From: Gordon Tetlow
Date: Tue, 6 Apr 2021 07:56:19 -0700
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: Shawn Webb
Cc: Miroslav Lachman <000.fbsd@quip.cz>, Stefan Blachmann, FreeBSD Security Team, Ed Maste, FreeBSD-security@freebsd.org, cperciva@freebsd.org
Message-Id: <410E4486-F9CF-41C3-9396-BD307AF2325F@tetlows.org>
In-Reply-To: <20210406144222.gbgjcc7jsozsl2m2@mutt-hbsd>
References: <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd> <6fcb2d1a-929e-c1fe-0273-42858ec547ec@quip.cz> <20210406144222.gbgjcc7jsozsl2m2@mutt-hbsd>
List-Id: "Security issues [members-only posting]"

On Apr 6, 2021, at 7:42 AM, Shawn Webb wrote:
>
> On Tue, Apr 06, 2021 at 04:39:40PM +0200, Miroslav Lachman wrote:
>> On 06/04/2021 16:27, Shawn Webb wrote:
>>
>>> 1. BSDStats isn't run/maintained by the FreeBSD project. File the
>>> report with the BSDStats project, not FreeBSD.
>>> 2. You install a package that is made to submit statistical data.
>>> 3. You're upset that it submits statistical data?
>>
>> The problem here is that it collects and sends data right at the install
>> time. It is really unexpected to run an installed package without user consent.
>> If you install Apache, MySQL or any other package, the command / daemon is not
>> run by the "pkg install" command.
>> This must be avoided.
>
> It's probably easier to submit a patch than it is to write a
> lolwut-type email. All you gotta do is rm the post-install script.
> Also `pkg install` has the -I option. But whatever, let the lolwut
> mentality prevail!

I had a conversation on the side with the requestor. In short, there is already a patch to address this issue in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152 . Not sure why it hasn't been committed yet, but hopefully it gets picked up shortly.

Gordon

Attachment: signature.asc (application/pgp-signature, message signed with OpenPGP)
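The concern raised in the thread is that a package's post-install script can run arbitrary actions (here, sending data) during `pkg install`, before the administrator has chosen to start anything. The following added example (written for this page, not code from the thread, the BSDStats project or pkg(8)) shows one way an administrator can audit a downloaded package archive for install-time hooks before installing it, or before deciding to install with the `-I` option mentioned above. It assumes that the archive's `+MANIFEST` entry is JSON-compatible and that install hooks live under a `scripts` key with names such as `pre-install` and `post-install`; the sample archives it builds are constructed in a temporary directory and contain only a manifest, no payload files.

```python
"""Audit a FreeBSD package archive for install-time scripts before installing it.

Added example for this thread, not code from pkg(8) or BSDStats. Assumed
manifest layout: a "+MANIFEST" member in the archive, JSON-compatible, with
install hooks under the "scripts" key ("pre-install", "post-install", ...).
"""
import io
import json
import os
import tarfile
import tempfile

# Hooks that pkg would execute while the package is being installed.
INSTALL_TIME_HOOKS = ("pre-install", "post-install")


def read_manifest(pkg_path):
    """Read and parse the +MANIFEST member of a package archive."""
    with tarfile.open(pkg_path, "r:*") as tf:
        member = tf.getmember("+MANIFEST")
        data = tf.extractfile(member).read()
    return json.loads(data)


def install_time_scripts(pkg_path):
    """Return {hook_name: script_body} for hooks that run during install."""
    manifest = read_manifest(pkg_path)
    scripts = manifest.get("scripts") or {}
    return {name: body for name, body in scripts.items() if name in INSTALL_TIME_HOOKS}


def runs_at_install(pkg_path):
    """True if installing this package would execute any script."""
    return bool(install_time_scripts(pkg_path))


def build_sample_pkg(directory, name, scripts):
    """Constructed sample archive holding only a +MANIFEST (no payload files)."""
    manifest = {"name": name, "version": "1.0", "scripts": scripts}
    payload = json.dumps(manifest).encode()
    path = os.path.join(directory, f"{name}-1.0.pkg")
    with tarfile.open(path, "w") as tf:
        info = tarfile.TarInfo("+MANIFEST")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return path


def demo():
    """Build two constructed packages and report which one runs code at install."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed: a package whose post-install hook invokes a reporting tool.
        stats_pkg = build_sample_pkg(
            d, "example-stats", {"post-install": "/usr/local/bin/example-stats-send\n"}
        )
        # Constructed: a package with only a deinstall-time hook, nothing at install.
        daemon_pkg = build_sample_pkg(
            d, "example-daemon", {"post-deinstall": "rm -f /var/run/example.pid\n"}
        )
        return {
            "stats_hooks": sorted(install_time_scripts(stats_pkg)),
            "stats_runs_at_install": runs_at_install(stats_pkg),
            "daemon_hooks": sorted(install_time_scripts(daemon_pkg)),
            "daemon_runs_at_install": runs_at_install(daemon_pkg),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real system the function would be pointed at a downloaded archive, e.g. `install_time_scripts("/path/to/downloaded/PACKAGE.pkg")` (placeholder path), and a non-empty result tells the administrator exactly what `pkg install` would run, and therefore what `pkg install -I` would skip.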