From owner-freebsd-ports@freebsd.org Thu Aug 11 10:00:06 2016
Delivered-To: freebsd-ports@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 28671BB5AB3; Thu, 11 Aug 2016 10:00:06 +0000 (UTC) (envelope-from vince@unsane.co.uk)
Received: from vm.unsane.co.uk (unsane-pt.tunnel.tserv5.lon1.ipv6.he.net [IPv6:2001:470:1f08:110::2]) by mx1.freebsd.org (Postfix) with ESMTP id C1552117F; Thu, 11 Aug 2016 10:00:05 +0000 (UTC) (envelope-from vince@unsane.co.uk)
Received: from Vincents-MacBook-Pro-2.local (lon.namesco.net [195.7.254.102]) by vm.unsane.co.uk (Postfix) with ESMTPSA id 80808301C5; Thu, 11 Aug 2016 10:59:58 +0100 (BST)
Subject: Re: freebsd-update and portsnap users still at risk of compromise
To: Julian Elischer, Mail Lists, Matthew Donovan
References: <6bd80e384e443e5de73fb951e973b221@vfemail.net> <57aa38bc.c505420a.7a6a0.bda8SMTPIN_ADDED_MISSING@mx.google.com> <1470849104.192073030@f370.i.mail.ru>
Cc: freebsd-security, Roger Marquis, freebsd-ports, Martin Schroeder
From: Vincent Hoffman-Kazlauskas
Date: Thu, 11 Aug 2016 10:59:57 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Porting software to FreeBSD
X-List-Received-Date: Thu, 11 Aug 2016 10:00:06 -0000

For those not on freebsd-announce (or reddit or anywhere else it got posted)

"FreeBSD Core statement on recent freebsd-update and related vulnerabilities"
https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001739.html

Vince

On 11/08/2016 05:22, Julian Elischer wrote:
> On 11/08/2016 1:11 AM, Mail Lists via freebsd-security wrote:
>>
>>
>> sorry but this is blabla and does not come even near to answering the
>> real problem:
>>
>> It appears that freebsd and the US-government are more connected than
>> some of us might like:
>>
>> Not publishing security issues concerning update mechanisms - we all
>> can think WHY freebsd is not eager on this one.
>>
>> Just my thoughts...
>
> this has been in discussion a lot in private circles within FreeBSD.
> It's not being ignored and a "correct" patch is being developed.
>
> from one email I will quote just a small part..
> =======
>
> As of yet, [the] patches for the libarchive vulnerabilities have not
> been released upstream to be pulled into FreeBSD. In the meantime,
> HardenedBSD has created patches for some of the libarchive
> vulnerabilities, the first[3] is being considered for inclusion in
> FreeBSD, at least until a complete fix is committed upstream, however
> the second[4] is considered too brute-force and will not be committed
> as-is. Once the patches are in FreeBSD and updated binaries are
> available, a Security Advisory will be issued.
>
> =======
> so expect something soon.
> I will go on to say that the threat does need to come from an advanced
> MITM actor, though that does not make it a non-threat..
>
>>
>>
>>> Tuesday, August 9, 2016 8:21 PM UTC from Matthew Donovan:
>>>
>>> You mean operating system as distribution is a Linux term. There's
>>> not much difference between HARDENEDBSD and FreeBSD besides that
>>> HardenedBSD fixes vulnerabilities and has an excellent ASLR system
>>> compared to the proposed one for FreeBSD.
>>>
>>> On Aug 9, 2016 3:10 PM, "Roger Marquis" <marquis@roble.com> wrote:
>>>
>>>> Timely update via Hackernews:
>>>>
>>>> y-update-libarchive>
>>>>
>>>> Note in particular:
>>>>
>>>> "FreeBSD is still vulnerable to the portsnap, freebsd-update,
>>>> bspatch, and libarchive vulnerabilities."
>>>>
>>>> Not sure why the portsec team has not commented or published an
>>>> advisory (possibly because the freebsd list spam filters are so bad
>>>> that subscriptions are being blocked) but from where I sit it seems
>>>> that those exposed should consider:
>>>>
>>>> cd /usr/ports
>>>> svnlite co https://svn.FreeBSD.org/ports/head /usr/ports   # or svn, if devel/subversion is installed
>>>> make index
>>>> rm -rf /usr/sbin/portsnap /var/db/portsnap/*
>>>>
>>>> I'd also be interested in hearing from hardenedbsd users regarding the
>>>> pros and cons of cutting over to that distribution.
>>>>
>>>> Roger
>>>>
>>>>
>>>>
>>>> On 2016-07-29 09:00, Julian Elischer wrote:
>>>>>> not sure if you've been contacted privately, but I believe the
>>>>>> answer is "we're working on it"
>>>>>>
>>>>> My concerns are as follows:
>>>>>
>>>>> 1. This is already out there, and FreeBSD users haven't been alerted
>>>>> that they should avoid running freebsd-update/portsnap until the
>>>>> problems are fixed.
>>>>>
>>>>> 2. There was no mention in the bspatch advisory that running
>>>>> freebsd-update to "fix" bspatch would expose systems to MITM
>>>>> attackers who are apparently already in operation.
>>>>>
>>>>> 3. Strangely, the "fix" in the advisory is incomplete and still
>>>>> permits heap corruption, even though a more complete fix is
>>>>> available. That's what prompted my post. If FreeBSD learned of the
>>>>> problem from the same source document we all did, which seems likely
>>>>> given the coincidental timing of an advisory for a little-known
>>>>> utility a week or two after that source document appeared, then
>>>>> surely FreeBSD had the complete fix available.
>>>>>
>>>>> _______________________________________________
>>>> freebsd-ports@freebsd.org mailing list
>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-ports
>>>> To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"
>>>>
>>> _______________________________________________
>>> freebsd-security@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>>
>> Best regards,
>> Mail Lists
>> mlists@mail.ru
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>>
>
> _______________________________________________
> freebsd-ports@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"
>
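The thread's security point, as stated by the posters, is that the exposure is to a MITM actor and that bspatch and libarchive are the parsers at risk; how freebsd-update and portsnap actually order their checks is not shown on the page. The property a practitioner wants from any updater in that situation is that network-fetched bytes are authenticated before they reach a complex parser, so that a tampered transfer is rejected rather than parsed. The following is an added example, not code from FreeBSD, freebsd-update, portsnap or any poster in the thread: a small POSIX sh wrapper that computes the artifact's SHA-256, compares it against a known-good digest, and only then invokes tar. The file names, directory layout and the single byte of tampering are constructed for the demo; a real updater would take the expected digest from a signed manifest, which is assumed here rather than implemented.

```shell
#!/bin/sh
# Added example (not FreeBSD's own code): verify-before-parse for an update
# artifact. The integrity check runs BEFORE tar/bspatch-style parsing, so a
# tampered download never reaches the parser. The expected digest is assumed
# to come from an already-authenticated source (e.g. a signed manifest).
set -eu

# Pick a SHA-256 tool: sha256(1) on FreeBSD, sha256sum(1) on Linux,
# openssl(1) as a last resort. Prints just the hex digest.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# verified_extract <archive> <expected-sha256> <destdir>
# Extracts and returns 0 only when the digest matches; on mismatch it
# returns 1 without ever handing the file to tar.
verified_extract() {
    archive=$1; expected=$2; dest=$3
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to parse $archive: digest mismatch" >&2
        return 1
    fi
    mkdir -p "$dest"
    tar -xf "$archive" -C "$dest"
}

# Constructed demo: build a tiny archive, record its digest, then simulate
# an on-the-wire modification and confirm it is rejected before parsing.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src" && echo "hello" > "$work/src/file.txt"
    tar -cf "$work/good.tar" -C "$work/src" file.txt
    good=$(sha256_of "$work/good.tar")          # stands in for the signed manifest value
    cp "$work/good.tar" "$work/evil.tar"
    printf 'X' >> "$work/evil.tar"              # one byte of "MITM" tampering
    # Genuine artifact: digest matches, extraction happens.
    verified_extract "$work/good.tar" "$good" "$work/out" || return 1
    [ -f "$work/out/file.txt" ] || return 1
    # Tampered artifact: must be refused, and tar must never have run,
    # so the destination directory must not exist.
    if verified_extract "$work/evil.tar" "$good" "$work/out2"; then return 1; fi
    [ ! -d "$work/out2" ] || return 1
    rm -rf "$work"
    echo ok
}

demo
```

The ordering is the whole point: the digest comparison is a fixed-size operation on bytes the attacker controls, whereas tar and bspatch are large parsers with a history of memory-safety bugs, so the cheap check gates the risky one, not the other way round.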