Stefan Blachmann
2021-Apr-06 01:11 UTC
Security leak: Public disclosure of user data without their consent by installing software via pkg
Hello,

I had a very distressing experience today. I installed a package to view its scripts (and *not* to run them!).

I was shocked when pkg told me that my system configuration, including which packages and their versions are installed on my system, has been sent to an external entity, without asking for my consent.

This is a security leak as well as a breach of EU data protection rules, but above all, it is a breach of trust of the unsuspecting FreeBSD users.

Read this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152
And read my experience in this and the following forum posts: https://forums.freebsd.org/threads/toplist-freebsd-usage-per-1m-inhabitants.79669/post-504430

If this does not get fixed in a short time, I will contact ArsTechnica, TheRegister and some other reputed IT news outlets, to create public pressure to get the issue resolved.

So please get this fixed and report back.

Sincerely,
Stefan Blachmann
Shawn Webb
2021-Apr-06 14:27 UTC
Security leak: Public disclosure of user data without their consent by installing software via pkg
On Tue, Apr 06, 2021 at 03:11:31AM +0200, Stefan Blachmann wrote:
> Hello,
>
> I had a very distressing experience today.
> I installed a package to view its scripts (and *not* to run them!).
>
> I was shocked when pkg told me that my system configuration, including
> which packages and their versions are installed on my system, has been
> sent to an external entity, without asking for my consent.
>
> This is a security leak as well as a breach of EU data protection
> rules, but above all, it is a breach of trust of the unsuspecting
> FreeBSD users.
>
> Read this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152
> And read my experience in this and the following forum posts:
> https://forums.freebsd.org/threads/toplist-freebsd-usage-per-1m-inhabitants.79669/post-504430
>
> If this does not get fixed in short time, I will contact ArsTechnica,
> TheRegister and some other reputed IT news outlets, to create public
> pressure to get the issue resolved.
>
> So please get this fixed and report back.

1. BSDStats isn't run/maintained by the FreeBSD project. File the report with the BSDStats project, not FreeBSD.
2. You install a package that is made to submit statistical data.
3. You're upset that it submits statistical data?

lolwut,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
Dewayne Geraghty
2021-Apr-08 04:39 UTC
Security leak: Public disclosure of user data without their consent by installing software via pkg
The prevailing paradigm is that a package install requires an affirming action in rc.conf. Neither "man pkg-add" nor "man pkg-install" explicitly states that an installed package will do other than perform installation and updating steps. At best, it is implied that installation scripts are run by the existence of -I, which prevents installation scripts from running in both (pkg add, pkg install), but this is to *perform* an installation.

It must be noted that the porter's handbook states unambiguously that "Important: This script [Ed: during pkg add, pkg install] is here to help you set up the package so that it is as ready to use as possible. It must not be abused to start services, stop services, or run any other commands that will modify the currently running system."
Ref: https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html

I'd suggest that the man pages be updated to explicitly align with the porter's handbook, as installation does not imply consent to execute.

Stefan, I've been involved in quite a few privacy breaches (from a server perspective) so I appreciate the elevated level of concern. I'd suggest that you review https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504&qid=1532348683434 as the GDPR relates to natural persons and data pertaining to them. The transmission of data pertaining to applications and their version may be a security risk, but it isn't a breach against a natural person's privacy. However, as a data controller you may have an obligation IF you have installed bsdstats onto individual workstations/PCs, as I suspect that this falls under the personal data related to an individual, hence subject to data protection rules.

To avoid unnecessary disclosure, as I see no reason to share information with hacking entities, I'm sharing my /etc/periodic.conf:

    monthly_statistics_enable="YES"
    monthly_statistics_report_devices="YES"
    monthly_statistics_report_ports="NO"

Kind regards,
Dewayne
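Added example, not from this thread and not part of pkg(8) or bsdstats: it covers both Stefan's wish to read a package's scripts without running them and Dewayne's periodic.conf opt-out. It assumes a pkg archive is a tar file whose "+MANIFEST" member is JSON with a "scripts" object keyed by stage (the stage names and the network heuristic are assumptions); the sample archive it builds is constructed for offline use.

```python
import io
import json
import os
import tarfile
import tempfile

# Script stages assumed to live under "scripts" in a pkg(8) manifest.
SCRIPT_STAGES = ("pre-install", "post-install", "install",
                 "pre-deinstall", "post-deinstall", "deinstall",
                 "pre-upgrade", "post-upgrade", "upgrade")
# Constructed heuristic: substrings suggesting a script talks to the network.
NETWORK_HINTS = ("fetch ", "curl ", "wget ", "http://", "https://")


def read_manifest(archive_path):
    """Parse +MANIFEST from a .pkg/.txz archive; nothing is extracted or run.
    Obtain the archive without installing: pkg fetch -y -o /tmp/inspect cat/name
    (pkg places it under /tmp/inspect/All/)."""
    with tarfile.open(archive_path, "r:*") as tar:
        return json.load(tar.extractfile("+MANIFEST"))


def package_scripts(archive_path):
    """Map script stage -> script body for every script the package carries."""
    scripts = read_manifest(archive_path).get("scripts") or {}
    return {s: body for s, body in scripts.items() if s in SCRIPT_STAGES}


def scripts_with_network_hints(archive_path):
    """Stages whose script body looks like it may send data off the host."""
    return sorted(s for s, body in package_scripts(archive_path).items()
                  if any(h in body for h in NETWORK_HINTS))


def statistics_knobs(periodic_conf_text):
    """Read monthly_statistics_* knobs from /etc/periodic.conf-style text."""
    knobs = {}
    for line in periodic_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("monthly_statistics_") and "=" in line:
            key, value = line.split("=", 1)
            knobs[key.strip()] = value.strip().strip('"')
    return knobs


def build_sample_archive(dest_dir=None):
    """Write a constructed (fake) package archive for offline use; return its path."""
    path = os.path.join(dest_dir or tempfile.mkdtemp(), "sample-1.0.pkg")
    manifest = {"name": "sample", "version": "1.0", "scripts": {
        "post-install": "#!/bin/sh\nfetch -o /dev/null https://example.invalid/r\n",
        "pre-deinstall": "#!/bin/sh\nrm -f /var/db/sample.state\n"}}
    data = json.dumps(manifest).encode()
    with tarfile.open(path, "w:xz") as tar:
        info = tarfile.TarInfo("+MANIFEST")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return path
```

A script flagged by scripts_with_network_hints is a reason to read it in full and, if you still want the package, to install with -I and enable any reporting knob deliberately.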