Date:      Wed, 10 Aug 2016 12:58:13 +0100
From:      core-secretary@freebsd.org
To:        freebsd-announce@freebsd.org
Subject:   [FreeBSD-Announce] FreeBSD Core statement on recent freebsd-update and related vulnerabilities
Message-ID:  <20160810115813.GA86720@smtp.infracaninophile.co.uk>



Dear FreeBSD Community:

The FreeBSD Core team and FreeBSD Security team would like to update the
community on the reports of security vulnerabilities in freebsd-update,
portsnap, libarchive, and bspatch.

We understand the severity of this issue, and are actively working to resolve
the issues and improve the security of FreeBSD.

A recent post[1] to the freebsd-security@ list raised a number of questions[2]
and we would like to address those.

  1. Since there are known vulnerabilities in freebsd-update and
     portsnap, why has there been no notification to the community
     from secteam@?

  As a general rule, the FreeBSD Security Officer does not announce
  vulnerabilities for which there is no released patch. We are
  reviewing this policy for cases where a proof-of-concept or working
  exploit is already public.

  2. Why was there no mention of the fact that running freebsd-update
     to install the fix for the bspatch advisory [SA-16:25] may actually
     expose users to the vulnerability?

  To be exposed, a user would need to be under an active
  Man-In-The-Middle attack when fetching patches. The Security
  Advisory did not contain information on the theoretical implications
  of the vulnerability. A more explicit paragraph in the 'Impact'
  statement may have been warranted. As always, instructions on how to
  compile the patched bspatch manually rather than using
  freebsd-update were provided as part of the advisory.

  3. The patch included in SA-16:25 is incomplete, and may still
     permit heap corruption. The patch included in the document dump
     is more complete. Why only a partial fix?

  After discussion with the author of bspatch (Colin Percival, a
     former FreeBSD Security Officer himself), the FreeBSD Security Team
  found that the proposed patch added restrictions that may break
  (legitimate) functionality in bspatch, possibly preventing some
  valid patch files from being accepted. While a full fix is being
  developed, the shorter patch which resolves the main vulnerability
  was immediately released. This resolves the most critical issue in
  the report. This smaller patch is safe, in that it does not risk
  breaking bspatch while still resolving the attack vector of the
  provided exploit code. The larger patch is still under development
  and will be released once all of the issues have been
  addressed. Automated fuzz testing is underway to search for any
  additional memory corruption bugs.

Great care must be taken when updating the binary upgrade utility, as it
becomes much more difficult to fix after the fact, as the updater is then
broken. There are delicate interactions between the components that must be
thoroughly tested before the patch is released.

As of yet, patches for the libarchive vulnerabilities have not been released
upstream to be pulled into FreeBSD. In the meantime, HardenedBSD has created
patches for some of the libarchive vulnerabilities. The first[3] is being
considered for inclusion in FreeBSD, at least until a complete fix is
committed upstream; however, the second[4] is considered too brute-force and
will not be committed as-is. Once the patches are in FreeBSD and updated
binaries are available, a Security Advisory will be issued.

The Security team is working on redesigning freebsd-update and portsnap to do
signature verification on all downloaded files before they are processed by
libarchive/tar, bspatch, or any other utilities. However, this change requires
modifying the metadata format used in the utilities, and care must be taken to
preserve compatibility with the existing clients, so the existing clients can
be used to install the future updates. Users will of course have the option to
build/apply the patches themselves if they do not feel comfortable using
freebsd-update to do so.
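The ordering described above (authenticate every downloaded file before it reaches libarchive, bspatch or any other parser) is the key design point. The following is an added illustration, not code from freebsd-update, portsnap or the FreeBSD project: a signed manifest of SHA-256 digests is checked first, each download is checked against the manifest, and only then is the payload handed to the (stand-in) patch parser. The manifest "signature" uses HMAC-SHA256 with a constructed key purely so the example runs on the Python standard library; a real updater would verify a public-key signature against a key shipped with the client. All file contents and digests below are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real updater the client would hold only a public
# key and verify a detached signature; HMAC is a stdlib-only stand-in here.
DEMO_KEY = b"demo-manifest-signing-key (constructed)"


def sign_manifest(manifest: dict) -> tuple:
    """Serialize the manifest deterministically and return (payload, signature)."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    sig = hmac.new(DEMO_KEY, payload, hashlib.sha256).hexdigest()
    return payload, sig


def verify_manifest(payload: bytes, sig: str) -> dict:
    """Parse the manifest only after its signature has been checked."""
    expected = hmac.new(DEMO_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("manifest signature mismatch")
    return json.loads(payload)


def verify_download(name: str, data: bytes, manifest: dict) -> bytes:
    """Return the downloaded bytes only if their digest matches the signed manifest."""
    listed = manifest.get(name)
    if listed is None:
        raise ValueError(f"{name}: not listed in signed manifest")
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, listed):
        raise ValueError(f"{name}: digest mismatch, refusing to process")
    return data


def process_patch(data: bytes) -> int:
    """Stand-in for bspatch/libarchive. Parsing of untrusted input happens
    only here, i.e. only after authentication succeeded. Returns the size."""
    return len(data)


def try_apply(name: str, data: bytes, payload: bytes, sig: str) -> tuple:
    """Full client flow: verify manifest -> verify file -> parse.
    Returns ("ok", size) or ("rejected", reason); the parser never sees
    unverified bytes."""
    try:
        manifest = verify_manifest(payload, sig)
        verified = verify_download(name, data, manifest)
        return ("ok", process_patch(verified))
    except ValueError as err:
        return ("rejected", str(err))


# Constructed sample: one patch file published by the (hypothetical) server.
GOOD_PATCH = b"BSDIFF40 constructed patch body, not a real patch"
MANIFEST_PAYLOAD, MANIFEST_SIG = sign_manifest(
    {"base.patch": hashlib.sha256(GOOD_PATCH).hexdigest()}
)
# What an on-path attacker might substitute for the patch bytes.
TAMPERED_PATCH = GOOD_PATCH + b"\x00extra"


def demo() -> dict:
    """Run the three cases a client must distinguish."""
    return {
        "genuine": try_apply("base.patch", GOOD_PATCH, MANIFEST_PAYLOAD, MANIFEST_SIG),
        "tampered_file": try_apply("base.patch", TAMPERED_PATCH, MANIFEST_PAYLOAD, MANIFEST_SIG),
        "tampered_manifest": try_apply(
            "base.patch", GOOD_PATCH, MANIFEST_PAYLOAD.replace(b"base", b"bass"), MANIFEST_SIG
        ),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point to notice is that `process_patch` is unreachable for the two tampered cases: a modified download fails the digest check, and a modified manifest fails the signature check, so neither ever reaches the parser that the advisories above are about. The compatibility concern raised in the text is also visible here: the manifest format (`payload`) is what old and new clients must agree on.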

The security team is working diligently to resolve the issues and provide
timely, correct fixes for all known issues. Please subscribe to the
freebsd-security-notifications@ mailing-list to receive notifications of any
future Security Advisories.

[1]https://lists.freebsd.org/pipermail/freebsd-security/2016-July/009016.html
[2]https://lists.freebsd.org/pipermail/freebsd-security/2016-July/009019.html
[3]https://github.com/HardenedBSD/hardenedBSD/commit/acc5eaecbe4970cfb96d9549fe7dc8ceb4676557
[4]https://github.com/HardenedBSD/hardenedBSD/commit/6a6ac73ae630927b2dd996df3cd85c8c612c459c
