
Vulnerability Update: libarchive - utternerd
https://hardenedbsd.org/article/shawn-webb/2016-08-07/vulnerability-update-libarchive
======
2trill2spill
> Around three months ago, a post was published (mirror) on GitHub's Gist
> service. In the report, multiple vulnerabilities against portsnap,
> freebsd-update, bspatch, and libarchive were detailed. To this date,
> FreeBSD has been silent on official mailing lists.

Why didn't the poster file the bugs in the FreeBSD bug tracker and/or contact
the FreeBSD security team? Even posting to the mailing list would have been
better than posting on some random GitHub page. I don't think you can fault
the FreeBSD people for not seeing some random post online.

~~~
SFJulie
Have you tried using some of the bug trackers in FOSS? Debian, Python,
Mozilla, FreeBSD are all quite a pain to use and, most of all, you lose track
of the global picture. Especially when core devs have a tendency to either
leave the bugs open or close them for no reason.

The unsane defaults of FreeBSD are quite well known. Having a list of them
gives the picture.

I actually run FreeBSD to escape systemd insanity. *BSD communities are far
smaller than the Linux one; they are also a little bit «secretive» (compared
to all the docs and books) on how to build drivers.

Since the Linux ecosystem has all the «heavy weight» desktop applications and
FreeBSD has invested quite a lot in Linux compatibility, I fear they lack the
resources to do everything.

But remember that Ubuntu is providing LTS distributions with an amazing
number of heavily used unpatched packages.

The state of security in Linux/Windows/Mac OS X/*BSD is a direct consequence
of the multiplication of bloatware packages that are poorly maintained and
sometimes poorly coded.

There will be a time for cleaning.

~~~
ashitlerferad
Submitting a Debian bug needs a single email with one required header line,
hardly a pain to use.

~~~
jlgaddis
FreeBSD uses Bugzilla, which is a bit more work than that, but certainly
nothing beyond the grasp of anyone on HN.

~~~
talideon
...and significantly easier than the old GNATS-based system that preceded it.

There have been active efforts within the project to make this sort of thing
much easier for newcomers than it used to be.

------
Titanous
If you're interested in securing software update systems, check out The Update
Framework. TUF is the only system I'm aware of that has a comprehensive threat
model for the problem of securely distributing software updates.

[https://theupdateframework.github.io](https://theupdateframework.github.io)

~~~
chriscappuccio
And it has a BSD license, too. Unfortunately it's written in Python. I don't
see Python becoming a requirement to update FreeBSD.

~~~
Titanous
There is also a BSD-licensed version that we wrote in Go:
[https://github.com/flynn/go-tuf](https://github.com/flynn/go-tuf)

~~~
mveety
But then you would have to ship and support a go compiler with base, which is
a similar problem but easier to overcome.

~~~
Titanous
Or ship compiled static binaries.

~~~
feld
This would be more feasible, but we'd still need Go in the src tree so users
can reproduce them.

------
rodgerd
> The libarchive vulnerabilities could allow a malicious third-party to
> distribute update archives that could place arbitrary files on the
> filesystem.

Why do people keep doing this crap every time they re-invent the packaging
wheel? And it's particularly awful from something purporting to be more secure
than vanilla FreeBSD (which generally purports to be "better engineered" than
Linux, where sane behaviour for distributing binaries is a long-solved
problem).
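The failure mode quoted above, an update archive that drops files wherever its entry names point, is what vetting member paths before extraction is meant to prevent. This is an added Python example, not code from the article, HardenedBSD or libarchive; the destination /var/db/update and the archive entries are constructed for illustration.

```python
import io
import os
import tarfile

def _inside(dest, path):
    # Assumes an empty destination (no symlinks to resolve), so normpath suffices.
    full = os.path.normpath(os.path.join(dest, path))
    return os.path.commonpath([dest, full]) == dest

def vet_members(tar, dest):
    """Split a TarFile's members into (safe_members, {name: reason})."""
    dest = os.path.abspath(dest)
    safe, unsafe, bad_links = [], {}, []
    for m in tar.getmembers():
        name = os.path.normpath(m.name)
        if os.path.isabs(m.name) or not _inside(dest, m.name):
            unsafe[m.name] = "path escapes destination"
        elif any(name == link or name.startswith(link + "/") for link in bad_links):
            # Had the link been created, this entry would be written through it.
            unsafe[m.name] = "path goes through a rejected link"
        elif m.issym() and not _inside(
                dest, os.path.join(os.path.dirname(name), m.linkname)):
            unsafe[m.name] = "symlink target escapes destination"
            bad_links.append(name)
        else:
            safe.append(m)
    return safe, unsafe

def build_sample_archive():
    """Constructed update archive: one legitimate file plus four hostile entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data=b"", linkname=None):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            if linkname:
                info.type, info.linkname = tarfile.SYMTYPE, linkname
            tar.addfile(info, io.BytesIO(data))
        add("usr/bin/tool", b"#!/bin/sh\n")
        add("../../etc/rc.local", b"evil")        # dot-dot traversal
        add("/etc/passwd", b"evil")               # absolute path
        add("lib", linkname="/usr/lib")           # symlink pointing out of tree
        add("lib/libc.so", b"evil")               # would be written through the link
    return buf.getvalue()

def vet_sample(dest="/var/db/update"):
    with tarfile.open(fileobj=io.BytesIO(build_sample_archive())) as tar:
        safe, unsafe = vet_members(tar, dest)
    return [m.name for m in safe], unsafe
```

Only the members returned as safe should be handed to the extraction step; the rejected names and reasons are what an update tool would log.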

~~~
Jasper_
> (which generally purports to be "better engineered" than Linux, where sane
> behaviour for distributing binaries is a long-solved problem).

Assuming your "sane behavior" is referencing .deb and .rpm files, both of
those let you run arbitrary, attacker-provided shell scripts as root whenever
you install, upgrade, or even uninstall a package.

~~~
rodgerd
But have mechanisms to assure they aren't tampered with in-flight.

