From owner-freebsd-security@freebsd.org Tue Apr 6 14:27:37 2021
Date: Tue, 6 Apr 2021 10:27:35 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Stefan Blachmann
Cc: secteam@freebsd.org, emaste@freebsd.org, FreeBSD-security@freebsd.org, cperciva@freebsd.org
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
Message-ID: <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd>
X-Operating-System: FreeBSD mutt-hbsd 14.0-CURRENT-HBSD
X-PGP-Key: https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/blob/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
List-Id: "Security issues [members-only posting]"
On Tue, Apr 06, 2021 at 03:11:31AM +0200, Stefan Blachmann wrote:
> Hello,
>
> I had a very distressing experience today.
> I installed a package to view its scripts (and *not* to run them!).
>
> I was shocked when pkg told me that my system configuration, including
> which packages and their versions are installed on my system, has been
> sent to an external entity, without asking for my consent.
>
> This is a security leak as well as a breach of EU data protection
> rules, but above all, it is a breach of trust of the unsuspecting
> FreeBSD users.
>
> Read this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152
> And read my experience in this and the following forum posts:
> https://forums.freebsd.org/threads/toplist-freebsd-usage-per-1m-inhabitants.79669/post-504430
>
> If this does not get fixed in short time, I will contact ArsTechnica,
> TheRegister and some other reputed IT news outlets, to create public
> pressure to get the issue resolved.
>
> So please get this fixed and report back.

1. BSDStats isn't run/maintained by the FreeBSD project. File the report with the BSDStats project, not FreeBSD.
2. You install a package that is made to submit statistical data.
3. You're upset that it submits statistical data?
lolwut,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc