From owner-freebsd-security@freebsd.org Wed Aug 10 11:41:18 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C6C0FBB4E36 for ; Wed, 10 Aug 2016 11:41:18 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: from mail-qt0-x22f.google.com (mail-qt0-x22f.google.com [IPv6:2607:f8b0:400d:c0d::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 7918B1968 for ; Wed, 10 Aug 2016 11:41:18 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: by mail-qt0-x22f.google.com with SMTP id x25so19216907qtx.2 for ; Wed, 10 Aug 2016 04:41:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hardenedbsd-org.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=MmLOkCO/bGM5kxsSevO9a5qUEK1duUiinmARra2Gh0I=; b=zXAoJS7TLKv1DDfCsjl+PJ3WopvR8qxcY78N1K4rEm6VhyI+CvzSwflt6/A/K77UA0 9rZUSchCuRaM1fm4lTq4mjvaJsMu7WNkvpIitvnlZdNZVIMWhT8LRvZHYdBMxS92OgwZ FDQsA8OLv2R/O4Ae2gK9bUcC3eUqC6gV2sN8muwa6sTj07jArhlHo3Z79Jaedr40/sJ1 nZYtuQ6CDvU4hcSE+uA/JvxWje5DXznpSxZtSXGJc4JTJr34JJ8MD2T7j5Kfs0T6bYDX yTorxgUce3RDqKk6+HtqKdOSWAFz1FRARIAAwrS62Z7ljf/rgpXIIb6apR4o0kYuSAR+ lYjg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=MmLOkCO/bGM5kxsSevO9a5qUEK1duUiinmARra2Gh0I=; b=CdL7LC6SXUPgqo1G0hHCabwyLOtsBd0sV9P3KGgRzM3Dv1NbjnG4OmY04J3JWqDyYY gMJK4XnfgQFlq1NttmW3tGjbTABl9SMGfur/FaiPMhVyJNZFBF0VsLpaKA+yLvas0b08 2RvebN2sBSBr47QAOf/J4RQOhppOulAXIpHHzbk3DBop2eep9mBgMSG3n3TBIM1tTwxx I2rWlAnGFMku+NX8GqlCtXM72re4cvT41aZxpTmRN5prPl6/SgzV1SixE/h9WVFaqw6t 6EfPU/F7OC9+XWynAE0nNyOrPqsWsDjaQnCIcuQwCKCn96ltkP6UOwUpWNb5TwjqmL+M 1Oew== X-Gm-Message-State: AEkooutmIVgNCYxxZbEatlXCbZi2rA0pzZRs+nZJs54P7OE83R/KbmIUYtPX/JboNYhsTqW6 X-Received: by 10.200.33.183 with SMTP id 52mr3753685qty.128.1470829277520; Wed, 10 Aug 2016 04:41:17 -0700 (PDT) Received: from mutt-hardenedbsd (pool-100-16-219-226.bltmmd.fios.verizon.net. [100.16.219.226]) by smtp.gmail.com with ESMTPSA id v24sm12304313qkv.3.2016.08.10.04.41.15 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 10 Aug 2016 04:41:15 -0700 (PDT) Date: Wed, 10 Aug 2016 07:41:13 -0400 From: Shawn Webb To: Big Lebowski Cc: Matthew Donovan , freebsd-security , Roger Marquis , freebsd-ports , Martin Schroeder Subject: Re: freebsd-update and portsnap users still at risk of compromise Message-ID: <20160810114113.GG81651@mutt-hardenedbsd> References: <6bd80e384e443e5de73fb951e973b221@vfemail.net> <8d52c11892db36d5041f7fa638e46681@vfemail.net> <57aa38bc.c505420a.7a6a0.bda8SMTPIN_ADDED_MISSING@mx.google.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="kadn00tgSopKmJ1H" Content-Disposition: inline In-Reply-To: X-Operating-System: FreeBSD mutt-hardenedbsd 12.0-CURRENT-HBSD FreeBSD 12.0-CURRENT-HBSD X-PGP-Key: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x6A84658F52456EEE User-Agent: Mutt/1.6.1 (2016-04-27) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Aug 2016 11:41:18 -0000 --kadn00tgSopKmJ1H Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Aug 10, 2016 at 09:50:37AM +0100, Big Lebowski wrote: > On Tue, Aug 9, 2016 at 9:21 PM, Matthew Donovan > wrote: >=20 > > You mean operating system as distribution is a Linux term. There's not = much > > different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes > > vulnerabilities and has a an excellent ASLR system compared to the prop= osed > > one for FreeBSD. > > >=20 > And what are your sources on which you're formulating this statement? What > is the HBSD authors security, or even general coding, track record? How > well are they known for their code, whitepapers, implementations? I'd say, > not at all. You can have the example of their 'ASLR' code quality in the > FreeBSD reviews system, where known and respected coders point out very > basic and critical code mistakes, where well known and respected system > designers point out flaws in their lack of design, so on and so forth. The > only thing that's excellent about them is how they spread this opinion > about their code to other people, including you ;) >=20 > I'd much rather take my bet with kib's implementation knowing who he is a= nd > how long and how well he does what he does (that is, quality code for > FreeBSD) than untested, un-designed, self-procclaimed code from relatively > young, inexperienced and unknown person, that's not willing to take advic= es > on fixing their code, when given so. >=20 > With all due respect :) Hey there, ASLR shouldn't be part of the discussion revolving the freebsd-update, portsnap, libarchive, and bspatch vulnerabilities. ASLR won't even help with these vulnerabilities in particular as they are logic vulnerabilities. ASLR helps make more difficult the successful exploitation of buffer overflows, format string vulnerabilities, etc. In HardenedBSD, we've fixed the two libarchive vulnerabilities that FreeBSD is vulnerable to. But the fixes are only band-aids until FreeBSD publishes their fixes, which they are planning on to do before 11.0-RELEASE goes out the door. Thanks, --=20 Shawn Webb Cofounder and Security Engineer HardenedBSD GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE --kadn00tgSopKmJ1H Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJXqxLXAAoJEGqEZY9SRW7uM14P/jYceCgnCYrSfFaGIhpzT7S8 Aopx5VvnpZlMCIHz+SvoPqsZAIzDhEm4Ia/q1Q0fGZcHHYo6dqArDFF34wLE2KBG 0NK1pvrv0P6RGrPlTACTDYHAdlBbQ1aLJfTQgbplnw6MT0JIU3ev/vVRFdutEmOW eX8G5O06KCZg1plR6JWMTOgMQCFhM/OxRVS3IPwcbvFACG/GVb6z8DbGsMWQANFC ykV5jBjRo8YmWY5Fz/AWJlHV1++H/ZNY+I9n8tae8ik+kDeQxND7Yv7s1hXsKtKx HfOoCNCI9LsBu8zl6QMXsRWsNyIXOmQFbPTxr2sBN0sCynTNXk5G+DZneoAUeLpw I3jvQ7mORe7y8husMw4h+E0aXcXeo/qFbVu6Y/Qh3HKy6My2IRXj0YzxzKbPgKH7 l8+tDBGx+FAj37lTgkjryHGiTEA0yRDVL7GdDCI67v4aV/OtevLbEuTsNvBEZrq+ 0c07OM4Qhh1qp+f3OB0AP4ELcGrb2swWZTCfpYQkJaHiitJqLCqjeluOgi9BGNmt vWoktIO2Ik5TYgkYDZ5fqed89XBWr5tPBxtvG0Lhz/L5sCAtQbvcLqnVvLLuI3zr nHxxVtJYjDxQIBCZBd9pu3FivyHD46eUoq+IjjIQzkkEI27RBj6XBUApCHW6CksJ +2ysFfP9OK0wn3GPuJ4X =pI8f -----END PGP SIGNATURE----- --kadn00tgSopKmJ1H--