From owner-freebsd-security@FreeBSD.ORG Sun Nov 18 18:17:17 2012
Date: Sun, 18 Nov 2012 13:17:11 -0500
From: Gary Palmer <gpalmer@freebsd.org>
To: Chris Rees
Cc: freebsd-security@freebsd.org
Subject: Re: Recent security announcement and csup/cvsup?
Message-ID: <20121118181711.GG24320@in-addr.com>
References: <20121117150556.GE24320@in-addr.com>
List-Id: "Security issues [members-only posting]" <freebsd-security@freebsd.org>

On Sat, Nov 17, 2012 at 03:14:00PM +0000, Chris Rees wrote:
> On 17 Nov 2012 15:06, "Gary Palmer" wrote:
> >
> > Hi,
> >
> > Can someone explain why the cvsup/csup infrastructure is considered
> > insecure if the person had access to the *package* building cluster?
> > Is it because the leaked key also had access to something in the chain
> > that goes to cvsup, or is it because the project is not auditing the
> > cvsup system and so the default assumption is that it cannot be trusted
> > to not be compromised?
> >
> > If it is the latter, someone from the community could check rather than
> > encourage everyone who has been using csup/cvsup to wipe and reinstall
> > their boxes. Unfortunately the wipe option is not possible for me right
> > now and my backups do go back to before the 19th of September.
>
> Checks are being made, but CVS makes it slow work.
>
> It's incredibly unlikely that there will be a problem, but the Project has
> to be cautious in recommendations.

Thanks, Chris, for the update.

May I politely suggest that the web page as I read it yesterday was more
along the lines of "assume your machine is rooted, reinstall it". The
reality is the message should have been "we cannot prove cvs/cvsup was not
affected yet, but we are continuing to investigate. If you want to be
really sure you weren't affected, reinstall from known clean media. Else
wait for further updates".

While I understand some people, especially the more security-minded people,
want to deprecate all access that isn't signed and secured, it's no reason
to cause people unnecessary work/panic. Plus signing is only as good as the
security of the systems doing the builds and signing the content. It's just
been proven that they may not be as secure as expected.

Regards,

Gary