Date:      Mon, 28 Jan 2013 19:07:31 +1100
From:      Andre Rekovic <andre.rekovic@gmail.com>
To:        freebsd-security@freebsd.org
Subject:   Is portsnap secure or isn't it? (2012 compromise and general reflections)
Message-ID:  <CA%2BvYve53J-K_1Z_F4CHtApdZSknbDeGgnbe7n7TrWhA0D2XyOg@mail.gmail.com>

Hi,

I've been trying to make sense of the details on the 2012 compromise given here:

    http://www.freebsd.org/news/2012-compromise.html

To be honest, I find that page very disappointing and wish it had the
clarity of a FreeBSD security advisory. With the advisories, there's
never been a time I've read the background, problem description, and
impact sections and then thought "huh?" I've always understood the
threats. Not so with the above page, which is a tangle of details.

I use only freebsd-update(8) and portsnap(8) for updates. I don't use
packages; I compile from ports. I last used portsnap in August, which
is outside the critical time window mentioned (Sep 19 - Nov 11).
Presumably this means I'm OK for the incident in question, but I
really have no idea based on my reading of the page.

Now for the tangle of details:

    "If you are running a system that has had no third-party packages
    installed or updated on it between the 19th September and 11th
    November 2012, you have no reason to worry."

This suggests that ports aren't affected. Someone could read the
above, think "nope, I don't pkg_add packages (precompiled binaries),"
and bail on the whole page. The ensuing paragraphs, especially with
the mention of pkg_add, reinforce this suggestion. But obviously
"packages" is used in a loose sense to include ports, because...

    "We unfortunately cannot guarantee the integrity of any packages
    available for installation between 19th September 2012 and 11th
    November 2012, or of any ports compiled from trees obtained via any
    means other than through svn.freebsd.org or one of its mirrors."

It's my understanding that any ports trees created/updated via
portsnap *between 19th September 2012 and 11th November 2012* may be
affected but that ports trees created/updated via portsnap a little
outside of that time window should be fine. Is this right? I can't be
completely sure from the above quote.

    "We have also verified that the most recently-available
    portsnap(8) snapshot matches the ports Subversion repository, and so
    can be fully trusted. Please note that as a precaution, newer
    portsnap(8) snapshots are currently not being generated."

That mentions only the most recently available portsnap snapshot (at
the time). Presumably there are suspect snapshots (perhaps those
distributed within the critical window).

    "If you use portsnap(8), you should portsnap fetch && portsnap
    extract to the most recent snapshot. The most recent portsnap(8)
    snapshot has been verified to exactly match the audited Subversion
    repository. Please note that as a precaution, portsnap(8) updates
    have been suspended temporarily."

Again allowing the user to infer that some snapshots are suspect.

And that leads to my main query:

If there are suspect snapshots, how can that be? How did portsnap
security fail?

Port compilation is supposed to be cryptographically secure. The
distinfo files in the ports tree contain SHA256 hashes. In theory,
this means you know you're getting the version of the source code the
port maintainer has OK'd.

The portsnap snapshot is supposed to be cryptographically secure.
Assuming you don't play with the -f and -k switches, its cryptographic
security hinges on the KEYPRINT in /etc/portsnap.conf. The KEYPRINT in
/etc/portsnap.conf wasn't changed after the compromise, so I'm
assuming there was no loss of confidence in the associated RSA public
key.

I can think of only two explanations for suspect snapshots:

1. An attacker pushing out earlier snapshots signed with the same key.
The portsnap shell script appears to defend against this for update
fetches (using the timestamp in the tag file) but allows initial
fetches to grab a snapshot up to a year old. Really, if this is the
only fear, I'm sure many users would rather not wipe their disks and
perform a complete reinstall.

2. A deeply troubling approach to how snapshots are (or were) getting
signed with the private key (picture a push-button automated signing
or a manual signing accompanied by a complete lack of vigilant
checking). This approach would completely undermine user confidence in
portsnap.

OK, fine:

3. I'm missing something ridiculously obvious and won't show my face
in public for a few months.

Please, could someone clear this up for us users?
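The checks the mail attributes to portsnap(8), as an added illustration that is not part of the original post and not portsnap's own code: a KEYPRINT pin on the fetched public key, a signature over the snapshot tag, and a freshness rule that rejects replayed snapshots on update fetches but (as explanation 1 above observes) tolerates a snapshot up to a year old on an initial fetch. The tag layout, the 365-day window, the key serialisation and the sample timestamps are assumptions; textbook RSA with tiny primes stands in for openssl(1) purely so the block runs offline.

```python
"""Toy model of portsnap-style snapshot verification (added example).

Assumptions, not portsnap's real behaviour: tag layout
"portsnap|<epoch date>|<snapshot hash>", a 365-day tolerance on initial
fetches, and key serialisation "n:e". Textbook RSA with small primes is a
stand-in for openssl rsautl and must never be used for real signing.
"""
import hashlib
from typing import NamedTuple, Optional

ONE_YEAR = 365 * 24 * 3600  # assumed initial-fetch tolerance from the mail


class PublicKey(NamedTuple):
    n: int
    e: int


def toy_keypair(p: int, q: int, e: int = 65537):
    """Toy RSA keypair from two primes (demo only)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return PublicKey(n, e), d


def key_bytes(pub: PublicKey) -> bytes:
    """Assumed serialisation of the key as fetched (pub.ssl)."""
    return f"{pub.n}:{pub.e}".encode()


def keyprint(pub: PublicKey) -> str:
    """SHA-256 fingerprint that /etc/portsnap.conf pins as KEYPRINT."""
    return hashlib.sha256(key_bytes(pub)).hexdigest()


def _digest_int(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg: bytes, pub: PublicKey, d: int) -> int:
    return pow(_digest_int(msg, pub.n), d, pub.n)


def verify(msg: bytes, sig: int, pub: PublicKey) -> bool:
    return pow(sig, pub.e, pub.n) == _digest_int(msg, pub.n)


def make_tag(snapshot_date: int, snapshot_hash: str) -> bytes:
    """Assumed tag layout: portsnap|<date>|<snapshot hash>."""
    return f"portsnap|{snapshot_date}|{snapshot_hash}".encode()


def check_snapshot(tag: bytes, sig: int, pub: PublicKey, pinned_keyprint: str,
                   now: int, previous_date: Optional[int] = None) -> str:
    """Return "accept" or a "reject: ..." verdict for a fetched tag.

    previous_date is the date from the tag already on disk (update fetch)
    or None for an initial fetch.
    """
    if keyprint(pub) != pinned_keyprint:          # 1. key pin
        return "reject: public key does not match KEYPRINT"
    if not verify(tag, sig, pub):                 # 2. signature on the tag
        return "reject: bad signature on tag"
    fields = tag.decode().split("|")              # 3. parse the tag
    if len(fields) != 3 or fields[0] != "portsnap" or not fields[1].isdigit():
        return "reject: malformed tag"
    snapshot_date = int(fields[1])
    if previous_date is not None:                 # 4. anti-rollback on update
        if snapshot_date < previous_date:
            return "reject: snapshot older than the one already installed"
    elif snapshot_date < now - ONE_YEAR:          # 4'. loose window on first fetch
        return "reject: snapshot more than a year old"
    return "accept"


def demo(now: int = 1_359_360_000) -> dict:
    """Exercise the scenarios from the mail; returns scenario -> verdict.

    `now` is a constructed epoch time (late January 2013)."""
    day = 86400
    pub, d = toy_keypair(1000003, 1000033)
    pinned = keyprint(pub)
    snap_hash = hashlib.sha256(b"constructed snapshot").hexdigest()
    results = {}
    # Fresh, genuinely signed snapshot on an initial fetch.
    fresh = make_tag(now - day, snap_hash)
    results["fresh_initial"] = check_snapshot(fresh, sign(fresh, pub, d), pub, pinned, now)
    # Replay of a genuine snapshot far older than a year, initial fetch.
    stale = make_tag(now - 400 * day, snap_hash)
    results["stale_initial"] = check_snapshot(stale, sign(stale, pub, d), pub, pinned, now)
    # Replay of a genuine 30-day-old snapshot: initial fetch takes it ...
    old = make_tag(now - 30 * day, snap_hash)
    results["month_old_initial"] = check_snapshot(old, sign(old, pub, d), pub, pinned, now)
    # ... but an update fetch with a newer tag already on disk refuses it.
    results["month_old_update"] = check_snapshot(old, sign(old, pub, d), pub, pinned, now,
                                                 previous_date=now - day)
    # Tag altered after signing.
    results["tampered"] = check_snapshot(fresh.replace(b"portsnap", b"portsnaP"),
                                         sign(fresh, pub, d), pub, pinned, now)
    # Tag signed with a different key whose fingerprint is not the pinned one.
    other_pub, other_d = toy_keypair(1000037, 1000039)
    results["wrong_key"] = check_snapshot(fresh, sign(fresh, other_pub, other_d),
                                          other_pub, pinned, now)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The interesting row is `month_old_initial`: a correctly signed but superseded snapshot passes the initial-fetch window, which is exactly why a replayed snapshot can only be caught by the date-monotonicity check that an existing tag on disk makes possible.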
