From owner-freebsd-security@freebsd.org Thu Apr 8 13:45:30 2021
From: Kyle Evans
Date: Thu, 8 Apr 2021 08:45:16 -0500
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: Chris BeHanna
Cc: Stefan Blachmann, Gordon Tetlow, Shawn Webb, Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Security Team, Ed Maste, FreeBSD-security@freebsd.org, Colin Percival
In-Reply-To: <7079A789-03C3-4986-95A8-100252FDD9AD@behanna.org>

On Thu, Apr 8, 2021 at 8:35 AM Chris BeHanna wrote:
>
> On Apr 7, 2021, at 8:50 PM, Stefan Blachmann wrote:
> >
> > The answers I got from both "Security Officers" surprised me so much
> > that I had to let that settle a bit to understand the implications.
> >
> > Looking at the FreeBSD Porters' Handbook
> > [https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html],
> > it describes the purpose of the package pre- and postinstallation
> > scripts as to "set up the package so that it is as ready to use as
> > possible".
> >
> > It explicitly names only a few actions that are forbidden for them to
> > do: "...must not be abused to start services, stop services, or run
> > any other commands that will modify the currently running system."
> >
> > Anything else is apparently deemed “allowed”.
> > Spying out the machine and its configuration, sending that data to an
> > external entity – perfectly OK. Not a problem at all.
> >
> > This has been proved by the handling of this last BSDstats security
> > incident, where the FreeBSD “pkg” utility is being abused to run
> > spyware without the users’ pre-knowledge and without his consent.
> >
> > This abuse is apparently being considered acceptable by both FreeBSD
> > and HardenedBSD security officers.
> > Instead of taking action, you "security officers" tell the FreeBSD
> > users that it is their own guilt that they got “pwnd”.
>
> This is an incredibly dishonest summary of their responses to you. Gordon in particular wrote that it is NOT acceptable; however, rather than smash down the port's maintainer with the Security Officer sledgehammer, he preferred to give the maintainer some time to address the problem.
>

+1. Both of these reactions are way out of proportion, and Gordon's response was 100% the right thing to do. By his own admission he responded and looped in the port maintainer to the additional context, which is how it should be handled. If so@ smacked everyone that intentionally or unintentionally (as the case is here, clearly) did something that secteam's attention was raised to, then we would end up with a security officer that nobody on the project is willing to work with and their job becomes that much more difficult.

Thanks,

Kyle Evans