Date: Sun, 15 Jun 2014 07:12:21 -0500 From: Dave Duchscher <daved@nostrum.com> To: freebsd-stable@freebsd.org Subject: Re: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-14:03.pkg Message-ID: <D4810186-8CB0-450B-8C32-6E180DB6E7A8@nostrum.com> In-Reply-To: <201405140000.s4E002sO029919@freefall.freebsd.org> References: <201405140000.s4E002sO029919@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
I have had a few surprises with FreeBSD over the years and with the new = ports system has provided quite a few of them but this update takes the = cake. We have our own package repository with custom options. We liked = and adopted pkgng early. We also have a lot of automation. With this = update, all of a sudden, we have a new repository configured on our = system (/etc/FreeBSD.conf). Lets say, I was very surprised. It is true = that mistakes happen. Maybe its ours for not fully understand what was = being done. In any event, this definitely caused lots of issues for us = and has wasted a lot of my time. Dave On May 13, 2014, at 7:00 PM, FreeBSD Errata Notices = <errata-notices@freebsd.org> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 >=20 > = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D > FreeBSD-EN-14:03.pkg Errata = Notice > The FreeBSD = Project >=20 > Topic: pkg bootstrapping, configuration and public keys >=20 > Category: core, packages > Module: pkg > Announced: 2014-05-13 > Credits: Baptiste Daroussin, Bryan Drewery > Affects: All versions of FreeBSD prior to 10.0-RELEASE > Corrected: 2014-04-15 23:40:47 UTC (stable/8, 8.4-STABLE) > 2014-05-13 23:24:32 UTC (releng/8.4, 8.4-RELEASE-p10) > 2014-03-11 14:48:44 UTC (stable/9, 9.2-STABLE) > 2014-05-13 23:24:14 UTC (releng/9.2, 9.2-RELEASE-p6) > 2014-05-13 23:24:14 UTC (releng/9.1, 9.1-RELEASE-p13) >=20 > For general information regarding FreeBSD Errata Notices and Security > Advisories, including descriptions of the fields above, security > branches, and the following sections, please visit > <URL:http://security.freebsd.org/>. >=20 > I. Background >=20 > The pkg(7) utility is the new package management tool for FreeBSD. = The > FreeBSD project has provided official pkg(7) packages since October = 2013 > and signed packages since the pkg-1.2 release in November 2013. The > signature checking requires known public keys to be installed locally. > The repository configuration must be installed as well. >=20 > The base system also includes a pkg(7) bootstrap tool that installs = the > latest real pkg(7) package. The bootstrap tool knows where to find = the > official pkg(7) package but once that is installed the real pkg(7) = will > not know where to find official packages, nor have the known public = key > for signature checking. >=20 > The bootstrap tool was also improved in 10.0-RELEASE to check the > signature on the pkg(7) package it is installing. >=20 > II. Problem Description >=20 > Only FreeBSD 10.0 has been released with the official repository > configuration, known public keys, and a bootstrap tool that checks the > signature of the pkg(7) package it is installing. >=20 > To allow packages to be used on a system, the configuration must be > manually setup and keys securely fetched and installed to the proper > location. >=20 > III. Impact >=20 > Releases before 10.0 require manual configuration. Manually = configuring the > pkg(7) signatures could result in insecurely installing the keys or = leaving > the signature checking disabled. >=20 > The bootstrap tool is not secure on releases prior to 10.0 due to not = checking > the signature and could result in having an unofficial pkg(7) = installed due to > MITM attacks. >=20 > IV. Workaround >=20 > To securely install pkg(7) on releases prior to 10.0, install it from = ports > obtained from a secure portsnap checkout: >=20 > # portsnap fetch extract > # echo "WITH_PKGNG=3Dyes" >> /etc/make.conf > # make -C /usr/ports/ports-mgmt/pkg install clean >=20 > If this is an existing system it may be converted to pkg(7) as well by = running: >=20 > # pkg2ng >=20 > After this is done /usr/ports may be removed if no longer required. >=20 > To workaround the configuration and keys being missed, apply the = solution in > this Errata. >=20 > V. Solution >=20 > No solution is provided for pkg(7) bootstrap signature checking on = releases prior > to 10.0. Upgrading to 10.0 or stable/9 after r263038 will suffice. >=20 > To install the configuration and public key in a secure means, perform = one of > the following: >=20 > 1) Upgrade your system to a supported FreeBSD stable or release / = security > branch (releng) dated after the correction date. >=20 > 2) To update your present system via a source code patch: >=20 > The following patches have been verified to apply to the applicable > FreeBSD release branches. >=20 > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. >=20 > [FreeBSD 9.2] > # fetch = http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-9.2.patch > # fetch = http://security.FreeBSD.org/patches/EN-14:10/pkg-en-releng-9.2.patch.asc > # gpg --verify pkg-en-releng-9.2.patch.asc >=20 > [FreeBSD 9.1] > # fetch = http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-9.1.patch > # fetch = http://security.FreeBSD.org/patches/EN-14:10/pkg-en-releng-9.1.patch.asc > # gpg --verify pkg-en-releng-9.1.patch.asc >=20 > [FreeBSD 8.4] > # fetch = http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-8.4.patch > # fetch = http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-8.4.patch.asc > # gpg --verify pkg-en-releng-8.4.patch.asc >=20 > b) Execute the following commands as root: >=20 > # cd /usr/src > # patch < /path/to/patch > # cd /usr/src/etc/pkg > # mkdir -p /etc/pkg /usr/share/keys/pkg/trusted = /usr/share/keys/pkg/revoked > # make install > # cd /usr/src/share/keys/pkg > # make install >=20 > 3) To update your system via a binary patch: >=20 > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: >=20 > # freebsd-update fetch > # freebsd-update install >=20 > VI. Correction details >=20 > The following list contains the revision numbers of each file that was > corrected in FreeBSD. >=20 > Branch/path = Revision > - = ------------------------------------------------------------------------- > stable/8/ = r264519 > releng/8.4/ = r265989 > stable/9/ = r263937 (*) > releng/9.1/ = r265988 > releng/9.2/ = r265988 > - = ------------------------------------------------------------------------- >=20 > (*) The actual required changeset consists a series of changes, = including > r263023,r258550,r263050,r263053 and r263937. >=20 > To see which files were modified by a particular revision, run the > following command, replacing NNNNNN with the revision number, on a > machine with Subversion installed: >=20 > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base >=20 > Or visit the following URL, replacing NNNNNN with the revision number: >=20 > <URL:http://svnweb.freebsd.org/base?view=3Drevision&revision=3DNNNNNN> >=20 > VII. References >=20 > The latest revision of this Errata Notice is available at > http://security.FreeBSD.org/advisories/FreeBSD-EN-14:03.pkg.asc > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.0.22 (FreeBSD) >=20 > iQIcBAEBCgAGBQJTcq5IAAoJEO1n7NZdz2rnPgsP/i1EV9g4qXg9v6HvakiFFKrv > 51810uJe/Eo9iujDT1TpwuYJuFQPzkW+h4JRvapaSLAMxeLsYqxj8WDuKz0eU6sW > WjaPv6LZWUG91jHbFr3uEAgLLvkc86kMI/hfSmzq5FY7gsisEKoyfdraR2E63jtp > BFARxAq9hnddck5zZiX7wCOMtvCVrvrSsozft1p885AUra+Tg9F1RuUloS0CYddD > FtUb1dPMshkHlqHqC1wGzRfBVFgX7NnXfnxIi2St1ft0tEDKIL+HQgnjU2CwKbK7 > S9ioLYbbUhyo6edpS/4+y5gJ1kVLvlelY4myBHUkSOMJrsxoIBCTuXjdnO9PL5gr > qpS9R6TQEMF5auEG5aIOwfu5t8wqczAfC4zVzbm4UPakRYPFS0NfvkDGW2Gno7Yh > iOur/JFLUOqbV9i8UwssS8OzG0cr8EzbZ3iLkVPqt1Cxuxxpx8+NYiYV3F0PMxB8 > iImoOD1BY0lS3x0gqgeZb5ssBk988aVq1cmbrUuriHuKLK/uvSaFHlGXprQyQmTn > 4FEFmMNTCSMbYy3J2daEajUroiZVcBEjORPFR8QYtncRgbzB6u/AjVIo+3Uk/0hj > paC8dvBikmT7ity3b7YoOvJIJn62XVqrq9srkYowkDuLJ1E8zQqmR2eZUOmf5vG1 > u3zAXa3xup1ginA9Wi6O > =3DUI84 > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-announce@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-announce > To unsubscribe, send any mail to = "freebsd-announce-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D4810186-8CB0-450B-8C32-6E180DB6E7A8>