freebsd-update and portsnap users still at risk of compromise

Shawn Webb shawn.webb at hardenedbsd.org
Wed Aug 10 11:41:18 UTC 2016 

On Wed, Aug 10, 2016 at 09:50:37AM +0100, Big Lebowski wrote:
> On Tue, Aug 9, 2016 at 9:21 PM, Matthew Donovan <kitche at kitchetech.com>
> wrote:
> 
> > You mean operating system as distribution is a Linux term. There's not much
> > different between HARDENEDBSD and FreeBSD besides that HardenedBSD fixes
> > vulnerabilities and has a an excellent ASLR system compared to the proposed
> > one for FreeBSD.
> >
> 
> And what are your sources on which you're formulating this statement? What
> is the HBSD authors security, or even general coding, track record? How
> well are they known for their code, whitepapers, implementations? I'd say,
> not at all. You can have the example of their 'ASLR' code quality in the
> FreeBSD reviews system, where known and respected coders point out very
> basic and critical code mistakes, where well known and respected system
> designers point out flaws in their lack of design, so on and so forth. The
> only thing that's excellent about them is how they spread this opinion
> about their code to other people, including you ;)
> 
> I'd much rather take my bet with kib's implementation knowing who he is and
> how long and how well he does what he does (that is, quality code for
> FreeBSD) than untested, un-designed, self-procclaimed code from relatively
> young, inexperienced and unknown person, that's not willing to take advices
> on fixing their code, when given so.
> 
> With all due respect :)

Hey there,

ASLR shouldn't be part of the discussion revolving the freebsd-update,
portsnap, libarchive, and bspatch vulnerabilities. ASLR won't even help
with these vulnerabilities in particular as they are logic
vulnerabilities. ASLR helps make more difficult the successful
exploitation of buffer overflows, format string vulnerabilities, etc.

In HardenedBSD, we've fixed the two libarchive vulnerabilities that
FreeBSD is vulnerable to. But the fixes are only band-aids until FreeBSD
publishes their fixes, which they are planning on to do before
11.0-RELEASE goes out the door.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20160810/cc19375f/attachment.sig>

More information about the freebsd-security mailing list