Date: Tue, 6 Apr 2021 07:56:19 -0700
From: Gordon Tetlow <gordon@tetlows.org>
To: Shawn Webb <shawn.webb@hardenedbsd.org>
Cc: Miroslav Lachman <000.fbsd@quip.cz>, Stefan Blachmann <sblachmann@gmail.com>, FreeBSD Security Team <secteam@freebsd.org>, Ed Maste <emaste@freebsd.org>, FreeBSD-security@freebsd.org, cperciva@freebsd.org
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
Message-ID: <410E4486-F9CF-41C3-9396-BD307AF2325F@tetlows.org>
In-Reply-To: <20210406144222.gbgjcc7jsozsl2m2@mutt-hbsd>
References: <CACc-My1b32PLyeOU4hMDCBGaVzU1GLSrgAft95zMb5U7p7eRwQ@mail.gmail.com> <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd> <6fcb2d1a-929e-c1fe-0273-42858ec547ec@quip.cz> <20210406144222.gbgjcc7jsozsl2m2@mutt-hbsd>
On Apr 6, 2021, at 7:42 AM, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:

> On Tue, Apr 06, 2021 at 04:39:40PM +0200, Miroslav Lachman wrote:
>> On 06/04/2021 16:27, Shawn Webb wrote:
>>
>>> 1. BSDStats isn't run/maintained by the FreeBSD project. File the
>>> report with the BSDStats project, not FreeBSD.
>>> 2. You install a package that is made to submit statistical data.
>>> 3. You're upset that it submits statistical data?
>>
>> The problem here is that it collects and sends data right at the install
>> time. It is really unexpected to run an installed package without user consent.
>> If you install Apache, MySQL or any other package the command / daemon is not
>> run by the "pkg install" command.
>> This must be avoided.
>
> It's probably easier to submit a patch than it is to write a
> lolwut-type email. All you gotta do is rm the post-install script.
> Also `pkg install` has the -I option. But whatever, let the lolwut
> mentality prevail!

I had a conversation on the side with the requestor. In short, there is already a patch to address this issue in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152. Not sure why it hasn't been committed yet, but hopefully it gets picked up shortly.

Gordon
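The thread turns on one point: a package's post-install script runs as root at `pkg install` time, and the `-I` (`--no-install-scripts`) option skips such scripts. The script below is an added illustration, not code from this thread, the FreeBSD project or pkg: it takes a package manifest as text and reports which script phases it declares, so an administrator can decide whether to read the script first or install with `-I`. It assumes the manifest text is what `pkg info --raw -F <pkgfile>` prints in UCL form (assumption); the sample manifest embedded here is constructed for illustration and is not a real package.

```sh
#!/bin/sh
# Added example (not from the thread or from pkg itself): list the install-time
# script phases a package manifest declares, so the admin can decide between
# inspecting the script and installing with `pkg install -I`.
# Assumed input: manifest text as printed by `pkg info --raw -F <pkg.txz>`
# (UCL form, assumption). The sample manifest below is constructed.

# Script phases pkg manifests can declare.
PHASES="pre-install post-install pre-deinstall post-deinstall pre-upgrade post-upgrade"

# script_phases MANIFEST_TEXT
# Prints each declared phase on its own line, in PHASES order.
script_phases() {
    manifest="$1"
    for p in $PHASES; do
        # A phase is declared as a key like `post-install:` or `"post-install":`.
        if printf '%s\n' "$manifest" | grep -Eq "^[[:space:]]*\"?${p}\"?[[:space:]]*[:=]"; then
            echo "$p"
        fi
    done
}

# runs_at_install MANIFEST_TEXT
# Succeeds (exit 0) when a pre-install or post-install script is declared,
# i.e. something would execute during `pkg install` unless -I is used.
runs_at_install() {
    script_phases "$1" | grep -Eq '^(pre|post)-install$'
}

# Constructed sample manifest: a hypothetical package whose post-install
# script phones home, plus a harmless pre-deinstall cleanup.
SAMPLE_MANIFEST='name: "example-stats"
version: "1.0"
scripts {
    post-install: "#!/bin/sh\n/usr/local/bin/example-stats-send"
    pre-deinstall: "#!/bin/sh\nrm -f /var/db/example-stats/id"
}'

# Stand-alone demonstration on the constructed sample.
main() {
    if runs_at_install "$SAMPLE_MANIFEST"; then
        echo "install-time scripts declared: $(script_phases "$SAMPLE_MANIFEST" | tr '\n' ' ')"
        echo "review them first, or skip them with: pkg install -I example-stats"
    else
        echo "no install-time scripts declared"
    fi
}
main
```

In practice the manifest text would come from the fetched archive (`pkg fetch` followed by `pkg info --raw -F` on the file in the cache, assumed usage); `-I` only skips the scripts, it does not remove whatever the package installs, so a package whose normal operation is to report data still needs to be judged on its own merits.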