From owner-freebsd-ports-bugs@freebsd.org  Mon Nov 13 11:57:27 2017
Return-Path: <owner-freebsd-ports-bugs@freebsd.org>
Delivered-To: freebsd-ports-bugs@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 59D1ADB81A9
 for <freebsd-ports-bugs@mailman.ysv.freebsd.org>;
 Mon, 13 Nov 2017 11:57:27 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 307836B1B9
 for <freebsd-ports-bugs@FreeBSD.org>; Mon, 13 Nov 2017 11:57:27 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id vADBvQPn077512
 for <freebsd-ports-bugs@FreeBSD.org>; Mon, 13 Nov 2017 11:57:27 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 223647] net/chrony: remove dubious security warning
Date: Mon, 13 Nov 2017 11:57:26 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Version: Latest
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: decke@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-ports-bugs@FreeBSD.org
X-Bugzilla-Flags: maintainer-feedback?
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter cc
 flagtypes.name
Message-ID: <bug-223647-13@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: Ports bug reports <freebsd-ports-bugs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-ports-bugs>, 
 <mailto:freebsd-ports-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports-bugs/>
List-Post: <mailto:freebsd-ports-bugs@freebsd.org>
List-Help: <mailto:freebsd-ports-bugs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
 <mailto:freebsd-ports-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Nov 2017 11:57:27 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D223647

            Bug ID: 223647
           Summary: net/chrony: remove dubious security warning
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs@FreeBSD.org
          Reporter: decke@FreeBSD.org
                CC: yonas@fizk.net
                CC: yonas@fizk.net
             Flags: maintainer-feedback?(yonas@fizk.net)

The chrony port has since it's appearance in the ports tree in r350635 (Apr=
il
2014) the following security warning after installation:

"Unfortunately, this software has shameful history of several vulnerabiliti=
es
previously discovered.  FreeBSD Project cannot guarantee that this spree had
come to an end.  It is further complicated, as chronyd(8) requires superuser
permissions to operate; please type ``make deinstall'' to deinstall the port
if tight security is a concern."

The "requires superuser" part has become invalid in 2017 with r434012 when =
the
maintainer decided to use the privilege dropping feature in the port. In the
chrony code it seems this code was available for a very long time already.

What remains is a dubious security warning for the chrony port without any
technical arguments. In the FreeBSD portstree it's not our job to tell our
"feelings" about probable future security risks. We should provide CVE and =
CPE
information (already exists in the port) and warn people about EXISTING and
KNOWN vulnerabilities.

In addition to that a recent security audit exists which came to a complete=
ly
different conclusion about the chrony security situation:

"The overwhelmingly positive result of this security assignment performed by
three Cure53 testers can be clearly inferred from a marginal number and
low-risk nature of the findings amassed in this report. Withstanding eleven
full days of on-remote testing in August of 2017 means that Chrony is robus=
t,
strong, and developed with security in mind. The software boasts sound desi=
gn
and is secure across all tested areas. It is quite safe to assume that unte=
sted
software in the Chrony family is of a similarly exceptional quality. In
general, the software proved to be well-structured and marked by the right
abstractions at the appropriate locations. While the functional scope of the
software is quite wide, the actual implementation is surprisingly elegant a=
nd
of a minimal and just necessary complexity. In sum, the Chrony NTP software
stands solid and can be seen as trustworthy."

https://www.linuxfoundation.org/blog/cii-audit-identifies-secure-ntp-implem=
entation/

https://wiki.mozilla.org/images/e/e4/Chrony-report.pdf


The longterm CVE history also seems quite reasonable in comparison to other=
 NTP
implementations:

https://www.cvedetails.com/vulnerability-list/vendor_id-10533/product_id-18=
821/Tuxfamily-Chrony.html


I will add a few parties to the loop to make sure all opinions are heard and
will keep this bug open for at least a month to make sure people have a cha=
nce
to respond.

--=20
You are receiving this mail because:
You are the assignee for the bug.=