From owner-freebsd-security@freebsd.org Thu Apr 8 22:19:02 2021
From: Stefan Blachmann
Date: Fri, 9 Apr 2021 00:18:59 +0200
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: Shawn Webb
Cc: Gordon Tetlow, Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Security Team, Ed Maste, FreeBSD-security@freebsd.org, cperciva@freebsd.org
In-Reply-To: <20210408162402.en6dxevum7se2ndj@mutt-hbsd>
List-Id: "Security issues [members-only posting]"

The deeper-lying problem is the almost complete lack of a policy on what is allowed and what is not for installer scripts.
And the complete lack of a policy on what to do in case of violations, no matter whether intentional or not.

Other app stores (the pkg system is de facto an app store) have policies that are enforced to protect their customers, for example by (temporarily) taking down apps that behave dubiously.

When, lacking agreed-upon rules/policies/laws, the "police" does not dare to do anything, for fear of hurting anybody's feelings, isn't it then a useless placebo police?

The issue was reported and said to be fixed more than three months ago, and the problem is still there as if nothing had been done.

If you are not able to understand that advocates and users rightfully get angry and want the deeper-lying issues that have led to such problems addressed and solved, then this might be a complacency issue.

And from another perspective, it might be seen as an entitlement mentality if developers expect users to fix their bugs, and even to provide them with ready-to-use patches.

I apologize if I hurt feelings by getting angered over this. But seeing quite a few people having tried to get the issue solved in a quiet, polite manner without achieving any effective progress indicated to me that this approach would not be fruitful. Sometimes it is necessary to raise one's voice, even at the risk of making oneself unpopular.

I would be happy if this incident led to a discussion and to setting up rules/policies that in future can prevent such things from happening and persisting unsolved.

On 4/8/21, Shawn Webb wrote:
> On Thu, Apr 08, 2021 at 04:50:17AM +0200, Stefan Blachmann wrote:
>> The answers I got from both "Security Officers" surprised me so much
>> that I had to let that settle a bit to understand the implications.
>>
>> Looking at the FreeBSD Porters' Handbook
>> [https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html],
>> it describes the purpose of the package pre- and post-installation
>> scripts as to "set up the package so that it is as ready to use as
>> possible".
>>
>> It explicitly names only a few actions that are forbidden for them to
>> do: "...must not be abused to start services, stop services, or run
>> any other commands that will modify the currently running system."
>>
>> Anything else is apparently deemed "allowed".
>> Spying out the machine and its configuration, sending that data to an
>> external entity – perfectly OK. Not a problem at all.
>>
>> This has been proved by the handling of this last BSDstats security
>> incident, where the FreeBSD "pkg" utility is being abused to run
>> spyware without the users' pre-knowledge and without their consent.
>>
>> This abuse is apparently being considered acceptable by both FreeBSD
>> and HardenedBSD security officers.
>> Instead of taking action, you "security officers" tell the FreeBSD
>> users that it is their own guilt that they got "pwnd".
>> Just because they trustingly installed software from the package repo
>> hosted by FreeBSD, without religiously-carefully auditing each and
>> every package's pre- and post-installation script before the actual
>> install, using the "pkg -I" option.
>>
>> Indeed, I felt very surprised that the "Security Officer" of "Hardened
>> BSD" chimed in, only to publicly demonstrate his lack of competence to
>> recognize obvious security problems.
>> Like two fish caught with a single hook!
>
> 1. Ad hominem much? I understand the underlying problem very well.
> 2. Your hostility is incredibly annoying.
> 3. You attribute malice where there is none.
> 4. This is volunteer work, where volunteers have everyone's well-being
> in mind.
> 5. Threatening to go to journalists accomplishes... what? What makes
> you think journalists are NOT paying attention to this list? What
> makes you think journalists care about you?
> 6. I really, really, really, really, really hate the "Karen" meme. But
> it fits incredibly well here.
> 7. Where can I review your patches that fix the problem?
> 8. Entitlement mentality much?
>
> Sure, the bsdstats package shouldn't submit just on "pkg install."
> Instead of fixing the problem, you went the hostile route.
>
> I'm sure you won't learn anything from this, but I hope you do. To me,
> it reinforces how random people feel entitled to force their will on
> others.
>
> Thanks,
>
> --
> Shawn Webb
> Cofounder / Security Engineer
> HardenedBSD
>
> https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
>