Security leak: Public disclosure of user data without their consent by installing software via pkg

Kyle Evans kevans at freebsd.org
Thu Apr 8 13:45:30 UTC 2021 

On Thu, Apr 8, 2021 at 8:35 AM Chris BeHanna <chris at behanna.org> wrote:
>
> On Apr 7, 2021, at 8:50 PM, Stefan Blachmann <sblachmann at gmail.com> wrote:
> >
> > The answers I got from both "Security Officers" surprised me so much
> > that I had to let that settle a bit to understand the implications.
> >
> > Looking at the FreeBSD Porters' Handbook
> > [https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html],
> > it describes the purpose of the package pre- and postinstallation
> > scripts as to "set up the package so that it is as ready to use as
> > possible".
> >
> > It explicitly names only a few actions that are forbidden for them to
> > do: "...must not be abused to start services, stop services, or run
> > any other commands that will modify the currently running system."
> >
> > Anything else is apparently deemed “allowed”.
> > Spying out the machine and its configuration, sending that data to an
> > external entity – perfectly OK. Not a problem at all.
> >
> > This has been proved by the handling of this last BSDstats security
> > incident, where the FreeBSD “pkg” utility is being abused to run
> > spyware without the users’ pre-knowledge and without his content.
> >
> > This abuse is apparently being considered acceptable by both FreeBSD
> > and HardenedBSD security officers.
> > Instead of taking action, you "security officers" tell the FreeBSD
> > users that it is their own guilt that they got “pwnd”.
>
>         This is an incredibly dishonest summary of their responses to you.  Gordon in particular wrote that it is NOT acceptable; however, rather than smash down the port's maintainer with the Security Officer sledgehammer, he preferred to give the maintainer some time to address the problem.
>

+1. Both of these reactions are way out of proportion, and Gordon's
response was 100% the right thing to do. By his own admission he
responded and looped in the port maintainer to the additional context,
which is how it should be handled. If so@ smacked everyone that
intentionally or unintentionally (as the case is here, clearly) did
something that secteam's attention was raised to, then we would end up
with a security officer that nobody on the project is willing to work
with and their job becomes that much more difficult.

Thanks,

Kyle Evans

More information about the freebsd-security mailing list