From: Chris BeHanna
Date: Thu, 8 Apr 2021 07:35:33 -0600
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: Stefan Blachmann
Cc: Gordon Tetlow, Shawn Webb, Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Security Team, Ed Maste, FreeBSD-security@freebsd.org, cperciva@freebsd.org
Message-Id: <7079A789-03C3-4986-95A8-100252FDD9AD@behanna.org>

On Apr 7, 2021, at 8:50 PM, Stefan Blachmann wrote:
>
> The answers I got from both "Security Officers" surprised me so much
> that I had to let that settle a bit to understand the implications.
>
> Looking at the FreeBSD Porters' Handbook
> [https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html],
> it describes the purpose of the package pre- and postinstallation
> scripts as to "set up the package so that it is as ready to use as
> possible".
>
> It explicitly names only a few actions that are forbidden for them to
> do: "...must not be abused to start services, stop services, or run
> any other commands that will modify the currently running system."
>
> Anything else is apparently deemed “allowed”.
> Spying out the machine and its configuration, sending that data to an
> external entity – perfectly OK. Not a problem at all.
>
> This has been proved by the handling of this last BSDstats security
> incident, where the FreeBSD “pkg” utility is being abused to run
> spyware without the users’ pre-knowledge and without his consent.
>
> This abuse is apparently being considered acceptable by both FreeBSD
> and HardenedBSD security officers.
> Instead of taking action, you "security officers" tell the FreeBSD
> users that it is their own guilt that they got “pwnd”.

This is an incredibly dishonest summary of their responses to you.
Gordon in particular wrote that it is NOT acceptable; however, rather
than smash down the port's maintainer with the Security Officer
sledgehammer, he preferred to give the maintainer some time to address
the problem.

-- 
Chris BeHanna
chris@behanna.org