From owner-freebsd-bugs@FreeBSD.ORG Thu Apr 10 16:30:01 2014 Return-Path: Delivered-To: freebsd-bugs@smarthost.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 00864335 for ; Thu, 10 Apr 2014 16:30:00 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B9DE016A4 for ; Thu, 10 Apr 2014 16:30:00 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.8/8.14.8) with ESMTP id s3AGU0nZ042090 for ; Thu, 10 Apr 2014 16:30:00 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.8/8.14.8/Submit) id s3AGU0eA042089; Thu, 10 Apr 2014 16:30:00 GMT (envelope-from gnats) Resent-Date: Thu, 10 Apr 2014 16:30:00 GMT Resent-Message-Id: <201404101630.s3AGU0eA042089@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, David Noel Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id BE865266 for ; Thu, 10 Apr 2014 16:24:06 +0000 (UTC) Received: from cgiserv.freebsd.org (cgiserv.freebsd.org [IPv6:2001:1900:2254:206a::50:4]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id ABBEC164E for ; Thu, 10 Apr 2014 16:24:06 +0000 (UTC) Received: from cgiserv.freebsd.org ([127.0.1.6]) by cgiserv.freebsd.org (8.14.8/8.14.8) with ESMTP id s3AGO6Pa034930 for ; Thu, 10 Apr 2014 16:24:06 GMT (envelope-from nobody@cgiserv.freebsd.org) Received: (from nobody@localhost) by cgiserv.freebsd.org (8.14.8/8.14.8/Submit) id s3AGO6Rv034923; Thu, 10 Apr 2014 16:24:06 GMT (envelope-from nobody) Message-Id: <201404101624.s3AGO6Rv034923@cgiserv.freebsd.org> Date: Thu, 10 Apr 2014 16:24:06 GMT From: David Noel To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.1 Subject: kern/188429: MITM attacks against freebsd-update X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Apr 2014 16:30:01 -0000 >Number: 188429 >Category: kern >Synopsis: MITM attacks against freebsd-update >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Apr 10 16:30:00 UTC 2014 >Closed-Date: >Last-Modified: >Originator: David Noel >Release: 9.2 >Organization: >Environment: >Description: freebsd-update.sh extracts fetched data prior to its SHA256 verification. The extraction libraries used have a long history of bugs so it’s reasonable to assume there might be more. freebsd-update runs as root. Using a vulnerability in the decompression libraries an attacker who was MITM-capable could compromise any FreeBSD system running freebsd-update. >How-To-Repeat: >Fix: Solution Summary: a re-working of the snapshot hashing and hash verification process. The functions of concern in freebsd-update.sh are fetch_metadata(), fetch_files_premerge(), and fetch_files(). >Release-Note: >Audit-Trail: >Unformatted: