From owner-freebsd-security@freebsd.org Fri Apr 9 13:31:08 2021
From: Kyle Evans
Date: Fri, 9 Apr 2021 08:30:55 -0500
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: Stefan Blachmann
Cc: Shawn Webb, Gordon Tetlow, Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Security Team, Ed Maste, FreeBSD-security@freebsd.org, Colin Percival

I won't try to address everything you've said, but here are some thoughts that came to mind as I read this:

It's been acknowledged that this is doing something that an install script really shouldn't be doing; while there's no written policy (maybe, I haven't looked again) there's definitely at least a social convention that generally gets followed. Sometimes things slip through the cracks.

I would propose that a more effective solution would have been an e-mail to -ports@ or hopping on IRC to get someone to commit the patch that was sitting there and, in a calmer tone, expressing that you think this issue is more urgent than it had been treated up to that point. I was personally put off by your initial post here, and thus less likely to follow through with it as a result as a ports committer.

The other point that I'd like to bring up is that ports is delegated ports-secteam@ purview, so this was misguided anyways as secteam should be more of a last resort for ports-specific issues.

Thanks,

Kyle Evans

On Fri, Apr 9, 2021 at 4:22 AM Stefan Blachmann wrote:
>
> The deeper-lying problem is the almost complete lack of policy what is
> allowed and not for installer scripts.
> And the complete lack of policy what to do in case of violations, no
> matter whether intentional or not.
>
> Other appstores (the pkg system is de facto an appstore) have policies
> that are being enforced to protect their customers, for example by
> (temporarily) taking down apps that behave dubiously.
>
> When in lack of agreed-upon rules/policies/laws the "police" does not
> dare to do anything, in fear to hurt anybody's feelings, isn't it then
> a useless placebo police?
>
> The issue has been reported and said to be fixed more than three
> months ago, and the problem still is there as if nothing had been
> done.
>
> If you are not able to understand that advocators and users get angry
> rightfully and want to have the deeper-lying issues addressed and
> solved, which have led to such problems, then this might be a
> complacency issue.
> And from another perspective, it might be seen as an entitlement
> mentality if developers expect users to fix their bugs, and even
> provide them with ready-to-use patches.
>
> I apologize if I hurt feelings by getting angered over this.
> But seeing quite some people having tried to get the issue solved in a
> quiet, polite manner without achieving any effective progress,
> indicated to me that this approach would not be fruitful.
> Sometimes it is necessary to raise the voice, even at the risk of
> making oneself unpopular.
>
> I would be happy if this incident would lead to a discussion and
> setting up rules/policies that in future can prevent such things from
> happening and persisting unsolved.
>
> On 4/8/21, Shawn Webb wrote:
> > On Thu, Apr 08, 2021 at 04:50:17AM +0200, Stefan Blachmann wrote:
> >> The answers I got from both "Security Officers" surprised me so much
> >> that I had to let that settle a bit to understand the implications.
> >>
> >>
> >> Looking at the FreeBSD Porters' Handbook
> >> [https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html],
> >> it describes the purpose of the package pre- and postinstallation
> >> scripts as to "set up the package so that it is as ready to use as
> >> possible".
> >>
> >> It explicitly names only a few actions that are forbidden for them to
> >> do: "...must not be abused to start services, stop services, or run
> >> any other commands that will modify the currently running system."
> >>
> >> Anything else is apparently deemed “allowed”.
> >> Spying out the machine and its configuration, sending that data to an
> >> external entity – perfectly OK. Not a problem at all.
> >>
> >> This has been proved by the handling of this last BSDstats security
> >> incident, where the FreeBSD “pkg” utility is being abused to run
> >> spyware without the users’ pre-knowledge and without his consent.
> >>
> >> This abuse is apparently being considered acceptable by both FreeBSD
> >> and HardenedBSD security officers.
> >> Instead of taking action, you "security officers" tell the FreeBSD
> >> users that it is their own guilt that they got “pwnd”.
> >> Just because they trustingly installed software from the package repo
> >> hosted by FreeBSD, without religiously-carefully auditing every and
> >> each package's pre- and postinstallation script before actual install,
> >> using the “pkg -I” option.
> >>
> >> Indeed, I felt very surprised that the “Security Officer” of “Hardened
> >> BSD” chimed in, only to publicly demonstrate his lack of competence to
> >> recognize obvious security problems.
> >> Like two fish caught with a single hook!
> >
> > 1. Ad hominem much? I understand the underlying problem very well.
> > 2. Your hostility is incredibly annoying.
> > 3. You attribute malice where there is none.
> > 4. This is volunteer work, where volunteers have everyone's well-being
> > in mind.
> > 5. Threatening to go to journalists accomplishes... what? What makes
> > you think journalists are NOT paying attention to this list? What
> > makes you think journalists care about you?
> > 6. I really, really, really, really, really hate the "Karen" meme. But
> > it fits incredibly well here.
> > 7. Where can I review your patches that fix the problem?
> > 8. Entitlement mentality much?
> >
> > Sure, the bsdstats package shouldn't submit just on "pkg install."
> > Instead of fixing the problem, you went the hostile route.
> >
> > I'm sure you won't learn anything from this, but I hope you do. To me,
> > it reinforces how random people feel entitled to force their will on
> > others.
> >
> > Thanks,
> >
> > --
> > Shawn Webb
> > Cofounder / Security Engineer
> > HardenedBSD
> >
> > https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc