core-secretary at freebsd.org
2016-Aug-10 11:58 UTC
[FreeBSD-Announce] FreeBSD Core statement on recent freebsd-update and related vulnerabilities
Dear FreeBSD Community:
The FreeBSD Core team and FreeBSD Security team would like to update the
community on the reports of security vulnerabilities in freebsd-update,
portsnap, libarchive, and bspatch.
We understand the severity of this issue, and are actively working to resolve
the issues and improve the security of FreeBSD.
A recent post[1] to the freebsd-security@ list raised a number of questions[2]
and we would like to address those.
1. Since there are known vulnerabilities in freebsd-update and
portsnap, why has there been no notification to the community
from secteam@?
As a general rule, the FreeBSD Security Officer does not announce
vulnerabilities for which there is no released patch. We are
reviewing this policy for cases where a proof-of-concept or working
exploit is already public.
2. Why was there no mention of the fact that running freebsd-update
to install the fix for the bspatch advisory [SA-16:25] may actually
expose users to the vulnerability?
To be exposed, a user would need to be under an active
Man-In-The-Middle attack when fetching patches. The Security
Advisory did not contain information on the theoretical implications
of the vulnerability. A more explicit paragraph in the 'Impact'
statement may have been warranted. As always, instructions on how to
compile the patched bspatch manually rather than using
freebsd-update were provided as part of the advisory.
3. The patch included in SA-16:25 is incomplete, and may still
permit heap corruption. The patch included in the document dump
is more complete. Why only a partial fix?
After discussion with the author of bspatch (Colin Percival, a
former FreeBSD Security Officer himself), The FreeBSD Security Team
found that the proposed patch added restrictions that may break
(legitimate) functionality in bspatch, possibly preventing some
valid patch files from being accepted. While a full fix is being
developed, the shorter patch which resolves the main vulnerability
was immediately released. This resolves the most critical issue in
the report. This smaller patch is safe, in that it does not risk
breaking bspatch while still resolving the attack vector of the
provided exploit code. The larger patch is still under development
and will be released once all of the issues have been
addressed. Automated fuzz testing is underway to search for any
additional memory corruption bugs.
Great care must be taken when updating the binary upgrade utility, as it
becomes much more difficult to fix after the fact, as the updater is then
broken. There are delicate interactions between the components that must be
thoroughly tested before the patch is released.
As of yet, patches for the libarchive vulnerabilities have not been released
upstream to be pulled into FreeBSD. In the meantime, HardenedBSD has created
patches for some of the libarchive vulnerabilities, the first[3] is being
considered for inclusion in FreeBSD, at least until a complete fix is
committed upstream, however the second[4] is considered too brute-force and
will not be committed as-is. Once the patches are in FreeBSD and updated
binaries are available, a Security Advisory will be issued.
The Security team is working on redesigning freebsd-update and portsnap to do
signature verification on all downloaded files before they are processed by
libarchive/tar, bspatch, or any other utilities. However, this change requires
modifying the metadata format used in the utilities, and care must be taken to
preserve compatibility with the existing clients, so the existing clients can
be used to install the future updates. Users will of course have the option to
build/apply the patches themselves if they do not feel comfortable using
freebsd-update to do so.
The security team is working diligently to resolve the issues and provide
timely, correct fixes for all known issues. Please subscribe to the
freebsd-security-notifications@ mailing-list to receive notifications of any
future Security Advisories.
[1]https://lists.freebsd.org/pipermail/freebsd-security/2016-July/009016.html
[2]https://lists.freebsd.org/pipermail/freebsd-security/2016-July/009019.html
[3]https://github.com/HardenedBSD/hardenedBSD/commit/acc5eaecbe4970cfb96d9549fe7dc8ceb4676557
[4]https://github.com/HardenedBSD/hardenedBSD/commit/6a6ac73ae630927b2dd996df3cd85c8c612c459c
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: not available
URL:
<http://lists.freebsd.org/pipermail/freebsd-announce/attachments/20160810/69d8a1d1/attachment.sig>