From owner-freebsd-security@freebsd.org Wed Aug 10 13:34:10 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D3ECABB4165 for ; Wed, 10 Aug 2016 13:34:10 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: from mail-wm0-x22c.google.com (mail-wm0-x22c.google.com [IPv6:2a00:1450:400c:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 79E001D6D for ; Wed, 10 Aug 2016 13:34:10 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: by mail-wm0-x22c.google.com with SMTP id f65so91256497wmi.0 for ; Wed, 10 Aug 2016 06:34:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=date:from:to:subject:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=zVdyCG25xvCVf+R2W20Edt48DDg9CRhayfvr+q5xDJg=; b=qDQuRbEWBVBYqV9q7ET7ZLO8Jp7DqXzDESI5rdDJk3G4LLvsZhOx1wjTWNyA2D5I8l ubQDimM0bOrlwZ06zQf7diJvyWa0UdiQJr2fvXxOeUNwH3a6bkwmABAoDinhthDujKOA bT3WR2NFIe3S3BEdHoC3ApWfdNGs3/KlDNKvHcaHUMuqy1pKTN82R1jGhvWOKqeb08Rr nVFcQGK7fKtI5/K4GqBL7CtZLQOzE8hYX7BqpdkwwjZJAsf7hwD+G+RpMsUpny1+/qKh GuY9RBB5Xu+CjrUDTDWN7ccsxx28kPph5wXwVPX4zmhaq66oou+s4EQ5Psnw1DDKfF/Q h5/A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:subject:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=zVdyCG25xvCVf+R2W20Edt48DDg9CRhayfvr+q5xDJg=; b=hjOh+CVKV7W+qekAq4TxbesYvxuk4OlNySi5UHeQQDGK2zGMUZ8O/WNnLwjATOe0my S7F1jsL8d9yDqZVXoS5ymhLq4dI7fIKnH6/KkYSP5Q1uM87qgDYfKHvAkwtB9HHTm874 7WtXyZkmmbR+HlITpVJcItMdmytSFXw8vmALJPejqFTSD5PKgFzn4dWDvz30HudZPAuv 8AkeYdrQi/pep4zHgEw2r+PRorvXZf+ASywnQjO7/7F1GCTwVMtS4Ju38Ave7SZyKwXx 7nG3aKIrjaX/9iBHaG++wWZ1BlGrMcyK55fbMberBI+5ajMenrIh8IJ0mqHv4GulQIvT aBNA== X-Gm-Message-State: AEkoouvvxGK7gneWkfOu5XoksTqJXmtotiFWHavDlkJaoOB1Gr07y6OvYSqKZXqFbovjqw== X-Received: by 10.28.24.5 with SMTP id 5mr3468258wmy.6.1470836048093; Wed, 10 Aug 2016 06:34:08 -0700 (PDT) Received: from gumby.homeunix.com ([81.171.97.84]) by smtp.gmail.com with ESMTPSA id a184sm4961273wmh.1.2016.08.10.06.34.05 for (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 10 Aug 2016 06:34:07 -0700 (PDT) Date: Wed, 10 Aug 2016 14:34:03 +0100 From: RW To: freebsd-security@freebsd.org Subject: Re: freebsd-update and portsnap users still at risk of compromise Message-ID: <20160810143403.5c3d8875@gumby.homeunix.com> In-Reply-To: <6bd80e384e443e5de73fb951e973b221@vfemail.net> References: <6bd80e384e443e5de73fb951e973b221@vfemail.net> X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.29; amd64-portbld-freebsd10.2) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Aug 2016 13:34:10 -0000 On Fri, 29 Jul 2016 03:49:39 +0000 Martin Schroeder wrote: > I've been analyzing the document extensively since then. The targets > are as follows: > > [1] portsnap via portsnap vulnerabilities > [2] portsnap via libarchive & tar anti-sandboxing vulnerabilities > [3] portsnap via bspatch vulnerabilities I only had a quick look so I might have missed something - am I right in thinking that all the portsnap attacks rely on an attacker substituting the initial tarball? If so then then fixing this doesn't really effect existing users in the short term. Either you're already compromised, or your snapshot will remain secure until you manually delete it.