From: grarpamp
Date: Tue, 6 Apr 2021 04:39:49 -0400
Subject: AMD: Predictive Store Forwarding PSF
To: freebsd-security@freebsd.org

Shouldn't this get a kernel option, sysctl, test app...?

https://www.amd.com/system/files/documents/security-analysis-predictive-store-forwarding.pdf

AMD advised customers last week to disable a new performance feature
if they plan to use CPUs for sensitive operations, as this feature is
vulnerable to Spectre-like side-channel attacks.

Called Predictive Store Forwarding (PSF), this feature was added to
AMD CPUs as part of the company's Zen 3 core architecture.

From: Stefan Blachmann
Date: Tue, 6 Apr 2021 03:11:31 +0200
Subject: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: secteam@freebsd.org, emaste@freebsd.org, FreeBSD-security@freebsd.org, cperciva@freebsd.org

Hello,

I had a very distressing experience today.
I installed a package to view its scripts (and *not* to run them!).

I was shocked when pkg told me that my system configuration, including
which packages and their versions are installed on my system, has been
sent to an external entity, without asking for my consent.

This is a security leak as well as a breach of EU data protection
rules, but above all, it is a breach of trust of the unsuspecting
FreeBSD users.

Read this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152
And read my experience in this and the following forum posts:
https://forums.freebsd.org/threads/toplist-freebsd-usage-per-1m-inhabitants.79669/post-504430

If this does not get fixed in short time, I will contact ArsTechnica,
TheRegister and some other reputed IT news outlets, to create public
pressure to get the issue resolved.

So please get this fixed and report back.

Sincerely,
Stefan Blachmann

From: Shawn Webb
Date: Tue, 6 Apr 2021 10:27:35 -0400
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: Stefan Blachmann
Cc: secteam@freebsd.org, emaste@freebsd.org, FreeBSD-security@freebsd.org, cperciva@freebsd.org

On Tue, Apr 06, 2021 at 03:11:31AM +0200, Stefan Blachmann wrote:
> Hello,
>
> I had a very distressing experience today.
> I installed a package to view its scripts (and *not* to run them!).
>
> I was shocked when pkg told me that my system configuration, including
> which packages and their versions are installed on my system, has been
> sent to an external entity, without asking for my consent.
>
> This is a security leak as well as a breach of EU data protection
> rules, but above all, it is a breach of trust of the unsuspecting
> FreeBSD users.
>
> Read this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152
> And read my experience in this and the following forum posts:
> https://forums.freebsd.org/threads/toplist-freebsd-usage-per-1m-inhabitants.79669/post-504430
>
> If this does not get fixed in short time, I will contact ArsTechnica,
> TheRegister and some other reputed IT news outlets, to create public
> pressure to get the issue resolved.
>
> So please get this fixed and report back.

1. BSDStats isn't run/maintained by the FreeBSD project. File the
   report with the BSDStats project, not FreeBSD.
2. You install a package that is made to submit statistical data.
3. You're upset that it submits statistical data?

lolwut,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Tue, 6 Apr 2021 16:39:40 +0200
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: Shawn Webb, Stefan Blachmann
Cc: secteam@freebsd.org, emaste@freebsd.org, FreeBSD-security@freebsd.org, cperciva@freebsd.org

On 06/04/2021 16:27, Shawn Webb wrote:

> 1. BSDStats isn't run/maintained by the FreeBSD project. File the
>    report with the BSDStats project, not FreeBSD.
> 2. You install a package that is made to submit statistical data.
> 3. You're upset that it submits statistical data?

The problem here is that it collects and sends data right at the install
time. It is really unexpected to run installed package without user consent.
If you install Apache, MySQL or any other package the command / daemon is not
run by "pkg install" command.
This must be avoided.

Kind regards
Miroslav Lachman

From: Shawn Webb
Date: Tue, 6 Apr 2021 10:42:22 -0400
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: Stefan Blachmann, secteam@freebsd.org, emaste@freebsd.org, FreeBSD-security@freebsd.org, cperciva@freebsd.org

On Tue, Apr 06, 2021 at 04:39:40PM +0200, Miroslav Lachman wrote:
> On 06/04/2021 16:27, Shawn Webb wrote:
>
> > 1. BSDStats isn't run/maintained by the FreeBSD project. File the
> >    report with the BSDStats project, not FreeBSD.
> > 2. You install a package that is made to submit statistical data.
> > 3. You're upset that it submits statistical data?
>
> The problem here is that it collects and sends data right at the install
> time. It is really unexpected to run installed package without user consent.
> If you install Apache, MySQL or any other package the command / daemon is not
> run by "pkg install" command.
> This must be avoided.

It's probably easier to submit a patch than it is to write a
lolwut-type email. All you gotta do is rm the post-install script.
Also `pkg install` has the -I option. But whatever, let the lolwut
mentality prevail!

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

From: Gordon Tetlow
Date: Tue, 6 Apr 2021 07:56:19 -0700
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: Shawn Webb
Cc: Miroslav Lachman <000.fbsd@quip.cz>, Stefan Blachmann, FreeBSD Security Team, Ed Maste, FreeBSD-security@freebsd.org, cperciva@freebsd.org

On Apr 6, 2021, at 7:42 AM, Shawn Webb wrote:
>
> On Tue, Apr 06, 2021 at 04:39:40PM +0200, Miroslav Lachman wrote:
>> On 06/04/2021 16:27, Shawn Webb wrote:
>>
>>> 1. BSDStats isn't run/maintained by the FreeBSD project. File the
>>>    report with the BSDStats project, not FreeBSD.
>>> 2. You install a package that is made to submit statistical data.
>>> 3. You're upset that it submits statistical data?
>>
>> The problem here is that it collects and sends data right at the install
>> time. It is really unexpected to run installed package without user consent.
>> If you install Apache, MySQL or any other package the command / daemon is not
>> run by "pkg install" command.
>> This must be avoided.
>
> It's probably easier to submit a patch than it is to write a
> lolwut-type email. All you gotta do is rm the post-install script.
> Also `pkg install` has the -I option. But whatever, let the lolwut
> mentality prevail!

I had a conversation on the side with the requestor. In short, there is
already a patch to address this issue in
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152. Not sure
why it hasn't been committed yet, but hopefully it gets picked up
shortly.

Gordon

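Added example, not part of any message in this thread and not code from pkg or BSDStats: the concern discussed above (a package whose install script runs code and sends data during `pkg install`) can be checked before installing by reading the package's +MANIFEST and listing what would execute. The manifest below is constructed, the package name, paths and host are hypothetical, and the check assumes the manifest parses as JSON with a `scripts` object keyed by phase and a `files` object keyed by installed path.

```python
import json
import posixpath
import re

# Phases that run during `pkg install`. Assumption: these are the keys used
# under "scripts" in a package's +MANIFEST.
INSTALL_PHASES = ("pre-install", "post-install")

# Heuristic list of commands that mean a script talks to the network.
NETWORK_TOOLS = {"fetch", "curl", "wget", "nc", "ftp", "ssh", "scp",
                 "sendmail", "mail"}

_WORD = re.compile(r"[\w./+-]+")


def _words(script):
    """Return the shell words of a script, skipping comments and blank lines."""
    words = []
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        line = line.split(" #", 1)[0]  # drop a trailing inline comment
        words.extend(_WORD.findall(line))
    return words


def audit_manifest(manifest_text):
    """List every install-time script and what makes it worth reading first.

    For each phase that has a script, report the network tools it names and
    the files from this same package that it executes or references.
    """
    manifest = json.loads(manifest_text)
    installed = set(manifest.get("files", {}))
    scripts = manifest.get("scripts", {})
    findings = []
    for phase in INSTALL_PHASES:
        body = scripts.get(phase)
        if not body:
            continue
        words = _words(body)
        basenames = {posixpath.basename(w) for w in words}
        findings.append({
            "phase": phase,
            "network_tools": sorted(basenames & NETWORK_TOOLS),
            "runs_installed": sorted(set(words) & installed),
        })
    return findings


def should_skip_scripts(findings):
    """True when a script reaches the network or runs the package's own files,
    i.e. when installing with scripts disabled (the -I option mentioned in the
    thread) and reading the script first is the cautious choice."""
    return any(f["network_tools"] or f["runs_installed"] for f in findings)


# Constructed sample: a hypothetical statistics package whose post-install
# script runs its own periodic job and contacts a remote host.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-stats",
    "version": "1.0",
    "files": {"/usr/local/etc/periodic/monthly/900.example-stats": "-"},
    "scripts": {
        "post-install": (
            "#!/bin/sh\n"
            "# send a first report right after installation\n"
            "/usr/local/etc/periodic/monthly/900.example-stats -nodelay\n"
            "fetch -qo /dev/null https://stats.example.invalid/hello\n"
        ),
        "post-deinstall": "echo 'example-stats removed'\n",
    },
})

# Constructed sample: a package that ships files but no scripts at all.
QUIET_MANIFEST = json.dumps({
    "name": "example-tool",
    "version": "2.3",
    "files": {"/usr/local/bin/example-tool": "-"},
})

if __name__ == "__main__":
    for text in (SAMPLE_MANIFEST, QUIET_MANIFEST):
        result = audit_manifest(text)
        print(json.loads(text)["name"], result, should_skip_scripts(result))
```

The word matching is a triage heuristic: it tells you which scripts to read before installing, not whether they are safe.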
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-21:08.vm
Reply-To: freebsd-security@freebsd.org
Date: Tue, 6 Apr 2021 20:22:58 +0000 (UTC)

=============================================================================
FreeBSD-SA-21:08.vm                                         Security Advisory
                                                          The FreeBSD Project

Topic:          Memory disclosure by stale virtual memory mapping

Category:       core
Module:         vm
Announced:      2021-04-06
Credits:        Ryan Libby, Dell Inc.
Affects:        All supported versions of FreeBSD.
Corrected:      2021-04-06 18:50:46 UTC (stable/13, 13.0-STABLE)
                2021-04-06 19:18:49 UTC (releng/13.0, 13.0-RC5-p1)
                2021-04-06 19:20:46 UTC (stable/12, 12.2-STABLE)
                2021-04-06 19:21:30 UTC (releng/12.2, 12.2-RELEASE-p6)
                2021-04-06 19:22:31 UTC (stable/11, 11.4-STABLE)
                2021-04-06 19:22:56 UTC (releng/11.4, 11.4-RELEASE-p9)
CVE Name:       CVE-2021-29626

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Memory mappings shared between processes are a feature of the FreeBSD
virtual memory system.  They may be established by unprivileged processes
with the mmap(2), fork(2), and other system calls.

II.  Problem Description

A particular case of memory sharing is mishandled in the virtual memory
system.  It is possible and legal to establish a relationship where
multiple descendant processes share a mapping which shadows memory of an
ancestor process.  In this scenario, when one process modifies memory
through such a mapping, the copy-on-write logic fails to invalidate other
mappings of the source page.  These stale mappings may remain even after
the mapped pages have been reused for another purpose.

III. Impact

An unprivileged local user process can maintain a mapping of a page after
it is freed, allowing that process to read private data belonging to other
processes or the kernel.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.0]
# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.13.patch
# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.13.patch.asc
# gpg --verify vm_fault.13.patch.asc

[FreeBSD 12.2]
# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.12.patch
# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.12.patch.asc
# gpg --verify vm_fault.12.patch.asc

[FreeBSD 11.4]
# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.11.patch
# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.11.patch.asc
# gpg --verify vm_fault.11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              2e08308d62f3    stable/13-n245117
releng/13.0/                            724bc23da1a9  releng/13.0-n244728
stable/12/                                                        r369551
releng/12.2/                                                      r369556
stable/11/                                                        r369559
releng/11.4/                                                      r369561
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing HHHHHH with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
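Added example (not part of the advisory or of FreeBSD's own tooling): a shell check that compares a kernel version string, as printed by freebsd-version(1), against the releng patch levels in the "Corrected:" field of FreeBSD-SA-21:08.vm above, and reports when a patched kernel is installed but the vulnerable one is still running. The function names and the ordering BETA < RC < RELEASE on a releng branch are assumptions of this example; -STABLE and other strings without a patch level are reported as unknown and have to be compared against the correction date instead.

```shell
#!/bin/sh
# Added example, not part of the advisory. Function names are illustrative.

# releng patch levels copied from the "Corrected:" field of FreeBSD-SA-21:08.vm.
corrected_level() {
    case "$1" in
        13.0) echo "RC5-p1" ;;
        12.2) echo "RELEASE-p6" ;;
        11.4) echo "RELEASE-p9" ;;
        *)    return 1 ;;
    esac
}

# Turn "BETA3", "RC5-p1", "RELEASE" or "RELEASE-p6" into a sortable integer.
# Assumed ordering on a releng branch: BETA < RC < RELEASE, then the -pN level.
level_rank() {
    lvl=$1
    patch=0
    case "$lvl" in
        *-p*) patch=${lvl##*-p}; lvl=${lvl%-p*} ;;
    esac
    case "$lvl" in
        BETA*)   stage=1; num=${lvl#BETA} ;;
        RC*)     stage=2; num=${lvl#RC} ;;
        RELEASE) stage=3; num=0 ;;
        *)       return 1 ;;   # STABLE, CURRENT, PRERELEASE: no patch level
    esac
    [ -n "$num" ] && [ -n "$patch" ] || return 1
    case "$num$patch" in
        *[!0-9]*) return 1 ;;
    esac
    echo $(( stage * 1000000 + num * 1000 + patch ))
}

# Prints "patched", "vulnerable" or "unknown" for a string such as
# "12.2-RELEASE-p5".
sa_21_08_status() {
    ver=$1
    branch=${ver%%-*}
    level=${ver#*-}
    [ "$branch" != "$ver" ] || { echo unknown; return 0; }
    want=$(corrected_level "$branch") || { echo unknown; return 0; }
    have_rank=$(level_rank "$level") || { echo unknown; return 0; }
    want_rank=$(level_rank "$want")
    if [ "$have_rank" -ge "$want_rank" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Combine the installed kernel (freebsd-version -k) with the running kernel
# (freebsd-version -r): the fix only takes effect after the reboot the
# advisory asks for.
host_status() {
    installed=$(sa_21_08_status "$1")
    running=$(sa_21_08_status "$2")
    if [ "$installed" = patched ] && [ "$running" = vulnerable ]; then
        echo reboot-pending
    else
        echo "$running"
    fi
}

# On a FreeBSD host, report the local state; elsewhere this is skipped.
if command -v freebsd-version >/dev/null 2>&1; then
    host_status "$(freebsd-version -k)" "$(freebsd-version -r)"
fi
```

The same patch levels appear in the release branches of FreeBSD-SA-21:10.jail_mount; FreeBSD-SA-21:09.accept_filter lists 13.0-RC4 for releng/13.0.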
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-21:09.accept_filter
Reply-To: freebsd-security@freebsd.org
Date: Tue, 6 Apr 2021 20:23:03 +0000 (UTC)

=============================================================================
FreeBSD-SA-21:09.accept_filter                              Security Advisory
                                                          The FreeBSD Project

Topic:          double free in accept_filter(9) socket configuration interface

Category:       core
Module:         accept_filter
Announced:      2021-04-06
Credits:        Alexey Kulaev
Affects:        FreeBSD 12.2 and later.
Corrected:      2021-03-28 00:24:15 UTC (stable/13, 13.0-STABLE)
                2021-03-28 15:03:37 UTC (releng/13.0, 13.0-RC4)
                2021-03-28 00:26:49 UTC (stable/12, 12.2-STABLE)
                2021-04-06 19:21:21 UTC (releng/12.2, 12.2-RELEASE-p6)
CVE Name:       CVE-2021-29627

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD features an accept_filter(9) mechanism which allows an application
to request that the kernel pre-process incoming connections.  For example,
the accf_http(9) accept filter prevents accept(2) from returning until a
full HTTP request has been buffered.

No accept filters are enabled by default.  A system administrator must
either compile the FreeBSD kernel with a particular accept filter option
(such as ACCEPT_FILTER_HTTP) or load the filter using kldload(8) in order
to utilize accept filters.

II.  Problem Description

An unprivileged process can configure an accept filter on a listening
socket.  This is done using the setsockopt(2) system call.  The process
supplies the name of the accept filter which is to be attached to the
socket, as well as a string containing filter-specific information.

If the filter implements the accf_create callback, the socket option
handler attempts to preserve the process-supplied argument string.  A bug
in the socket option handler caused this string to be freed prematurely,
leaving a dangling pointer.  Additional operations on the socket can turn
this into a double free or a use-after-free.

III. Impact

The bug may be exploited to trigger local privilege escalation or kernel
memory disclosure.

IV.  Workaround

Systems not using accept filters, or using only the accept filters included
with the FreeBSD base system (accf_data(9), accf_dns(9), and accf_http(9))
are unaffected.  Note that no accept filters are loaded in the kernel by
default.

Systems using a third-party accept filter module are affected if the
module defines an accf_create callback.  In this case, the only workaround
is to ensure that the module is not loaded into the kernel.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-21:09/accept_filter.patch
# fetch https://security.FreeBSD.org/patches/SA-21:09/accept_filter.patch.asc
# gpg --verify accept_filter.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              c7d10e7ec872    stable/13-n245050
releng/13.0/                            af6611e5adc6  releng/13.0-n244711
stable/12/                                                        r369525
releng/12.2/                                                      r369553
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing HHHHHH with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-21:10.jail_mount
Reply-To: freebsd-security@freebsd.org
Date: Tue, 6 Apr 2021 20:23:09 +0000 (UTC)

=============================================================================
FreeBSD-SA-21:10.jail_mount                                 Security Advisory
                                                          The FreeBSD Project

Topic:          jail escape possible by mounting over jail root

Category:       core
Module:         jail
Announced:      2021-04-06
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.
Corrected:      2021-04-06 18:50:48 UTC (stable/13, 13.0-STABLE)
                2021-04-06 19:18:59 UTC (releng/13.0, 13.0-RC5-p1)
                2021-04-06 19:20:50 UTC (stable/12, 12.2-STABLE)
                2021-04-06 19:21:33 UTC (releng/12.2, 12.2-RELEASE-p6)
                2021-04-06 19:22:31 UTC (stable/11, 11.4-STABLE)
                2021-04-06 19:22:59 UTC (releng/11.4, 11.4-RELEASE-p9)
CVE Name:       CVE-2020-25584

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges.  It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

II.  Problem Description

Due to a race condition between lookup of ".." and remounting a filesystem,
a process running inside a jail might access filesystem hierarchy outside
of jail.

III. Impact

A process with superuser privileges running inside a jail configured
with the allow.mount permission (not enabled by default) could change the
root directory outside of the jail, and thus gain full read and write
access to all files and directories in the system.

IV.  Workaround

As a workaround, disable allow.mount permission for all jails with untrusted
root users; see jail(1) and jail.conf(5) manual pages for details.  Note
that this permission is not enabled by default.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.0]
# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.13.patch
# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.13.patch.asc
# gpg --verify jail_mount.13.patch.asc

[FreeBSD 12.2]
# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.12.patch
# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.12.patch.asc
# gpg --verify jail_mount.12.patch.asc

[FreeBSD 11.4]
# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.11.patch
# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.11.patch.asc
# gpg --verify jail_mount.11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              3ae17faa3704    stable/13-n245118
releng/13.0/                            4710439ec594  releng/13.0-n244729
stable/12/                                                        r369552
releng/12.2/                                                      r369557
stable/11/                                                        r369560
releng/11.4/                                                      r369562
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing HHHHHH with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
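Added example (not part of the advisory): a shell and awk audit of jail.conf(5) text for the workaround in section IV of FreeBSD-SA-21:10.jail_mount above, listing the jails for which allow.mount is enabled either in the jail's own block or through a global default. The function names and the sample configuration are constructed for illustration; the scanner assumes un-nested jail blocks and skips comments and quoted strings so that a commented-out or quoted "allow.mount;" is not reported.

```shell
#!/bin/sh
# Added example, not part of the advisory.
# Output: "name:block" when the jail's own block enables allow.mount,
# "name:global" when it is inherited from the global scope or a "*" block.

audit_allow_mount() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }

    # Record the effect of one "key;" or "key = value;" statement.
    function check(s,   eq, key, val, scope) {
        eq = index(s, "=")
        key = trim(eq ? substr(s, 1, eq - 1) : s)
        val = tolower(trim(eq ? substr(s, eq + 1) : ""))
        scope = (jail == "" || jail == "*") ? "*" : jail
        if (key == "allow.mount") {
            state[scope] = (val == "false" || val == "0") ? "off" : "on"
        } else if (key == "allow.nomount") {
            state[scope] = "off"
        }
    }

    {
        n = length($0)
        for (i = 1; i <= n; i++) {
            c = substr($0, i, 1); d = substr($0, i, 2)
            if (in_c) {                        # inside a C-style comment
                if (d == "*/") { in_c = 0; i++ }
                continue
            }
            if (in_q != "") {                  # inside a quoted string
                if (c == "\\") { stmt = stmt substr($0, i + 1, 1); i++ }
                else if (c == in_q) { in_q = "" }
                else { stmt = stmt c }
                continue
            }
            if (d == "/*") { in_c = 1; i++; continue }
            if (c == "#" || d == "//") break   # comment to end of line
            if (c == "\"" || c == "\047") { in_q = c; continue }
            if (c == "{") {
                jail = trim(stmt); stmt = ""
                if (jail != "*" && !(jail in seen)) {
                    seen[jail] = 1; names[++nj] = jail
                }
                continue
            }
            if (c == "}") { jail = ""; stmt = ""; continue }
            if (c == ";") { check(stmt); stmt = ""; continue }
            stmt = stmt c
        }
        stmt = stmt " "
    }

    END {
        for (k = 1; k <= nj; k++) {
            j = names[k]
            if (j in state) {
                if (state[j] == "on") print j ":block"
            } else if (state["*"] == "on") {
                print j ":global"
            }
        }
    }
    ' "$@"
}

# Constructed sample configuration (not taken from any real host).
sample_jail_conf() {
    cat <<'EOF'
exec.start = "/bin/sh /etc/rc";   // global scope
mount.devfs;

web {
    path = "/jails/web";
    allow.mount;                  # enabled in the block: reported
    allow.mount.nullfs;
}
db {
    path = "/jails/db";           /* allow.mount; is commented out
    allow.mount; still inside the comment */
}
build {
    exec.prestart = "echo 'allow.mount;' # not a setting";
    allow.mount = "false";
}
ci { allow.mount = 1; allow.raw_sockets; }
EOF
}

sample_jail_conf | audit_allow_mount
```

On a running host, `jls name allow.mount` prints the value in effect for each active jail, which also covers jails started outside jail.conf.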
From: Gordon Tetlow
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
Date: Wed, 7 Apr 2021 20:37:23 -0700
Cc: Shawn Webb, Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Security Team, Ed Maste, FreeBSD-security@freebsd.org, cperciva@freebsd.org
To: Stefan Blachmann

> On Apr 7, 2021, at 7:50 PM, Stefan Blachmann wrote:
> 
> Anything else is apparently deemed “allowed”.
> Spying out the machine and its configuration, sending that data to an
> external entity – perfectly OK. Not a problem at all.
> 
> This has been proved by the handling of this last BSDstats security
> incident, where the FreeBSD “pkg” utility is being abused to run
> spyware without the users’ pre-knowledge and without his content.
> 
> This abuse is apparently being considered acceptable by both FreeBSD
> and HardenedBSD security officers.
> Instead of taking action, you "security officers" tell the FreeBSD
> users that it is their own guilt that they got “pwnd”.
> Just because they trustingly installed software from the package repo
> hosted by FreeBSD, without religiously-carefully auditing every and
> each packages' pre- and postinstallation script before actual install,
> using the “pkg -I” option.

I do not consider it acceptable that this behavior is occurring. I'll
quote to you what I said in my private email to you:

Running scripts at pre/post-install is a foundational design of
packages. These scripts can do anything a shell script can do. If you
are concerned about packages running scripts, I recommend changing the
pkg setting:

     RUN_SCRIPTS: boolean
                      Run pre-/post-installation action scripts.  Default: YES.

Change this in your /usr/local/etc/pkg.conf and you will not have
pre/post install scripts running for your packages. Another option,
instead of changing the global default, is to use the pkg install -I
switch, which will not run scripts for that installation.

As for the behavior of this specific package, I agree it is poor that it
runs without user consent. Reading the pkg-install script, it appears it
should ask consent, perhaps it is broken. I recommend taking it up with
the port/package maintainer, scrappy@hub.org, whom I have added to this
email.

I agree this should be fixed and is undesirable. Even the pkg maintainer
who is the person running the bsdstats website is in agreement here. The
difference is: I don't assume the maintainer has ill-will and it is the
result of an oversight that will be fixed. There is a process to be
followed and I am not comfortable wielding the security-officer hammer
unless I see visible evidence the process is broken and requires me to
intercede. We aren't there.

> Can it be ethically acceptable to put users at risk, for example by
> intentionally (?) not setting any limits to what extent installer
> scripts are allowed to collect sensitive user and system data and
> disclose them to interested third parties?

This is an interesting point. Unfortunately, the technology we have
gives unfettered access to the system. I'm having a hard time thinking
how we could achieve the goal of installing software (which in our model
requires root privileges) while also limiting what it is allowed to do
on said system. I'm not aware of any other package system (rpm, deb,
etc) that has technical limits on pre/post installation scripts. If you
are aware of any examples, I'd love to see it to see if there is
something we can incorporate. Patches, as always, are welcome to improve
the system.

> This should imho be discussed in public, leading to the formulation of
> rules which might help enabling users to trust FreeBSD.
> 
> [ Just to note: the porter of the package in question wrote me that it
> never was the intention to run the scripts without user content. There
> must have happened something/some action by someone, which led to this
> behaviour. What actually happened, this can be analyzed.
> For me, what actually matters is not this particular incident, but the
> finding that spyware behavior of pre/postinstaller scripts is
> apparently generally deemed acceptable and not actionable, according
> to FreeBSD rules. So the problem are these rules, and not this last
> incident. ]

I disagree with your premise. For the record, I did take action, which
was to escalate the problem to the port/pkg maintainer. It is their
software and their responsibility. Please do not take my unwillingness
to violate the maintainer's ownership of their port/pkg as unwillingness
to deal with the issue. I would like the process to have a chance to
work.

Lastly, your combative tone in reporting this issue is far from anything
I would consider professional. I would ask that you give some
consideration to your words in the hopes that you will understand that
flaming me on the mailing list is unlikely to make me want to advocate
for you.
Thanks, Gordon= From owner-freebsd-security@freebsd.org Thu Apr 8 04:42:46 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id EBA135CF01D for ; Thu, 8 Apr 2021 04:42:46 +0000 (UTC) (envelope-from dewayne@heuristicsystems.com.au) Received: from hermes.heuristicsystems.com.au (hermes.heuristicsystems.com.au [203.41.22.115]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2560 bits) client-digest SHA256) (Client CN "hermes.heuristicsystems.com.au", Issuer "Heuristic Systems Type 4 Host CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4FG7sx0vkqz3rCT; Thu, 8 Apr 2021 04:42:43 +0000 (UTC) (envelope-from dewayne@heuristicsystems.com.au) Received: from [10.0.5.3] (noddy.hs [10.0.5.3]) (authenticated bits=0) by hermes.heuristicsystems.com.au (8.15.2/8.15.2) with ESMTPSA id 1384epb0039971 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT); Thu, 8 Apr 2021 14:40:52 +1000 (AEST) (envelope-from dewayne@heuristicsystems.com.au) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=heuristicsystems.com.au; s=hsa; t=1617856852; x=1618461653; bh=V0ZA1RGmQlcvOSrmEl8t0ILTo8JMl0o62QovyYkaH5s=; h=Subject:To:From:Message-ID:Date; b=H18+/O3Pl5gdG8ua53ODHSS/XZRO+zIp1MnfoPtIv+dVbhwFbH4bikSGr43mkROkb PhnTqranfoqa26tvGgPSjqG6RPA+ThjAQlGd/KP5koGJbhnNel0RJNxDU5wxnUCOTN fyWMnz1LatI0kIwP3meWu5sE6AK//QjmrRdm8erbb+MFtFalaxjlc X-Authentication-Warning: b3.hs: Host noddy.hs [10.0.5.3] claimed to be [10.0.5.3] Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg To: Stefan Blachmann , secteam@freebsd.org, emaste@freebsd.org, FreeBSD-security@freebsd.org, cperciva@freebsd.org References: From: Dewayne Geraghty Message-ID: 
<26674e2a-a25e-f398-cc1e-609485f0145c@heuristicsystems.com.au> Date: Thu, 8 Apr 2021 14:39:29 +1000 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:78.0) Gecko/20100101 Thunderbird/78.8.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-GB Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 4FG7sx0vkqz3rCT X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=fail (headers rsa verify failed) header.d=heuristicsystems.com.au header.s=hsa header.b=H18+/O3P; dmarc=none; spf=pass (mx1.freebsd.org: domain of dewayne@heuristicsystems.com.au designates 203.41.22.115 as permitted sender) smtp.mailfrom=dewayne@heuristicsystems.com.au X-Spamd-Result: default: False [-2.50 / 15.00]; RCVD_TLS_ALL(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+mx]; R_DKIM_REJECT(1.00)[heuristicsystems.com.au:s=hsa]; MIME_GOOD(-0.10)[text/plain]; HAS_XAW(0.00)[]; ARC_NA(0.00)[]; RCPT_COUNT_FIVE(0.00)[5]; NEURAL_HAM_LONG(-1.00)[-1.000]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_IN_DNSWL_MED(-0.20)[203.41.22.115:from]; DKIM_TRACE(0.00)[heuristicsystems.com.au:-]; DMARC_NA(0.00)[heuristicsystems.com.au]; NEURAL_HAM_SHORT(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FREEMAIL_TO(0.00)[gmail.com,freebsd.org]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:1221, ipnet:203.40.0.0/13, country:AU]; RCVD_COUNT_TWO(0.00)[2]; MAILMAN_DEST(0.00)[FreeBSD-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Apr 2021 04:42:47 -0000 The prevailing paradigm is that a package install requires an affirming action in rc.conf. Neither of "man pkg-add" nor "pkg-install" explicitly states that an installed package will do other than perform installation and updating steps. 
At best, it is implied that installation scripts are run by the existence of -I which prevents installation scripts from running in both (pkg add, pkg install), but this is to *perform* an installation.

It must be noted that the porter's handbook states unambiguously that
"Important: This script [Ed: during pkg add, pkg install] is here to help you set up the package so that it is as ready to use as possible. It must not be abused to start services, stop services, or run any other commands that will modify the currently running system."
Ref: https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html

I'd suggest that the man pages be updated to explicitly align with the porter's handbook, as installation does not imply consent to execute.

Stefan,
I've been involved in quite a few privacy breaches (from a server perspective) so I appreciate the elevated level of concern. I'd suggest that you review
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504&qid=1532348683434
as the GDPR relates to natural persons and data pertaining to them. The transmission of data pertaining to applications and their version may be a security risk, but it isn't a breach against a natural person's privacy. However, as a data controller you may have an obligation IF you have installed bsdstats onto individual workstations/PCs, as I suspect that this falls under the personal data related to an individual, hence subject to data protection rules.
To avoid unnecessary disclosure as I see no reason to share information to hacking entities, I'm sharing my /etc/periodic.conf

monthly_statistics_enable="YES"
monthly_statistics_report_devices="YES"
monthly_statistics_report_ports="NO"

Kind regards, Dewayne

From owner-freebsd-security@freebsd.org Thu Apr 8 02:50:22 2021
In-Reply-To: <410E4486-F9CF-41C3-9396-BD307AF2325F@tetlows.org>
From: Stefan Blachmann
Date: Thu, 8 Apr 2021 04:50:17 +0200
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: Gordon Tetlow
Cc: Shawn Webb, Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Security Team, Ed Maste, FreeBSD-security@freebsd.org, cperciva@freebsd.org

The answers I got from both "Security Officers" surprised me so much that I had to let that settle a bit to understand the implications.

Looking at the FreeBSD Porters' Handbook [https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html], it describes the purpose of the package pre- and postinstallation scripts as to "set up the package so that it is as ready to use as possible".

It explicitly names only a few actions that are forbidden for them to do: "...must not be abused to start services, stop services, or run any other commands that will modify the currently running system."

Anything else is apparently deemed “allowed”. Spying out the machine and its configuration, sending that data to an external entity – perfectly OK.
Not a problem at all.

This has been proved by the handling of this last BSDstats security incident, where the FreeBSD “pkg” utility is being abused to run spyware without the users’ pre-knowledge and without his content.

This abuse is apparently being considered acceptable by both FreeBSD and HardenedBSD security officers.
Instead of taking action, you "security officers" tell the FreeBSD users that it is their own guilt that they got “pwnd”.
Just because they trustingly installed software from the package repo hosted by FreeBSD, without religiously-carefully auditing every and each packages' pre- and postinstallation script before actual install, using the “pkg -I” option.

Indeed, I felt very surprised that the “Security Officer” of “Hardened BSD” chimed in, only to publicly demonstrate his lack of competence to recognize obvious security problems.
Like two fish caught with a single hook!

Are you "Security Officers" aware that you basically are tearing down any trust that conventional, non-big-corporate users without large own IT staff can have in FreeBSD?

So, I believe that not only the reasons that made the Wireguard debacle possible need to be discussed. This discussion should not occur in hermetic private circles, but in public places like /r/freebsd, IT news outlets and other competent and independent media.

Not only Wireguard needs to be discussed, but also things like the responsibility for software that is not part of the base system, but nevertheless being distributed by the FreeBSD organization. Can it be ethically acceptable to put users at risk, for example by intentionally (?) not setting any limits to what extent installer scripts are allowed to collect sensitive user and system data and disclose them to interested third parties?

This should imho be discussed in public, leading to the formulation of rules which might help enabling users to trust FreeBSD.
[ Just to note: the porter of the package in question wrote me that it
never was the intention to run the scripts without user content. There
must have happened something/some action by someone, which led to this
behaviour. What actually happened, this can be analyzed.
For me, what actually matters is not this particular incident, but the
finding that spyware behavior of pre/postinstaller scripts is
apparently generally deemed acceptable and not actionable, according
to FreeBSD rules. So the problem are these rules, and not this last
incident. ]

On 4/6/21, Gordon Tetlow wrote:
> On Apr 6, 2021, at 7:42 AM, Shawn Webb wrote:
>>
>> On Tue, Apr 06, 2021 at 04:39:40PM +0200, Miroslav Lachman wrote:
>>> On 06/04/2021 16:27, Shawn Webb wrote:
>>>
>>>> 1. BSDStats isn't run/maintained by the FreeBSD project. File the
>>>> report with the BSDStats project, not FreeBSD.
>>>> 2. You install a package that is made to submit statistical data.
>>>> 3. You're upset that it submits statistical data?
>>>
>>> The problem here is that it collects and sends data right at the install
>>> time. It is really unexpected to run installed package without user
>>> consent.
>>> If you install Apache, MySQL or any other package the command / daemon is no
>>> run by "pkg install" command.
>>> This must be avoided.
>>
>> It's probably easier to submit a patch than it is to write a
>> lolwut-type email. All you gotta do is rm the post-install script.
>> Also `pkg install` has the -I option. But whatever, let the lolwut
>> mentality prevail!
>
> I had a conversation on the side with the requestor. In short, there is
> already a patch to address this issue in
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152
> . Not sure why it
> hasn't been committed yet, but hopefully it gets picked up shortly.
>
> Gordon
>

From owner-freebsd-security@freebsd.org Thu Apr 8 13:35:42 2021
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
From: Chris BeHanna
Date: Thu, 8 Apr 2021 07:35:33 -0600
Cc: Gordon Tetlow, Shawn Webb, Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Security Team, Ed Maste, FreeBSD-security@freebsd.org, cperciva@freebsd.org
Message-Id: <7079A789-03C3-4986-95A8-100252FDD9AD@behanna.org>
To: Stefan Blachmann

On Apr 7, 2021, at 8:50 PM, Stefan Blachmann wrote:
>
> The answers I got from both "Security Officers" surprised me so much
> that I had to let that settle a bit to understand the implications.
>
> Looking at the FreeBSD Porters' Handbook
> [https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html],
> it describes the purpose of the package pre- and postinstallation
> scripts as to "set up the package so that it is as ready to use as
> possible".
>
> It explicitly names only a few actions that are forbidden for them to
> do: "...must not be abused to start services, stop services, or run
> any other commands that will modify the currently running system."
>
> Anything else is apparently deemed “allowed”.
> Spying out the machine and its configuration, sending that data to an
> external entity – perfectly OK. Not a problem at all.
>
> This has been proved by the handling of this last BSDstats security
> incident, where the FreeBSD “pkg” utility is being abused to run
> spyware without the users’ pre-knowledge and without his content.
>
> This abuse is apparently being considered acceptable by both FreeBSD
> and HardenedBSD security officers.
> Instead of taking action, you "security officers" tell the FreeBSD
> users that it is their own guilt that they got “pwnd”.

This is an incredibly dishonest summary of their responses to you.
Gordon in particular wrote that it is NOT acceptable; however, rather than smash down the port's maintainer with the Security Officer sledgehammer, he preferred to give the maintainer some time to address the problem.

--
Chris BeHanna
chris@behanna.org

From owner-freebsd-security@freebsd.org Thu Apr 8 13:45:30 2021
In-Reply-To: <7079A789-03C3-4986-95A8-100252FDD9AD@behanna.org>
From: Kyle Evans
Date: Thu, 8 Apr 2021 08:45:16 -0500
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: Chris BeHanna
Cc: Stefan Blachmann, Gordon Tetlow, Shawn Webb, Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Security Team, Ed Maste, FreeBSD-security@freebsd.org, Colin Percival

On Thu, Apr 8, 2021 at 8:35 AM Chris BeHanna wrote:
>
> On Apr 7, 2021, at 8:50 PM, Stefan Blachmann wrote:
> >
> > The answers I got from both "Security Officers" surprised me so much
> > that I had to let that settle a bit to understand the implications.
> >
> > Looking at the FreeBSD Porters' Handbook
> > [https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html],
> > it describes the purpose of the package pre- and postinstallation
> > scripts as to "set up the package so that it is as ready to use as
> > possible".
> >
> > It explicitly names only a few actions that are forbidden for them to
> > do: "...must not be abused to start services, stop services, or run
> > any other commands that will modify the currently running system."
> >
> > Anything else is apparently deemed “allowed”.
> > Spying out the machine and its configuration, sending that data to an
> > external entity – perfectly OK. Not a problem at all.
> >
> > This has been proved by the handling of this last BSDstats security
> > incident, where the FreeBSD “pkg” utility is being abused to run
> > spyware without the users’ pre-knowledge and without his content.
> >
> > This abuse is apparently being considered acceptable by both FreeBSD
> > and HardenedBSD security officers.
> > Instead of taking action, you "security officers" tell the FreeBSD
> > users that it is their own guilt that they got “pwnd”.
>
> This is an incredibly dishonest summary of their responses to you. Gordon in particular wrote that it is NOT acceptable; however, rather than smash down the port's maintainer with the Security Officer sledgehammer, he preferred to give the maintainer some time to address the problem.
>

+1. Both of these reactions are way out of proportion, and Gordon's response was 100% the right thing to do. By his own admission he responded and looped in the port maintainer to the additional context, which is how it should be handled. If so@ smacked everyone that intentionally or unintentionally (as the case is here, clearly) did something that secteam's attention was raised to, then we would end up with a security officer that nobody on the project is willing to work with and their job becomes that much more difficult.
Thanks,

Kyle Evans

From owner-freebsd-security@freebsd.org Thu Apr 8 16:24:04 2021
Date: Thu, 8 Apr 2021 12:24:02 -0400
From: Shawn Webb
To: Stefan Blachmann
Cc: Gordon Tetlow, Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Security Team, Ed Maste, FreeBSD-security@freebsd.org, cperciva@freebsd.org
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
Message-ID: <20210408162402.en6dxevum7se2ndj@mutt-hbsd>

On Thu, Apr 08, 2021 at 04:50:17AM +0200, Stefan Blachmann wrote:
> The answers I got from both "Security Officers" surprised me so much
> that I had to let that settle a bit to understand the implications.
>
>
> Looking at the FreeBSD Porters' Handbook
> [https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html],
> it describes the purpose of the package pre- and postinstallation
> scripts as to "set up the package so that it is as ready to use as
> possible".
>
> It explicitly names only a few actions that are forbidden for them to
> do: "...must not be abused to start services, stop services, or run
> any other commands that will modify the currently running system."
>
> Anything else is apparently deemed “allowed”.
> Spying out the machine and its configuration, sending that data to an
> external entity – perfectly OK. Not a problem at all.
>
> This has been proved by the handling of this last BSDstats security
> incident, where the FreeBSD “pkg” utility is being abused to run
> spyware without the users’ pre-knowledge and without his content.
>
> This abuse is apparently being considered acceptable by both FreeBSD
> and HardenedBSD security officers.
> Instead of taking action, you "security officers" tell the FreeBSD
> users that it is their own guilt that they got “pwnd”.
> Just because they trustingly installed software from the package repo
> hosted by FreeBSD, without religiously-carefully auditing every and
> each packages' pre- and postinstallation script before actual install,
> using the “pkg -I” option.
>
> Indeed, I felt very surprised that the “Security Officer” of “Hardened
> BSD” chimed in, only to publicly demonstrate his lack of competence to
> recognize obvious security problems.
> Like two fish caught with a single hook!

1. Ad hominem much? I understand the underlying problem very well.
2. Your hostility is incredibly annoying.
3. You attribute malice where there is none.
4. This is volunteer work, where volunteers have everyone's well-being
   in mind.
5. Threatening to go to journalists accomplishes... what? What makes
   you think journalists are NOT paying attention to this list? What
   makes you think journalists care about you?
6. I really, really, really, really, really hate the "Karen" meme. But
   it fits incredibly well here.
7. Where can I review your patches that fix the problem?
8. Entitlement mentality much?

Sure, the bsdstats package shouldn't submit just on "pkg install."
Instead of fixing the problem, you went the hostile route.

I'm sure you won't learn anything from this, but I hope you do. To me,
it reinforces how random people feel entitled to force their will on
others.
Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

From owner-freebsd-security@freebsd.org Thu Apr 8 21:30:30 2021
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: Shawn Webb, Stefan Blachmann
Cc: Gordon Tetlow, freebsd-security@freebsd.org
From: Miroslav Lachman <000.fbsd@quip.cz>
Message-ID: <46d829ee-ab17-153c-399e-ef05946b522e@quip.cz>
Date: Thu, 8 Apr 2021 23:30:18 +0200
In-Reply-To: <20210408162402.en6dxevum7se2ndj@mutt-hbsd>

On 08/04/2021 18:24, Shawn Webb wrote:

[..]

> 1. Ad hominem much? I understand the underlying problem very well.
> 2. Your hostility is incredibly annoying.
> 3. You attribute malice where there is none.
> 4. This is volunteer work, where volunteers have everyone's well-being
> in mind.
> 5. Threatening to go to journalists accomplishes... what? What makes
> you think journalists are NOT paying attention to this list? What
> makes you think journalists care about you?
> 6. I really, really, really, really, really hate the "Karen" meme. But
> it fits incredibly well here.
> 7. Where can I review your patches that fix the problem?

To be honest, the original post contained a link to PR 251152 where Steve Wills posted a patch 2020-12-07. What more patch is needed? The same patch again? The fix was not committed for 5 months.
The sending of the data is not unintentional, as the maintainer stated in his comment #13 from 2020-12-29.
Even the code in periodic/monthly/300.statistics is written in a "very unusual way". There are cases with 3 switches:
if YES = run it
if NO = tell user to enable it
if anything else = run it

Is this how all periodic scripts should behave? I don't think so. It should run if _enable="YES" and be silent in any other case.

Again - the first patch was provided 5 months ago by Steve Wills and the problem was not fixed to this day because the maintainer thinks there is nothing to fix.

Your first jump in this thread with the "lolwut" reaction was very far from expected. Trying to neglect the problem, trying to say that FreeBSD is not responsible for how packages behave at install time and nobody should be upset that something sends data at install time...

Kind regards
Miroslav Lachman

> 8. Entitlement mentality much?
>
> Sure, the bsdstats package shouldn't submit just on "pkg install."
> Instead of fixing the problem, you went the hostile route.
>
> I'm sure you won't learn anything from this, but I hope you do. To me,
> it reinforces how random people feel entitled to force their will on
> others.
>
> Thanks,
>

From owner-freebsd-security@freebsd.org Fri Apr 9 00:31:11 2021
Date: Thu, 8 Apr 2021 17:31:01 -0700 (PDT)
From: Roger Marquis
To: Miroslav Lachman <000.fbsd@quip.cz>
cc: Shawn Webb, Stefan Blachmann, Gordon Tetlow, freebsd-security@freebsd.org
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg

Whatever the fix I hope we all agree that a policy is needed allowing or
requiring the ports and security teams to reject ports and patches which
exfiltrate (i.e., upload) _any_ local information without an explicit,
detailed and robust opt-in.

Roger Marquis

> On 08/04/2021 18:24, Shawn Webb wrote:
>
> [..]
>
>> 1. Ad hominem much? I understand the underlying problem very well.
>> 2. Your hostility is incredibly annoying.
>> 3. You attribute malice where there is none.
>> 4. This is volunteer work, where volunteers have everyone's well-being
>>    in mind.
>> 5. Threatening to go to journalists accomplishes... what? What makes
>>    you think journalists are NOT paying attention to this list? What
>>    makes you think journalists care about you?
>> 6. I really, really, really, really, really hate the "Karen" meme. But
>>    it fits incredibly well here.
>> 7. Where can I review your patches that fix the problem?
>
> To be honest, the original post contained a link to PR 251152 where Steve Wills
> posted patch 2020-12-07. What more patch is needed? The same patch again?
> The fix was not committed for 5 months
> The sending of the data is not unintentional as the maintainer stated in his
> comment #13 from 2020-12-29
>
> Even the code in periodic/monthly/300.statistics is written in "very unusual
> way". There are cases with 3 switches:
> if YES = run it
> if NO = tell user to enable it
> if anything else = run it
>
> Is this how all periodic scripts should behave? I don't think so. It should
> run if _enable="YES" and be silent in any other case.
>
> Again - the first patch was provided 5 months ago by Steve Wills and the
> problem was not fixed to this day because maintainer thinks there is nothing
> to fix.
>
> Your first jump in this thread with "lolwut" reaction was very far from
> expected. Trying to neglect the problem, trying to say that FreeBSD is not
> responsible for how packages behave in install time and nobody should be
> upset that something sends data on install time...
>
> Kind regards
> Miroslav Lachman
>
>> 8. Entitlement mentality much?
>>
>> Sure, the bsdstats package shouldn't submit just on "pkg install."
>> Instead of fixing the problem, you went the hostile route.
>>
>> I'm sure you won't learn anything from this, but I hope you do. To me,
>> it reinforces how random people feel entitled to force their will on
>> others.
>>
>> Thanks,
>>
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

From owner-freebsd-security@freebsd.org Fri Apr 9 01:55:31 2021
From: Mike Kelly
Date: Thu, 8 Apr 2021 21:55:18 -0400
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: Gordon Tetlow
Cc: Stefan Blachmann, Shawn Webb, Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Security Team, Ed Maste, FreeBSD-security@freebsd.org, cperciva@freebsd.org

On Wed, Apr 7, 2021 at 11:37 PM Gordon Tetlow via freebsd-security wrote:
>
> > Can it be ethically acceptable to put users at risk, for example by
> > intentionally (?) not setting any limits to what extent installer
> > scripts are allowed to collect sensitive user and system data and
> > disclose them to interested third parties?
>
> This is an interesting point. Unfortunately, the technology we have gives unfettered access to the system. I'm having a hard time thinking how we could achieve the goal of installing software (which in our model requires root privileges) while also limiting what it is allowed to do on said system. I'm not aware of any other package system (rpm, deb, etc) that has technical limits on pre/post installation scripts. If you are aware of any examples, I'd love to see it to see if there is something we can incorporate. Patches, as always, are welcome to improve the system.

For what it's worth, there is some "prior art" in other package
management systems for various levels of technical restrictions:

* Gentoo's Portage uses a library called "Sandbox"[1], which uses the
  LD_PRELOAD mechanism to put itself "first in line", and it intercepts
  various lower level calls that way to mitigate risk.
* Exherbo's Exheres packaging format (derived from Gentoo's) has their
  own sandboxing mechanisms[2] which are pretty broad in scope; I think
  under the hood it's using sydbox[3], which says it's using ptrace and
  seccomp to implement it (so it may be more resilient than an LD_PRELOAD
  approach).
* Debian's FakeRoot[4], which seems to use a similar mechanism, but I
  think this is only applied during the binary package building.
  LD_PRELOAD based as well
* InstallWatch[5] for RPM; seems like this isn't as maintained, so I
  can't find as many details, but again, I think this is only used during
  binary package builds

That said, I think all these just help protect against accidental
missteps, not malicious intent. There's obviously a lot of implicit
trust when you're running someone else's software.

[1] https://wiki.gentoo.org/wiki/Sandbox_(Portage)
[2] https://exherbo.org/docs/eapi/exheres-for-smarties.html#sandboxing
[3] https://github.com/sydbox/sydbox-1
[4] https://wiki.debian.org/FakeRoot
[5] https://asic-linux.com.mx/~izto/checkinstall/installwatch.html

--
Mike Kelly

From owner-freebsd-security@freebsd.org Thu Apr 8 22:19:02 2021
From: Stefan Blachmann
Date: Fri, 9 Apr 2021 00:18:59 +0200
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: Shawn Webb
Cc: Gordon Tetlow, Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Security Team, Ed Maste, FreeBSD-security@freebsd.org, cperciva@freebsd.org

The deeper-lying problem is the almost complete lack of policy what is
allowed and not for installer scripts.
And the complete lack of policy what to do in case of violations, no
matter whether intentional or not.

Other appstores (the pkg system is de facto an appstore) have policies
that are being enforced to protect their customers, for example by
(temporarily) taking down apps that behave dubiously.

When in lack of agreed-upon rules/policies/laws the "police" does not
dare to do anything, in fear to hurt anybody's feelings, isn't it then
a useless placebo police?

The issue has been reported and said to be fixed more than three
months ago, and the problem still is there like if nothing had been
done.

If you are not able to understand that advocators and users get angry
rightfully and want to have the deeper-lying issues addressed and
solved, which have led to such problems, then this might be a
complacency issue.
And from another perspective, it might be seen as an entitlement
mentality if developers expect users to fix their bugs, and even
provide them with ready-to-use patches.

I apologize if I hurt feelings by getting angered over this.
But seeing quite some people having tried to get the issue solved in a
quiet, polite manner without achieving any effective progress,
indicated to me that this approach would not be fruitful.
Sometimes it is necessary to raise the voice, even at the risk of
making oneself unpopular.

I would be happy if this incident would lead to a discussion and
setting up rules/policies that in future can prevent such things
happen and persist unsolved.

On 4/8/21, Shawn Webb wrote:
> On Thu, Apr 08, 2021 at 04:50:17AM +0200, Stefan Blachmann wrote:
>> The answers I got from both "Security Officers" surprised me so much
>> that I had to let that settle a bit to understand the implications.
>>
>>
>> Looking at the FreeBSD Porters' Handbook
>> [https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html],
>> it describes the purpose of the package pre- and postinstallation
>> scripts as to "set up the package so that it is as ready to use as
>> possible".
>>
>> It explicitly names only a few actions that are forbidden for them to
>> do: "...must not be abused to start services, stop services, or run
>> any other commands that will modify the currently running system."
>>
>> Anything else is apparently deemed “allowed”.
>> Spying out the machine and its configuration, sending that data to an
>> external entity – perfectly OK. Not a problem at all.
>>
>> This has been proved by the handling of this last BSDstats security
>> incident, where the FreeBSD “pkg” utility is being abused to run
>> spyware without the users’ pre-knowledge and without his content.
>>
>> This abuse is apparently being considered acceptable by both FreeBSD
>> and HardenedBSD security officers.
>> Instead of taking action, you "security officers" tell the FreeBSD
>> users that it is their own guilt that they got “pwnd”.
>> Just because they trustingly installed software from the package repo
>> hosted by FreeBSD, without religiously-carefully auditing every and
>> each packages' pre- and postinstallation script before actual install,
>> using the “pkg -I” option.
>>
>> Indeed, I felt very surprised that the “Security Officer” of “Hardened
>> BSD” chimed in, only to publicly demonstrate his lack of competence to
>> recognize obvious security problems.
>> Like two fish caught with a single hook!
>
> 1. Ad hominem much? I understand the underlying problem very well.
> 2. Your hostility is incredibly annoying.
> 3. You attribute malice where there is none.
> 4. This is volunteer work, where volunteers have everyone's well-being
>    in mind.
> 5. Threatening to go to journalists accomplishes... what? What makes
>    you think journalists are NOT paying attention to this list? What
>    makes you think journalists care about you?
> 6. I really, really, really, really, really hate the "Karen" meme. But
>    it fits incredibly well here.
> 7. Where can I review your patches that fix the problem?
> 8. Entitlement mentality much?
>
> Sure, the bsdstats package shouldn't submit just on "pkg install."
> Instead of fixing the problem, you went the hostile route.
>
> I'm sure you won't learn anything from this, but I hope you do. To me,
> it reinforces how random people feel entitled to force their will on
> others.
>
> Thanks,
>
> --
> Shawn Webb
> Cofounder / Security Engineer
> HardenedBSD
>
> https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
>

From owner-freebsd-security@freebsd.org Fri Apr 9 13:31:08 2021
From: Kyle Evans
Date: Fri, 9 Apr 2021 08:30:55 -0500
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: Stefan Blachmann
Cc: Shawn Webb, Gordon Tetlow, Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Security Team, Ed Maste, FreeBSD-security@freebsd.org, Colin Percival

I won't try to address everything you've said, but here's some
thoughts that came to mind as I read this:

It's been acknowledged that this is doing something that an install
script really shouldn't be doing; while there's no written policy
(maybe, I haven't looked again) there's definitely at least a social
convention that generally gets followed. Sometimes things slip through
the cracks.
I would propose that a more effective solution would have been an
e-mail to -ports@ or hopping on IRC to get someone to commit the patch
that was sitting there and, in a calmer tone, expressing that you think
this issue is more urgent than it had been treated up to that point. I
was personally put off by your initial post here, and thus less likely
to follow through with it as a result as a ports committer.

The other point that I'd like to bring up is that ports is delegated
ports-secteam@ purview, so this was misguided anyways as secteam should
be more of a last resort for ports-specific issues.

Thanks,

Kyle Evans

On Fri, Apr 9, 2021 at 4:22 AM Stefan Blachmann wrote:
>
> The deeper-lying problem is the almost complete lack of policy what is
> allowed and not for installer scripts.
> And the complete lack of policy what to do in case of violations, no
> matter whether intentional or not.
>
> Other appstores (the pkg system is de facto an appstore) have policies
> that are being enforced to protect their customers, for example by
> (temporarily) taking down apps that behave dubiously.
>
> When in lack of agreed-upon rules/policies/laws the "police" does not
> dare to do anything, in fear to hurt anybody's feelings, isn't it then
> a useless placebo police?
>
> The issue has been reported and said to be fixed more than three
> months ago, and the problem still is there like if nothing had been
> done.
>
> If you are not able to understand that advocators and users get angry
> rightfully and want to have the deeper-lying issues addressed and
> solved, which have led to such problems, then this might be a
> complacency issue.
> And from another perspective, it might be seen as an entitlement
> mentality if developers expect users to fix their bugs, and even
> provide them with ready-to-use patches.
>
> I apologize if I hurt feelings by getting angered over this.
> But seeing quite some people having tried to get the issue solved in a
> quiet, polite manner without achieving any effective progress,
> indicated to me that this approach would not be fruitful.
> Sometimes it is necessary to raise the voice, even at the risk of
> making oneself unpopular.
>
> I would be happy if this incident would lead to a discussion and
> setting up rules/policies that in future can prevent such things
> happen and persist unsolved.
>
> On 4/8/21, Shawn Webb wrote:
> > On Thu, Apr 08, 2021 at 04:50:17AM +0200, Stefan Blachmann wrote:
> >> The answers I got from both "Security Officers" surprised me so much
> >> that I had to let that settle a bit to understand the implications.
> >>
> >>
> >> Looking at the FreeBSD Porters' Handbook
> >> [https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html],
> >> it describes the purpose of the package pre- and postinstallation
> >> scripts as to "set up the package so that it is as ready to use as
> >> possible".
> >>
> >> It explicitly names only a few actions that are forbidden for them to
> >> do: "...must not be abused to start services, stop services, or run
> >> any other commands that will modify the currently running system."
> >>
> >> Anything else is apparently deemed “allowed”.
> >> Spying out the machine and its configuration, sending that data to an
> >> external entity – perfectly OK. Not a problem at all.
> >>
> >> This has been proved by the handling of this last BSDstats security
> >> incident, where the FreeBSD “pkg” utility is being abused to run
> >> spyware without the users’ pre-knowledge and without his content.
> >>
> >> This abuse is apparently being considered acceptable by both FreeBSD
> >> and HardenedBSD security officers.
> >> Instead of taking action, you "security officers" tell the FreeBSD
> >> users that it is their own guilt that they got “pwnd”.
> >> Just because they trustingly installed software from the package repo
> >> hosted by FreeBSD, without religiously-carefully auditing every and
> >> each packages' pre- and postinstallation script before actual install,
> >> using the “pkg -I” option.
> >>
> >> Indeed, I felt very surprised that the “Security Officer” of “Hardened
> >> BSD” chimed in, only to publicly demonstrate his lack of competence to
> >> recognize obvious security problems.
> >> Like two fish caught with a single hook!
> >
> > 1. Ad hominem much? I understand the underlying problem very well.
> > 2. Your hostility is incredibly annoying.
> > 3. You attribute malice where there is none.
> > 4. This is volunteer work, where volunteers have everyone's well-being
> >    in mind.
> > 5. Threatening to go to journalists accomplishes... what? What makes
> >    you think journalists are NOT paying attention to this list? What
> >    makes you think journalists care about you?
> > 6. I really, really, really, really, really hate the "Karen" meme. But
> >    it fits incredibly well here.
> > 7. Where can I review your patches that fix the problem?
> > 8. Entitlement mentality much?
> >
> > Sure, the bsdstats package shouldn't submit just on "pkg install."
> > Instead of fixing the problem, you went the hostile route.
> >
> > I'm sure you won't learn anything from this, but I hope you do. To me,
> > it reinforces how random people feel entitled to force their will on
> > others.
> >
> > Thanks,
> >
> > --
> > Shawn Webb
> > Cofounder / Security Engineer
> > HardenedBSD
> >
> > https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
> >

From owner-freebsd-security@freebsd.org Fri Apr 9 16:37:52 2021
c3Y65Gju1pU/8MC0tdkZgtHNHRdYtccFdRzsFHYbHs3oOUgZs9fgN0xiEJnMruk3N1bN 9qxg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=06v7C5AaLq5+zeEPIAihpOBeiupteFsSBWqeRKEzni8=; b=SeLdzbmiRS0HH4WLxL58cb3jNI/Mxg6uUWq2v7Qx3AK5y0FB2ijEL00+FXHs8dBF+S pickrKzGzwC4FxYQcarW/yD9ZoFkuK3RW8Ch/ji/atAc7AsLWo1Iqedv5JaX2ByUSy2r jqUVsqJqJ7eWtCk5IWd42x8qpmAtqM7FOcObj7kBaZxXHhAa7WlBueoMFWpPVscHbfPE kEzwb9T1S7GreQF1ecxX3yEiXqXDnKEE0g4bdkDtkWMqPqaWvSgHbgZWIw8aG703OAsj +7AsRr4hF6AMSlhuYKqHjrphfjKmbpDr6KLVKuyy1WIo4xhcjIIj2Q/RXP27D7vAIP2J X/Sw== X-Gm-Message-State: AOAM533HqOq/txkOzMU3/pn1mr7Mp//cNz12xsiQxxnHuXAuQ0EUfeVK Yr8N8p1v2QAO7qn6DTNxkAWEBTq4WN5ap1OD986bc+ZfZRs= X-Google-Smtp-Source: ABdhPJx3clTYTYnMl7hGzJr35yG8R0MfDZm8JajAAAEKbU4AHkGczJXDePqUddSo23T4Sd4VPb4u3aS5XYTsrYa4ZHw= X-Received: by 2002:a2e:b4b4:: with SMTP id q20mr9616180ljm.45.1617986269098; Fri, 09 Apr 2021 09:37:49 -0700 (PDT) MIME-Version: 1.0 References: <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd> <6fcb2d1a-929e-c1fe-0273-42858ec547ec@quip.cz> <20210406144222.gbgjcc7jsozsl2m2@mutt-hbsd> <410E4486-F9CF-41C3-9396-BD307AF2325F@tetlows.org> <20210408162402.en6dxevum7se2ndj@mutt-hbsd> In-Reply-To: From: Johannes Meixner Date: Fri, 9 Apr 2021 18:37:37 +0200 Message-ID: Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg To: Stefan Blachmann Cc: freebsd-security X-Rspamd-Queue-Id: 4FH3hc08gXz4swx X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] X-Mailman-Approved-At: Fri, 09 Apr 2021 20:04:14 +0000 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.34 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only 
posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Apr 2021 16:37:52 -0000 This is getting tiresome. Please have a look the relevant handbook passage before shitpoasting on a security mailing list. At https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install= .html you can find strongly worded notes on this topic. Important: This script is here to help you set up the package so that it is as ready to use as possible. It *must not* be abused to start services, stop services, or run any other commands that will modify the currently running system. Which part of "must not" is unclear? Lapses happen - we have policies to prevent them ahead of time and yet, things can still fall through. Get on with it. On Fri, 9 Apr 2021, 11:22 Stefan Blachmann, wrote: > The deeper-lying problem is the almost complete lack of policy what is > allowed and not for installer scripts. > And the complete lack of policy what to do in case of violations, no > matter whether intentional or not. > > Other appstores (the pkg system is de facto an appstore) have policies > that are being enforced to protect their customers, for example by > (temporarily) taking down apps that behave dubiously. > > When in lack of agreed-upon rules/policies/laws the "police" does not > dare to do anything, in fear to hurt anybody's feelings, isn't it then > an useless placebo police? > > The issue has been reported and said to be fixed more than three > months ago, and the problem still is there like if nothing had be > done. > > If you are not able to understand that advocators and users get angry > rightfully and want to have the deeper-lying issues addressed and > solved, which have led to such problems, then this might be a > complacency issue. > And from another perspective, it might be seen as an entitlement > mentality if developers expect users to fix their bugs, and even > provide them with ready-to-use patches. 
>
> I apologize if I hurt feelings by getting angered over this.
> But seeing quite some people having tried to get the issue solved in a
> quiet, polite manner without achieving any effective progress,
> indicated to me that this approach would not be fruitful.
> Sometimes it is necessary to raise the voice, even at the risk of
> making oneself unpopular.
>
> I would be happy if this incident would lead to a discussion and
> setting up rules/policies that in future can prevent such things
> happen and persist unsolved.
>
> On 4/8/21, Shawn Webb wrote:
> > On Thu, Apr 08, 2021 at 04:50:17AM +0200, Stefan Blachmann wrote:
> >> The answers I got from both "Security Officers" surprised me so much
> >> that I had to let that settle a bit to understand the implications.
> >>
> >>
> >> Looking at the FreeBSD Porters' Handbook
> >> [
> https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html
> ],
> >> it describes the purpose of the package pre- and postinstallation
> >> scripts as to "set up the package so that it is as ready to use as
> >> possible".
> >>
> >> It explicitly names only a few actions that are forbidden for them to
> >> do: "...must not be abused to start services, stop services, or run
> >> any other commands that will modify the currently running system."
> >>
> >> Anything else is apparently deemed “allowed”.
> >> Spying out the machine and its configuration, sending that data to an
> >> external entity – perfectly OK. Not a problem at all.
> >>
> >> This has been proved by the handling of this last BSDstats security
> >> incident, where the FreeBSD “pkg” utility is being abused to run
> >> spyware without the users’ pre-knowledge and without his consent.
> >>
> >> This abuse is apparently being considered acceptable by both FreeBSD
> >> and HardenedBSD security officers.
> >> Instead of taking action, you "security officers" tell the FreeBSD
> >> users that it is their own guilt that they got “pwnd”.
> >> Just because they trustingly installed software from the package repo
> >> hosted by FreeBSD, without religiously-carefully auditing every and
> >> each packages' pre- and postinstallation script before actual install,
> >> using the “pkg -I” option.
> >>
> >> Indeed, I felt very surprised that the “Security Officer” of “Hardened
> >> BSD” chimed in, only to publicly demonstrate his lack of competence to
> >> recognize obvious security problems.
> >> Like two fish caught with a single hook!
> >
> > 1. Ad hominem much? I understand the underlying problem very well.
> > 2. Your hostility is incredibly annoying.
> > 3. You attribute malice where there is none.
> > 4. This is volunteer work, where volunteers have everyone's well-being
> > in mind.
> > 5. Threatening to go to journalists accomplishes... what? What makes
> > you think journalists are NOT paying attention to this list? What
> > makes you think journalists care about you?
> > 6. I really, really, really, really, really hate the "Karen" meme. But
> > it fits incredibly well here.
> > 7. Where can I review your patches that fix the problem?
> > 8. Entitlement mentality much?
> >
> > Sure, the bsdstats package shouldn't submit just on "pkg install."
> > Instead of fixing the problem, you went the hostile route.
> >
> > I'm sure you won't learn anything from this, but I hope you do. To me,
> > it reinforces how random people feel entitled to force their will on
> > others.
> >
> > Thanks,
> >
> > --
> > Shawn Webb
> > Cofounder / Security Engineer
> > HardenedBSD
> >
> >
> https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
> >
>
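
The Porter's Handbook rule quoted in this thread, expressed as a pre-install check; this is an added example, not code from the thread, the handbook or pkg. It scans a package manifest's install scripts for service control and network clients. The manifest layout (a JSON `scripts` object keyed by phase), the sample package and the rule list are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample: a package manifest reduced to the fields used here.
# Assumption: install scripts sit under "scripts", keyed by phase name.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-stats",
    "version": "1.0",
    "scripts": {
        "pre-install": "# nothing to do\n",
        "post-install": (
            "echo 'Installed example-stats'\n"
            "service example_stats onestart\n"
            "fetch -qo /dev/null https://stats.example.invalid/ping\n"
        ),
    },
})

# Hypothetical heuristics: (label, regex) pairs, not an official policy list.
RULES = [
    ("starts/stops a service",
     re.compile(r"\bservice\s+\S+\s+(one)?(start|stop|restart)\b")),
    ("runs an rc.d script",
     re.compile(r"/etc/rc\.d/\S+\s+(one)?(start|stop|restart)\b")),
    ("network client invoked",
     re.compile(r"\b(fetch|curl|wget|nc|ftp)\b")),
    ("changes running system",
     re.compile(r"\b(sysctl\s+\S+=|kldload|kldunload)")),
]


def audit_manifest(manifest_text):
    """Return sorted (phase, line_no, label) findings for install scripts."""
    scripts = json.loads(manifest_text).get("scripts", {})
    findings = []
    for phase, body in scripts.items():
        for line_no, line in enumerate(body.splitlines(), start=1):
            code = line.split("#", 1)[0]  # ignore shell comments
            for label, pattern in RULES:
                if pattern.search(code):
                    findings.append((phase, line_no, label))
    return sorted(findings)


if __name__ == "__main__":
    for phase, line_no, label in audit_manifest(SAMPLE_MANIFEST):
        print(f"{phase}:{line_no}: {label}")
```

Pattern matching of this kind only catches direct invocations; a script that calls the package's own binary, which then phones home, passes unflagged and still needs a manual read.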