Shawn Webb
2021-Apr-06 14:42 UTC
Security leak: Public disclosure of user data without their consent by installing software via pkg
On Tue, Apr 06, 2021 at 04:39:40PM +0200, Miroslav Lachman wrote:
> On 06/04/2021 16:27, Shawn Webb wrote:
>
> > 1. BSDStats isn't run/maintained by the FreeBSD project. File the
> > report with the BSDStats project, not FreeBSD.
> > 2. You install a package that is made to submit statistical data.
> > 3. You're upset that it submits statistical data?
>
> The problem here is that it collects and sends data right at the install
> time. It is really unexpected to run an installed package without user consent.
> If you install Apache, MySQL or any other package the command / daemon is not
> run by "pkg install" command.
> This must be avoided.

It's probably easier to submit a patch than it is to write a
lolwut-type email. All you gotta do is rm the post-install script.
Also `pkg install` has the -I option. But whatever, let the lolwut
mentality prevail!

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
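The check a practitioner would want before taking either route mentioned above (removing the post-install script, or passing `-I`, the `--no-install-scripts` flag of pkg-install(8)) is to see what install-time hooks a package actually ships. The script below is an added example written for this page; it is not code from the thread, from BSDStats or from pkg(8). It reads the `+MANIFEST` member of a package archive, lists the script hooks found under its `scripts` (or `lua_scripts`) key, prints the post-install body, and chooses between `pkg install` and `pkg install -I`. The package names, manifests and archives it builds (`example-stats`, `plain-lib`) are constructed for the demonstration and are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread, from BSDStats or from pkg(8):
# list the install-time script hooks a FreeBSD package ships before deciding
# whether to install it with `pkg install -I` (--no-install-scripts).
#
# A pkg archive is a tar file (compressed in practice; bsdtar and GNU tar
# autodetect that on extract) whose +MANIFEST member is a JSON-style UCL
# document. Install-time hooks live under its "scripts" key, and newer pkg
# versions also carry Lua hooks under "lua_scripts" with the same hook names
# (see pkg-create(8)).
set -eu

# Print the hook names (pre-/post-install, -deinstall, -upgrade) found in the
# archive's +MANIFEST, one per line, sorted; prints nothing when there are none.
# The manifest is flattened to one line first because UCL may be pretty-printed.
list_install_hooks() {
    archive=$1
    tar -xOf "$archive" +MANIFEST \
        | tr -d '\n' \
        | grep -E -o '"(pre|post)-(install|deinstall|upgrade)"[[:space:]]*:' \
        | tr -d '":[:space:]' \
        | sort -u
}

# Print the post-install hook body so its effect can be judged before install.
# Simple string extraction: a body containing escaped quotes would be cut
# short; for real packages prefer `pkg info -R` and a proper JSON parser.
show_post_install() {
    archive=$1
    tar -xOf "$archive" +MANIFEST \
        | tr -d '\n' \
        | sed -n 's/.*"post-install"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Print the pkg(8) command to run: add -I when the package would execute a
# script at install time. Caveat: -I skips every hook, including ones the
# package may genuinely need (creating a service user, for instance), so read
# the hook body first rather than passing -I blindly.
install_command() {
    archive=$1
    name=$2
    if [ -n "$(list_install_hooks "$archive")" ]; then
        printf 'pkg install -I %s\n' "$name"
    else
        printf 'pkg install %s\n' "$name"
    fi
}

# Constructed sample: a hypothetical package "example-stats" whose post-install
# hook runs the freshly installed program, the pattern the thread objects to.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/+MANIFEST" <<'EOF'
{"name":"example-stats","origin":"sysutils/example-stats","version":"1.0","prefix":"/usr/local","scripts":{"post-install":"#!/bin/sh\n/usr/local/sbin/example-stats -r"}}
EOF
tar -cf "$demo_dir/example-stats-1.0.pkg" -C "$demo_dir" +MANIFEST

# Second constructed sample with no install hooks, for contrast.
mkdir "$demo_dir/plain"
printf '%s\n' '{"name":"plain-lib","origin":"devel/plain-lib","version":"2.3","prefix":"/usr/local"}' \
    > "$demo_dir/plain/+MANIFEST"
tar -cf "$demo_dir/plain-lib-2.3.pkg" -C "$demo_dir/plain" +MANIFEST

for pkgfile in "$demo_dir/example-stats-1.0.pkg" "$demo_dir/plain-lib-2.3.pkg"; do
    name=$(basename "$pkgfile" .pkg)
    echo "== $name"
    echo "hooks: $(list_install_hooks "$pkgfile" | tr '\n' ' ')"
    echo "post-install body: $(show_post_install "$pkgfile")"
    echo "command: $(install_command "$pkgfile" "${name%-*}")"
done
```

On a real system the archive would come from `pkg fetch -o <dir> <name>` rather than being built inline; the hook listing and the decision logic are the same.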
Gordon Tetlow
2021-Apr-06 14:56 UTC
Security leak: Public disclosure of user data without their consent by installing software via pkg
On Apr 6, 2021, at 7:42 AM, Shawn Webb <shawn.webb at hardenedbsd.org> wrote:
>
> On Tue, Apr 06, 2021 at 04:39:40PM +0200, Miroslav Lachman wrote:
>> On 06/04/2021 16:27, Shawn Webb wrote:
>>
>>> 1. BSDStats isn't run/maintained by the FreeBSD project. File the
>>> report with the BSDStats project, not FreeBSD.
>>> 2. You install a package that is made to submit statistical data.
>>> 3. You're upset that it submits statistical data?
>>
>> The problem here is that it collects and sends data right at the install
>> time. It is really unexpected to run an installed package without user consent.
>> If you install Apache, MySQL or any other package the command / daemon is not
>> run by "pkg install" command.
>> This must be avoided.
>
> It's probably easier to submit a patch than it is to write a
> lolwut-type email. All you gotta do is rm the post-install script.
> Also `pkg install` has the -I option. But whatever, let the lolwut
> mentality prevail!

I had a conversation on the side with the requestor. In short, there is already a patch to address this issue in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152. Not sure why it hasn't been committed yet, but hopefully it gets picked up shortly.

Gordon