. There was no mention in the bspatch advisory that running
> freebsd-update to "fix" bspatch would expose systems to MITM attackers who
> are apparently already in operation.
>
> 3. Strangely, the "fix" in the advisory is incomplete and still permits
> heap corruption, even though a more complete fix is available. That's
> what prompted my post. If FreeBSD learned of the problem from the same
> source document we all did, which seems likely given the coincidental
> timing of an advisory for a little-known utility a week or two after that
> source document appeared, then surely FreeBSD had the complete fix
> available.
>