From: Stefan Blachmann
Date: Tue, 6 Apr 2021 03:11:31 +0200
Subject: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: secteam@freebsd.org, emaste@freebsd.org, FreeBSD-security@freebsd.org, cperciva@freebsd.org
List: freebsd-security@freebsd.org

Hello,

I had a very distressing experience today.

I installed a package to view its scripts (and *not* to run them!). I was shocked when pkg told me that my system configuration, including which packages and their versions are installed on my system, had been sent to an external entity, without asking for my consent.

This is a security leak as well as a breach of EU data protection rules, but above all, it is a breach of trust of the unsuspecting FreeBSD users.

Read this:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152

And read my experience in this and the following forum posts:
https://forums.freebsd.org/threads/toplist-freebsd-usage-per-1m-inhabitants.79669/post-504430

If this does not get fixed in a short time, I will contact ArsTechnica, TheRegister and some other reputed IT news outlets, to create public pressure to get the issue resolved.

So please get this fixed and report back.

Sincerely,
Stefan Blachmann