Date:      Thu, 8 Apr 2021 08:45:16 -0500
From:      Kyle Evans <kevans@freebsd.org>
To:        Chris BeHanna <chris@behanna.org>
Cc:        Stefan Blachmann <sblachmann@gmail.com>, Gordon Tetlow <gordon@tetlows.org>, Shawn Webb <shawn.webb@hardenedbsd.org>, Miroslav Lachman <000.fbsd@quip.cz>,  FreeBSD Security Team <secteam@freebsd.org>, Ed Maste <emaste@freebsd.org>, FreeBSD-security@freebsd.org, Colin Percival <cperciva@freebsd.org>
Subject:   Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
Message-ID:  <CACNAnaGywzZ33ReEjEJTR0EdYy8MhZVpE1nMzTbgAj=HrAF%2BNQ@mail.gmail.com>
In-Reply-To: <7079A789-03C3-4986-95A8-100252FDD9AD@behanna.org>
References:  <CACc-My1b32PLyeOU4hMDCBGaVzU1GLSrgAft95zMb5U7p7eRwQ@mail.gmail.com> <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd> <6fcb2d1a-929e-c1fe-0273-42858ec547ec@quip.cz> <20210406144222.gbgjcc7jsozsl2m2@mutt-hbsd> <410E4486-F9CF-41C3-9396-BD307AF2325F@tetlows.org> <CACc-My2PMzaiwqZUnTEhzKY5U3n0GzjOXMmsgPEVjf5Zyn4F4w@mail.gmail.com> <7079A789-03C3-4986-95A8-100252FDD9AD@behanna.org>

On Thu, Apr 8, 2021 at 8:35 AM Chris BeHanna <chris@behanna.org> wrote:
>
> On Apr 7, 2021, at 8:50 PM, Stefan Blachmann <sblachmann@gmail.com> wrote:
> >
> > The answers I got from both "Security Officers" surprised me so much
> > that I had to let that settle a bit to understand the implications.
> >
> > Looking at the FreeBSD Porters' Handbook
> > [https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html],
> > it describes the purpose of the package pre- and postinstallation
> > scripts as to "set up the package so that it is as ready to use as
> > possible".
> >
> > It explicitly names only a few actions that are forbidden for them to
> > do: "...must not be abused to start services, stop services, or run
> > any other commands that will modify the currently running system."
> >
> > Anything else is apparently deemed “allowed”.
> > Spying out the machine and its configuration, sending that data to an
> > external entity – perfectly OK. Not a problem at all.
> >
> > This has been proved by the handling of this last BSDstats security
> > incident, where the FreeBSD “pkg” utility is being abused to run
> > spyware without the users’ pre-knowledge and without their consent.
> >
> > This abuse is apparently being considered acceptable by both FreeBSD
> > and HardenedBSD security officers.
> > Instead of taking action, you "security officers" tell the FreeBSD
> > users that it is their own guilt that they got “pwnd”.
>
>         This is an incredibly dishonest summary of their responses to you.
> Gordon in particular wrote that it is NOT acceptable; however, rather than
> smash down the port's maintainer with the Security Officer sledgehammer,
> he preferred to give the maintainer some time to address the problem.
>

+1. Both of these reactions are way out of proportion, and Gordon's
response was 100% the right thing to do. By his own admission he
responded and looped in the port maintainer to the additional context,
which is how it should be handled. If so@ smacked everyone that
intentionally or unintentionally (as the case is here, clearly) did
something that secteam's attention was raised to, then we would end up
with a security officer that nobody on the project is willing to work
with and their job becomes that much more difficult.

Thanks,

Kyle Evans
