From: David Noel
Reply-To: David.I.Noel@gmail.com
To: Brooks Davis
Cc: freebsd-security@freebsd.org, Colin Percival
Date: Thu, 10 Apr 2014 14:52:46 -0500
Subject: Re: MITM attacks against portsnap and freebsd-update
In-Reply-To: <20140410183330.GB31394@lor.one-eyed-alien.net>
List-Id: "Security issues [members-only posting]"

> I'm not convinced that a rototil of the protocol and all the associated
> storage duplication is worth the effort.

As far as portsnap is concerned I'm not convinced that ANY amount of effort is worth it. That is why I was hoping to start a conversation on the possibility of phasing it out.

> It's better in my mind to commit one of the patches to sandbox gzip
> with Capsicum...

Portsnap also passes unverified files to tar, so that would need to be patched too.

> ...which will protect from everything except filling the
> disk by denying gunzip the ability to do anything but write to the file
> opened by the script. That will protect all gzip users.

I agree that what you're proposing is probably the simplest solution, but I'm not convinced that it would guarantee system security. Nothing against Robert Watson, but sandboxes are always being broken out of. There's a history of vulnerabilities in the jail subsystem; isn't it likely that someone some day will find a bug in Capsicum? As unlikely as it seems that someone would be able to pull off a MITM attack, possess a tar or gzip 0day, and also possess a Capsicum 0day, there is -- like Murphy's law -- that old saying*: "Any bug that can be exploited will be."

*I definitely just made that up, but I do firmly believe it to be true.

> What do you mean by a freeze attack? I'm not familiar with this term
> and I didn't find this post, the PRs, or a quick Google search
> illuminating.

Sorry. A freeze attack is similar to a replay attack. In a replay attack an attacker would feed the system an older, exploitable version of the software being updated so that they could break in. A freeze attack is when an attacker feeds the system the same version of the software being updated so that critical updates are not installed. While portsnap and freebsd-update do check to ensure that what's being updated is no older than what's currently on the system, they do not check to ensure that what's being updated is not the same version as what's currently installed.

-David
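The replay-versus-freeze distinction described in the message above, as an added example that is not part of the original post or of portsnap/freebsd-update: a minimal update-metadata model in which the version-only check the thread describes stops a replayed older version but not a re-served current one, beside a hardened check that also bounds the age of the signed metadata. The `UpdateMetadata` fields and the `max_age` policy window are assumptions for illustration, not the tools' actual format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed model of signed update metadata: a monotonically increasing
# version number plus the time the metadata was signed. These field names
# are assumptions for the example, not portsnap's or freebsd-update's format.
@dataclass(frozen=True)
class UpdateMetadata:
    version: int
    signed_at: datetime


def accept_replay_only(installed: int, offered: UpdateMetadata) -> str:
    """Version-only check as described in the thread: a replayed older
    version is refused, but a re-served copy of the installed version
    (a freeze) is accepted indefinitely."""
    if offered.version < installed:
        return "reject: older than installed"
    return "accept"


def accept_with_freshness(installed: int, offered: UpdateMetadata,
                          now: datetime, max_age: timedelta) -> str:
    """Hardened check: still refuses older versions, but also refuses
    metadata signed longer ago than max_age, so the same version cannot be
    re-served forever without the client noticing that updates have stalled.
    max_age is an assumed local policy value."""
    if offered.version < installed:
        return "reject: older than installed"
    if now - offered.signed_at > max_age:
        return "reject: metadata stale (possible freeze)"
    if offered.version == installed:
        return "accept: already current"
    return "accept: upgrade"


if __name__ == "__main__":
    # Constructed scenario: client has version 5; an attacker keeps serving
    # metadata for version 5 that was signed a month ago.
    now = datetime(2014, 4, 10, tzinfo=timezone.utc)
    frozen = UpdateMetadata(5, now - timedelta(days=30))
    print("version-only :", accept_replay_only(5, frozen))
    print("with freshness:", accept_with_freshness(5, frozen, now, timedelta(days=7)))
```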