[FreeBSD-Announce] FreeBSD Core statement on recent freebsd-update and related vulnerabilities

Dear FreeBSD Community: The FreeBSD Core team and FreeBSD Security team would like to update the community on the reports of security vulnerabilities in freebsd-update, portsnap, libarchive, and bspatch. We understand the severity of this issue, and are actively working to resolve the issues and improve the security of FreeBSD. A recent post[1] to the freebsd-security@ list raised a number of questions[2] and we would like to address those. 1. Since there are known vulnerabilities in freebsd-update and portsnap, why has there been no notification to the community from secteam@? As a general rule, the FreeBSD Security Officer does not announce vulnerabilities for which there is no released patch. We are reviewing this policy for cases where a proof-of-concept or working exploit is already public. 2. Why was there no mention of the fact that running freebsd-update to install the fix for the bspatch advisory [SA-16:25] may actually expose users to the vulnerability? To be exposed, a user would need to be under an active Man-In-The-Middle attack when fetching patches. The Security Advisory did not contain information on the theoretical implications of the vulnerability. A more explicit paragraph in the 'Impact' statement may have been warranted. As always, instructions on how to compile the patched bspatch manually rather than using freebsd-update were provided as part of the advisory. 3. The patch included in SA-16:25 is incomplete, and may still permit heap corruption. The patch included in the document dump is more complete. Why only a partial fix? After discussion with the author of bspatch (Colin Percival, a former FreeBSD Security Officer himself), The FreeBSD Security Team found that the proposed patch added restrictions that may break (legitimate) functionality in bspatch, possibly preventing some valid patch files from being accepted. While a full fix is being developed, the shorter patch which resolves the main vulnerability was immediately released. This resolves the most critical issue in the report. This smaller patch is safe, in that it does not risk breaking bspatch while still resolving the attack vector of the provided exploit code. The larger patch is still under development and will be released once all of the issues have been addressed. Automated fuzz testing is underway to search for any additional memory corruption bugs. Great care must be taken when updating the binary upgrade utility, as it becomes much more difficult to fix after the fact, as the updater is then broken. There are delicate interactions between the components that must be thoroughly tested before the patch is released. As of yet, patches for the libarchive vulnerabilities have not been released upstream to be pulled into FreeBSD. In the meantime, HardenedBSD has created patches for some of the libarchive vulnerabilities, the first[3] is being considered for inclusion in FreeBSD, at least until a complete fix is committed upstream, however the second[4] is considered too brute-force and will not be committed as-is. Once the patches are in FreeBSD and updated binaries are available, a Security Advisory will be issued. The Security team is working on redesigning freebsd-update and portsnap to do signature verification on all downloaded files before they are processed by libarchive/tar, bspatch, or any other utilities. However, this change requires modifying the metadata format used in the utilities, and care must be taken to preserve compatibility with the existing clients, so the existing clients can be used to install the future updates. Users will of course have the option to build/apply the patches themselves if they do not feel comfortable using freebsd-update to do so. The security team is working diligently to resolve the issues and provide timely, correct fixes for all known issues. Please subscribe to the freebsd-security-notifications@ mailing-list to receive notifications of any future Security Advisories. [1]https://lists.freebsd.org/pipermail/freebsd-security/2016-July/009016.html [2]https://lists.freebsd.org/pipermail/freebsd-security/2016-July/009019.html [3]https://github.com/HardenedBSD/hardenedBSD/commit/acc5eaecbe4970cfb96d9549fe7dc8ceb4676557 [4]https://github.com/HardenedBSD/hardenedBSD/commit/6a6ac73ae630927b2dd996df3cd85c8c612c459c -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 949 bytes Desc: not available URL: <http://lists.freebsd.org/pipermail/freebsd-announce/attachments/20160810/69d8a1d1/attachment.sig>