Andre Rekovic
2013-Jan-28 08:07 UTC
Is portsnap secure or isn't it? (2012 compromise and general reflections)
Hi,

I've been trying to make sense of the details on the 2012 compromise given here:

http://www.freebsd.org/news/2012-compromise.html

To be honest, I find that page very disappointing and wish it had the clarity of a FreeBSD security advisory. With the advisories, there's never been a time I've read the background, problem description, and impact sections and then thought "huh?" I've always understood the threats. Not so with the above page, which is a tangle of details.

I use only freebsd-update(8) and portsnap(8) for updates. I don't use packages; I compile from ports. I last used portsnap in August, which is outside the critical time window mentioned (Sep 19 - Nov 11). Presumably this means I'm OK for the incident in question, but I really have no idea based on my reading of the page.

Now for the tangle of details:

"If you are running a system that has had no third-party packages installed or updated on it between the 19th September and 11th November 2012, you have no reason to worry."

This suggests that ports aren't affected. Someone could read the above, think "nope, I don't pkg_add packages (precompiled binaries)," and bail on the whole page. The ensuing paragraphs, especially with the mention of pkg_add, reinforce this suggestion. But obviously "packages" is used in a loose sense to include ports, because...

"We unfortunately cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through svn.freebsd.org or one of its mirrors."

It's my understanding that any ports trees created/updated via portsnap *between 19th September 2012 and 11th November 2012* may be affected but that ports trees created/updated via portsnap a little outside of that time window should be fine. Is this right? I can't be completely sure from the above quote.

"We have also verified that the most recently-available portsnap(8) snapshot matches the ports Subversion repository, and so can be fully trusted. Please note that as a precaution, newer portsnap(8) snapshots are currently not being generated."

That mentions only the most recently available portsnap snapshot (at the time). Presumably there are suspect snapshots (perhaps those distributed within the critical window).

"If you use portsnap(8), you should portsnap fetch && portsnap extract to the most recent snapshot. The most recent portsnap(8) snapshot has been verified to exactly match the audited Subversion repository. Please note that as a precaution, portsnap(8) updates have been suspended temporarily."

Again allowing the user to infer that some snapshots are suspect.

And that leads to my main query: If there are suspect snapshots, how can that be? How did portsnap security fail?

Port compilation is supposed to be cryptographically secure. The distinfo files in the ports tree contain SHA256 hashes. In theory, this means you know you're getting the version of the source code the port maintainer has OK'd.

The portsnap snapshot is supposed to be cryptographically secure. Assuming you don't play with the -f and -k switches, its cryptographic security hinges on the KEYPRINT in /etc/portsnap.conf. The KEYPRINT in /etc/portsnap.conf wasn't changed after the compromise, so I'm assuming there was no loss of confidence in the associated RSA public key.

I can think of only two explanations for suspect snapshots:

1. An attacker pushing out earlier snapshots signed with the same key. The portsnap shell script appears to defend against this for update fetches (using the timestamp in the tag file) but allows initial fetches to grab a snapshot up to a year old. Really, if this is the only fear, I'm sure many users would rather not wipe their disks and perform a complete reinstall.

2. A deeply troubling approach to how snapshots are (or were) getting signed with the private key (picture a push-button automated signing or a manual signing accompanied by a complete lack of vigilant checking). This approach would completely undermine user confidence in portsnap.

OK, fine:

3. I'm missing something ridiculously obvious and won't show my face in public for a few months.

Please, could someone clear this up for us users.
John Baldwin
2013-Jan-28 19:09 UTC
Is portsnap secure or isn't it? (2012 compromise and general reflections)
On Monday, January 28, 2013 3:07:31 am Andre Rekovic wrote:
> "We unfortunately cannot guarantee the integrity of any packages
> available for installation between 19th September 2012 and 11th
> November 2012, or of any ports compiled from trees obtained via any
> means other than through svn.freebsd.org or one of its mirrors."
>
> It's my understanding that any ports trees created/updated via
> portsnap *between 19th September 2012 and 11th November 2012* may be
> affected but that ports trees created/updated via portsnap a little
> outside of that time window should be fine. Is this right? I can't be
> completely sure from the above quote.

Your assumption is correct. The root issue here is that there are two repositories that hold the ports tree, SVN and CVS. The CVS repository is updated by a script that replays each SVN commit into the CVS repository, allowing downstream users of CVS via cvsup or other means to continue using the ports tree after it was switched from CVS to SVN. The issue in this case is that while the SVN repository is known to be completely fine, the CVS repository is not and is considered suspect.

> "We have also verified that the most recently-available
> portsnap(8) snapshot matches the ports Subversion repository, and so
> can be fully trusted. Please note that as a precaution, newer
> portsnap(8) snapshots are currently not being generated."

The meaning of this is that we have verified that after the end date (11th November 2012), we know that the ports CVS and SVN trees are fully in sync. We also know that they are in sync going forward. However, during that window, CVS is suspect. The important point here for portsnap is that portsnap snapshots are generated from the CVS repository.

> That mentions only the most recently available portsnap snapshot (at
> the time). Presumably there are suspect snapshots (perhaps those
> distributed within the critical window).

Correct, any snapshot generated while the CVS tree was suspect is suspect. The problem here is that portsnap's trusted source was suspect. :(

> I can think of only two explanations for suspect snapshots:
>
> 2. A deeply troubling approach to how snapshots are (or were) getting
> signed with the private key (picture a push-button automated signing
> or a manual signing accompanied by a complete lack of vigilant
> checking). This approach would completely undermine user confidence in
> portsnap.

I think it is closer to the latter with the implicit assumption that the CVS repository could be trusted. I do think it is going to switch to pulling from SVN (if it hasn't already), but you still have the issue of knowing how you can trust the repository being used for snapshots.

-- 
John Baldwin
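An added example, not portsnap's own code, that models the client-side policy checks Andre describes (keyprint pinning, the tag timestamp guarding update fetches, the one-year bound on initial fetches) and the point John makes: a snapshot signed by the right key is still suspect if it was generated from the suspect CVS tree in the advisory window. The tag layout, the key material and the exact freshness rules are assumptions constructed for this example, not taken from the script.

```python
# Added example, not portsnap's own code. Models the checks applied to a
# snapshot tag *after* its signature has verified: a valid signature says
# who built the snapshot, not that the builder's input tree was trustworthy.
import calendar
import hashlib

YEAR = 365 * 24 * 3600

def utc(y, m, d):
    """Epoch seconds for midnight UTC on the given date."""
    return calendar.timegm((y, m, d, 0, 0, 0))

# Advisory window (19 Sep through 11 Nov 2012); the end bound is exclusive.
SUSPECT_WINDOW = (utc(2012, 9, 19), utc(2012, 11, 12))

# Constructed key material: stand-ins for pub.ssl and for the KEYPRINT line
# in /etc/portsnap.conf (the real keyprint is SHA256 of the real key).
SAMPLE_PUB_KEY = b"-----CONSTRUCTED PUBLIC KEY, NOT A REAL ONE-----"
SAMPLE_KEYPRINT = hashlib.sha256(SAMPLE_PUB_KEY).hexdigest()

def keyprint_ok(pub_key: bytes, keyprint: str) -> bool:
    """Pin the builder's public key: SHA256(pub.ssl) must match KEYPRINT."""
    return hashlib.sha256(pub_key).hexdigest() == keyprint

def make_tag(date: int, snap_hash: str = "ab" * 32) -> str:
    """Constructed tag in an assumed 'portsnap <snapshot-hash> <epoch>' layout."""
    return f"portsnap {snap_hash} {date}"

def parse_tag(tag: str):
    name, snap_hash, date = tag.split()
    if name != "portsnap" or len(snap_hash) != 64:
        raise ValueError("malformed tag")
    return snap_hash, int(date)

def check_snapshot(tag: str, now: int, have_date=None) -> str:
    """Verdict for a signed tag. have_date is the epoch of the snapshot
    already on disk (None for an initial fetch)."""
    _snap_hash, date = parse_tag(tag)
    if date > now + 3600:
        return "future"      # clock skew, or a tag claiming a future build
    if have_date is not None and date < have_date:
        return "rollback"    # update fetch: an older signed snapshot is a replay
    if have_date is None and date < now - YEAR:
        return "stale"       # initial fetch: the one-year bound Andre mentions
    if SUSPECT_WINDOW[0] <= date < SUSPECT_WINDOW[1]:
        return "suspect"     # signed by the right key, but built from suspect CVS
    return "ok"
```

Andre's August fetch comes back "ok" under these rules, while a snapshot dated inside the window is "suspect" even though nothing about its signature is wrong.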