From owner-freebsd-security@freebsd.org Tue Apr 6 14:42:28 2021
Date: Tue, 6 Apr 2021 10:42:22 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: Stefan Blachmann, secteam@freebsd.org, emaste@freebsd.org, FreeBSD-security@freebsd.org, cperciva@freebsd.org
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
Message-ID: <20210406144222.gbgjcc7jsozsl2m2@mutt-hbsd>
In-Reply-To: <6fcb2d1a-929e-c1fe-0273-42858ec547ec@quip.cz>
List-Id: "Security issues [members-only posting]"

On Tue, Apr 06, 2021 at 04:39:40PM +0200, Miroslav Lachman wrote:
> On 06/04/2021 16:27, Shawn Webb wrote:
>
> > 1. BSDStats isn't run/maintained by the FreeBSD project. File the
> > report with the BSDStats project, not FreeBSD.
> > 2. You install a package that is made to submit statistical data.
> > 3. You're upset that it submits statistical data?
>
> The problem here is that it collects and sends data right at the install
> time. It is really unexpected to run an installed package without user consent.
> If you install Apache, MySQL or any other package, the command / daemon is not
> run by the "pkg install" command.
> This must be avoided.

It's probably easier to submit a patch than it is to write a lolwut-type
email. All you gotta do is rm the post-install script.

Also `pkg install` has the -I option.

But whatever, let the lolwut mentality prevail!

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
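Checking a package archive for install-time script hooks before installing it (and before deciding whether to use the `-I` option mentioned above), as an added example that is not part of this thread and not BSDStats' or the FreeBSD project's code. It assumes pkg's archive layout of a top-level +MANIFEST with an optional "scripts" object keyed by hook name, and uses a constructed sample archive.

```shell
#!/bin/sh
# Added example (not from the thread): list the install/upgrade script
# hooks a pkg(8) archive carries, so the reviewer can read them before
# installing, or install with `pkg install -I` to skip them.
# Assumption: the archive holds a top-level +MANIFEST whose optional
# "scripts" object uses the hook names below (pkg's manifest layout).

HOOKS="pre-install post-install pre-deinstall post-deinstall pre-upgrade post-upgrade"

# list_pkg_scripts <archive>: print each hook present, one per line.
# Returns 0 if at least one hook was found, 1 if none, 2 if the
# archive has no readable +MANIFEST.
list_pkg_scripts() {
    manifest=$(tar -xOf "$1" '+MANIFEST' 2>/dev/null) || return 2
    found=1
    for hook in $HOOKS; do
        if printf '%s\n' "$manifest" | grep -q "\"$hook\""; then
            printf '%s\n' "$hook"
            found=0
        fi
    done
    return "$found"
}

# make_sample_pkg: build a constructed archive (not a real BSDStats
# package) that carries only a post-install hook, and print its path.
make_sample_pkg() {
    d=$(mktemp -d)
    printf '%s\n' '{"name":"sample-stats","version":"1.0",' \
        '"scripts":{"post-install":"echo would submit data here"}}' \
        > "$d/+MANIFEST"
    tar -cf "$d/sample-stats-1.0.pkg" -C "$d" '+MANIFEST'
    printf '%s\n' "$d/sample-stats-1.0.pkg"
}

# Demo: inspect the constructed archive.
pkg_file=$(make_sample_pkg)
if list_pkg_scripts "$pkg_file"; then
    echo "$pkg_file carries install-time scripts; review them first"
else
    echo "$pkg_file has no script hooks"
fi
```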