Shawn Webb
2021-Apr-06 14:27 UTC
Security leak: Public disclosure of user data without their consent by installing software via pkg
On Tue, Apr 06, 2021 at 03:11:31AM +0200, Stefan Blachmann wrote:
> Hello,
>
> I had a very distressing experience today.
> I installed a package to view its scripts (and *not* to run them!).
>
> I was shocked when pkg told me that my system configuration, including
> which packages and their versions are installed on my system, has been
> sent to an external entity, without asking for my consent.
>
> This is a security leak as well as a breach of EU data protection
> rules, but above all, it is a breach of trust of the unsuspecting
> FreeBSD users.
>
> Read this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152
> And read my experience in this and the following forum posts:
> https://forums.freebsd.org/threads/toplist-freebsd-usage-per-1m-inhabitants.79669/post-504430
>
> If this does not get fixed in short time, I will contact ArsTechnica,
> TheRegister and some other reputed IT news outlets, to create public
> pressure to get the issue resolved.
>
> So please get this fixed and report back.

1. BSDStats isn't run/maintained by the FreeBSD project. File the report with the BSDStats project, not FreeBSD.
2. You install a package that is made to submit statistical data.
3. You're upset that it submits statistical data?

lolwut,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
Miroslav Lachman
2021-Apr-06 14:39 UTC
Security leak: Public disclosure of user data without their consent by installing software via pkg
On 06/04/2021 16:27, Shawn Webb wrote:
> 1. BSDStats isn't run/maintained by the FreeBSD project. File the
> report with the BSDStats project, not FreeBSD.
> 2. You install a package that is made to submit statistical data.
> 3. You're upset that it submits statistical data?

The problem here is that it collects and sends data right at the install time. It is really unexpected to run an installed package without user consent. If you install Apache, MySQL or any other package, the command / daemon is not run by the "pkg install" command. This must be avoided.

Kind regards
Miroslav Lachman
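The point raised in this reply is that the data collection does not wait for the user to run the program: it runs from a hook that pkg executes during installation. Reviewing such hooks before installing, which is what the original poster set out to do, does not require running them. The following is an added example, not code from this thread, from pkg or from BSDStats. It assumes that a pkg archive is a compressed tar archive whose +MANIFEST member is a JSON document, and that install-time shell hooks sit under its "scripts" object keyed by phase name ("pre-install", "post-install"). The package name, file name, marker list and the sample archive are all constructed for the example.

```python
"""Inspect a FreeBSD pkg archive for install-time scripts without installing it.

Added example (not from the thread, pkg or BSDStats). Assumed layout: a pkg
archive is a compressed tar archive with a +MANIFEST JSON member whose
"scripts" object maps phase names to shell script text.
"""
import io
import json
import os
import tarfile
import tempfile

# Phases whose scripts run on the installing host during "pkg install".
INSTALL_PHASES = ("pre-install", "post-install")

# Illustrative review markers: commands that reach the network or enumerate the host.
DEFAULT_MARKERS = ("fetch", "curl", "wget", "pkg info", "uname")


def read_manifest(archive_path):
    """Return the parsed +MANIFEST of a pkg archive as a dict (nothing is executed)."""
    with tarfile.open(archive_path, "r:*") as tar:  # auto-detects gzip/bz2/xz
        try:
            member = tar.getmember("+MANIFEST")
        except KeyError:
            raise ValueError("archive has no +MANIFEST member")
        with tar.extractfile(member) as fh:
            return json.loads(fh.read().decode("utf-8"))


def install_time_scripts(archive_path):
    """Map phase name -> script text for every hook that would run at install time."""
    manifest = read_manifest(archive_path)
    scripts = manifest.get("scripts") or {}
    return {phase: body for phase, body in scripts.items() if phase in INSTALL_PHASES}


def suspicious_lines(script_text, markers=DEFAULT_MARKERS):
    """Non-comment lines of a script that match a marker; a review aid, not a verdict."""
    return [ln.strip() for ln in script_text.splitlines()
            if any(m in ln for m in markers) and not ln.strip().startswith("#")]


def build_sample_archive(path):
    """Constructed sample: a minimal archive whose post-install hook reports the package list."""
    manifest = {
        "name": "example-stats",          # constructed package name
        "version": "1.0",
        "scripts": {
            "post-install": "#!/bin/sh\npkg info > /tmp/pkglist\n"
                            "fetch -o /dev/null http://example.invalid/report\n",
            "post-deinstall": "#!/bin/sh\nrm -f /tmp/pkglist\n",
        },
    }
    data = json.dumps(manifest).encode("utf-8")
    with tarfile.open(path, "w:gz") as tar:
        info = tarfile.TarInfo("+MANIFEST")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return path


def demo():
    """Build the constructed sample in a temp dir and return its install-time scripts."""
    path = build_sample_archive(os.path.join(tempfile.mkdtemp(), "example-stats-1.0.pkg"))
    return install_time_scripts(path)


if __name__ == "__main__":
    for phase, body in demo().items():
        print(f"== {phase} ==")
        for line in suspicious_lines(body):
            print("  !", line)
```

On a real system the archive can be downloaded without installing it using pkg's fetch subcommand (its -o option selects the output directory), after which `install_time_scripts` can be pointed at the downloaded file; the post-deinstall hook in the sample is deliberately left out of the result because it does not run during installation.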