Post AOMJN0dpGoRYYNZe5I by ParadeGrotesque@mastodon.sdf.org
(DIR) Post #AOAWtsDcZXset8MAam by ParadeGrotesque@mastodon.sdf.org
2022-10-02T21:08:56Z
0 likes, 1 repeats
Suddenly, a wild #NetBSD security advisory appears!
NetBSD-SA2022-002 Coredump credential reference count leak
https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2022-002.txt.asc
From what I understand NetBSD 9.3 is not affected - can anyone confirm that? 🚩
(DIR) Post #AOAXeFBvUbndSQfubI by ParadeGrotesque@mastodon.sdf.org
2022-10-02T21:17:18Z
0 likes, 0 repeats
I am both impressed and scared by the fact this is only the 2nd #NetBSD security advisory of the year.
And my understanding is, it's pretty trivial to work around.
On the other hand, does that mean security is great, or that no one can be bothered to test it? 🤔
(DIR) Post #AOAYnq162viGEIkRVY by fedops@fosstodon.org
2022-10-02T21:30:14Z
0 likes, 0 repeats
@ParadeGrotesque fair question. That seems somewhat low.
(DIR) Post #AODMoX39QyR9id9ZfU by Haydar@social.tchncs.de
2022-10-04T06:00:01Z
0 likes, 0 repeats
@ParadeGrotesque https://www.csoonline.com/article/3250653/is-the-bsd-os-dying-some-security-researchers-think-so.html
Quote: "NetBSD the "clear loser" in terms of code quality"
(DIR) Post #AODonUiZjV5uLIPuvQ by ParadeGrotesque@mastodon.sdf.org
2022-10-04T11:13:37Z
0 likes, 0 repeats
@Haydar The *actual* presentation is much more nuanced, and the researcher even said something very true: "The NetBSD team corrected all the bugs in something like 24 hours, which is insanely fast, and if you think you can do better, it proves you have no idea how to program an operating system".
I paraphrase, but you get my drift.
NetBSD is a lot more secure than people give it credit for. And it has people like m00nbsd working on its security.
(DIR) Post #AOE8piMvwqWyLId8yG by Haydar@social.tchncs.de
2022-10-04T14:58:06Z
0 likes, 0 repeats
@ParadeGrotesque Yes, they corrected the bugs. No, they didn't correct them in the stable release:
"On the other hand, those patches have yet to be shipped to users six months later. "Unless you run your own builds from recently checked-out code, your NetBSD machine is still vulnerable.""
(DIR) Post #AOGfE4yW9BBo6kNcSu by ParadeGrotesque@mastodon.sdf.org
2022-10-05T20:10:30Z
0 likes, 0 repeats
And suddenly, not one but TWO new #netbsd security advisories appear! 🚩
NetBSD-SA2022-004 procfs(5) missing permission checks
https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2022-004.txt.asc
NetBSD-SA2022-003 Race condition in mail.local(8)
https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2022-003.txt.asc
(DIR) Post #AOICRbpqmBLDQqLSd6 by netbsd@mastodon.sdf.org
2022-10-06T13:57:24Z
0 likes, 0 repeats
@ParadeGrotesque Back in the day, to call something a security vulnerability, you needed a provable remote hole.
It's technically possible that someone is using, for example, "make" to process untrusted input from the network. Maybe as root. And maybe with single exploit mitigation turned off.
Of course that would be stupid.
[... cont]
(DIR) Post #AOKqwdzHslkCtFIAkq by ParadeGrotesque@mastodon.sdf.org
2022-10-07T20:40:38Z
0 likes, 1 repeats
OK, here are things I like and don't like...
- Slackware: detailed security advisory, easy update (slackpkg update ; slackpkg upgrade-all). Easy to check: "ls -lrt /var/log/packages/ | tail"
- OpenBSD: very terse security advisory (a couple of lines top - that's too terse for my taste), easy update (syspatch). Easy check (syspatch -l).
- NetBSD: detailed security update but complex update. No easy way to check if update has been correctly applied.
(DIR) Post #AOKrjr4m0Zz1fmK8OG by ParadeGrotesque@mastodon.sdf.org
2022-10-07T20:49:32Z
0 likes, 1 repeats
Case in point: NetBSD-SA2022-003 Race condition in mail.local(8).
I picked this one because it seemed simple and not very high-stakes.
The instructions in the advisory are incorrect. I could not download the update following the instructions in the advisory.
Poking around the local #netbsd mirror, I was able to download the latest version of "base.tar.xz", while the advisory talks about "base.tgz". And that copy of the base package is not in the path mentioned in the advisory.
(DIR) Post #AOKsUKMRSYxLorkQPg by ParadeGrotesque@mastodon.sdf.org
2022-10-07T20:57:56Z
0 likes, 0 repeats
Extracting "mail.local" from that archive, I find myself with two identical versions of "mail.local":
# ls -srthF /usr/libexec/mail.local*
20K /usr/libexec/mail.local* 20K /usr/libexec/mail.local.ORIG
(.ORIG file is, of course, the original mail.local)
# diff -d -s /usr/libexec/mail.local /usr/libexec/mail.local.ORIG
Files /usr/libexec/mail.local and /usr/libexec/mail.local.ORIG are identical
So, now, I am confused. Did I download the wrong package? Was #NetBSD 9.3 not affected?
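The check above (extract the binary from the downloaded set, compare it byte for byte with what is installed) is the only way the thread offers to tell whether an update would change anything. The script below, added here as an example and not code from the thread or from the NetBSD project, generalises it to a list of files: it pulls each path out of a set tarball and compares it against the live root with cmp(1). The directory tree and the "base.tar" it builds are constructed for the demo; real sets are .tgz or .tar.xz members stored with a "./" prefix, which is why the function tries both member spellings.

```shell
#!/bin/sh
# Added example (not from the thread): compare installed files with the copies
# inside a downloaded set tarball, so an admin can see whether the set actually
# changes anything before unpacking it over the live system.

# check_set_against_root SET_TARBALL ROOT FILE...
#   FILE is an absolute path as installed (e.g. /usr/libexec/mail.local).
#   Prints one line per file: "same", "differs" or "missing" (not in the set).
#   Exit status 0 when at least one file differs (an update is pending),
#   1 when everything matches, 2 on setup errors.
check_set_against_root() {
    set_tar=$1; root=$2; shift 2
    tmp=$(mktemp -d) || return 2
    changed=0
    for f in "$@"; do
        rel=${f#/}
        # Extract only that member; NetBSD sets store paths as ./usr/..., other
        # archives as usr/..., so try both. tar exits non-zero if it is absent.
        if ! tar -xf "$set_tar" -C "$tmp" "./$rel" 2>/dev/null && \
           ! tar -xf "$set_tar" -C "$tmp" "$rel" 2>/dev/null; then
            echo "missing $f"
            continue
        fi
        if cmp -s "$tmp/$rel" "$root/$rel"; then
            echo "same $f"
        else
            echo "differs $f"
            changed=1
        fi
    done
    rm -rf "$tmp"
    [ "$changed" -eq 1 ]
}

# build_demo: constructed root and set for the demo (hypothetical contents).
# mail.local is identical in both, sshd differs, su is absent from the set.
build_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/root/usr/libexec" "$d/root/usr/sbin" "$d/root/usr/bin" \
             "$d/stage/usr/libexec" "$d/stage/usr/sbin"
    printf 'mail.local v1\n' > "$d/root/usr/libexec/mail.local"
    printf 'mail.local v1\n' > "$d/stage/usr/libexec/mail.local"   # unchanged in the set
    printf 'sshd v1\n' > "$d/root/usr/sbin/sshd"
    printf 'sshd v2\n' > "$d/stage/usr/sbin/sshd"                  # changed in the set
    printf 'su v1\n' > "$d/root/usr/bin/su"                        # not shipped in the set
    tar -cf "$d/base.tar" -C "$d/stage" .
    echo "$d"
}

# Demo run on the constructed tree.
demo=$(build_demo)
if check_set_against_root "$demo/base.tar" "$demo/root" \
        /usr/libexec/mail.local /usr/sbin/sshd /usr/bin/su; then
    echo "update pending: at least one installed file differs from the set"
else
    echo "nothing to apply: the set matches what is installed"
fi
```

On a real system you would point it at the downloaded set and the files named in the advisory; "same" for every listed file means the set carries no fix for them, which is exactly the situation the post describes.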
(DIR) Post #AOKtIfNlZpSXUlN3HU by ParadeGrotesque@mastodon.sdf.org
2022-10-07T21:07:01Z
0 likes, 0 repeats
And, again, this is a low-stake, low risk, simple update: mail.local bad, don't use it.
But the fact remains that a relatively simple advisory being unclear and easy to mess up does not inspire confidence.
Compare and contrast with the latest #Slackware advisory ( dhcp - SSA:2022-278-01), which I performed a few minutes ago:
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2022&m=slackware-security.485501
(DIR) Post #AOKuOQvMLRUWLUOhO4 by ParadeGrotesque@mastodon.sdf.org
2022-10-07T21:19:18Z
0 likes, 0 repeats
On #Slackware the update process is 2 commands (see my previous messages) and checking the update has been applied is just this:
# ls -lrt /var/log/packages/ | tail -1
-rw-r--r-- 1 root root 1868 Oct 7 23:05 dhcp-4.4.3_P1-x86_64-1_slack15.0
Yup, dhcp has been updated on Oct. 7th. No fuss, no muss.
Don't get me wrong: Slackware updates are far from perfect.
It still uses HTTP (no 'S'), relies on md5, no GPG sigs, etc... etc... But it is rock-solid and easy to understand.
(DIR) Post #AOKunufisdn9qXEWNE by ParadeGrotesque@mastodon.sdf.org
2022-10-07T21:23:54Z
0 likes, 0 repeats
On #Slackware the update process is 2 commands (see my previous messages) and checking the update has been applied is just this:
# ls -lrt /var/log/packages/ | tail -1
-rw-r--r-- 1 root root 1868 Oct 7 23:05 dhcp-4.4.3_P1-x86_64-1_slack15.0
Yup, dhcp has been updated on Oct. 7th. No fuss, no muss.
Don't get me wrong: the Slackware update process is far from perfect.
It still uses HTTP (no 'S'), relies on md5, no GPG sigs, etc... etc... But it is rock-solid and easy to understand.
(DIR) Post #AOL0n08bfkFkEYgx4C by netbsd@mastodon.sdf.org
2022-10-07T22:30:56Z
0 likes, 0 repeats
@ParadeGrotesque We don't offer mirrors of the daily snapshots, they're only available from https://nycdn.netbsd.org/pub/NetBSD-daily/netbsd-9/latest/ - maybe that's where you ran into the problem?
(DIR) Post #AOL12vXYX9fUbkxJU8 by ParadeGrotesque@mastodon.sdf.org
2022-10-07T22:33:49Z
0 likes, 0 repeats
@netbsd That explains a lot, yes.
Let me retry with that.
(DIR) Post #AOL3S5tdMoKPsIPWqG by ParadeGrotesque@mastodon.sdf.org
2022-10-07T23:00:47Z
0 likes, 0 repeats
@netbsd ... Except I still get an identical "mail.local" even after downloading base.tar.xz from:
https://nycdn.netbsd.org/pub/NetBSD-daily/netbsd-9/202210060200Z/amd64/binary/sets/
I am still confused... 🤷♂️
(DIR) Post #AOL8K1P4geypOW5SCG by chance@mastodon.sdf.org
2022-10-07T23:55:22Z
0 likes, 1 repeats
@ParadeGrotesque I've tinkered with NetBSD from time to time, and always got stuck on updates.
Those base tarballs are never updated with security updates as far as I'm aware.
They are only updated during the quarterly package updates.
So you're pretty much left with a system that updates every quarter, regardless.
I think the package documentation that has you updating your local CVS copy of the pkgsrc tree or downloading those tarballs came from an optimistic time.
(DIR) Post #AOM2D4In6exln4PQCO by fedops@fosstodon.org
2022-10-08T10:06:14Z
0 likes, 0 repeats
@chance @ParadeGrotesque package managers sure are nice.
(DIR) Post #AOM2D52ANxG83ndevQ by ParadeGrotesque@mastodon.sdf.org
2022-10-08T10:21:34Z
0 likes, 0 repeats
@fedops @chance Not just package managers, but detailed information and clear instructions.
The best tool is useless if it's undocumented and complex to use.
(DIR) Post #AOM2d0Av4a70WJ5qAy by fedops@fosstodon.org
2022-10-08T10:26:00Z
0 likes, 0 repeats
@ParadeGrotesque absolutely.
In the case of package managers though I'd expect the most useful operations to be somewhat intuitive. For example every one I'm familiar with allows you to upgrade all packages in your system, or select only security updates with a minimum of fuss and as few possibilities of mistakes as possible.
Also there absolutely has to be an inventory function to show the upgrade status of the system.
@chance
(DIR) Post #AOM3kbqFWm4NK2cHAW by netbsd@mastodon.sdf.org
2022-10-08T10:38:50Z
0 likes, 0 repeats
@ParadeGrotesque I've talked to someone on the security team and supposedly the most recent security advisories were written before 9.3 was published - hence, it is not affected and the binaries in 9.3 and netbsd-9 are identical. Talking to them now about making this more obvious in the text.
(DIR) Post #AOMJN0dpGoRYYNZe5I by ParadeGrotesque@mastodon.sdf.org
2022-10-08T13:33:51Z
0 likes, 0 repeats
@netbsd Thanks, I really appreciate that.
This is where it gets confusing: I did note the alert was about something fixed previously - but it was not clear if 9.3 was still affected or not.
Also, I did not know about "sysupgrade", which raises other questions:
- why is it not installed by default?
- if not by default, at least as an option in the NetBSD installer?
- regardless of installation, why is it not mentioned in the advisory?
Sorry for being a pain, I appreciate all the hard work!
(DIR) Post #AOMNzw4UaugdUTrcsi by ParadeGrotesque@mastodon.sdf.org
2022-10-08T14:25:42Z
0 likes, 0 repeats
@netbsd Replying to myself... "sysupgrade" does not work on my #netbsd 9.3 VM.
And here is the interesting thing - it fails because there is a redirection:
Requesting https://nycdn.netbsd.org/pub/NetBSD-daily/netbsd-9/latest/amd64/binary/sets/base.tar.xz
Redirected to /pub/NetBSD-daily/netbsd-9/202210060200Z/amd64/binary/sets/base.tar.xz
ftp: Can't lookup `/pub/NetBSD-daily/netbsd-9/202210060200Z/amd64/binary/sets/base.tar.xz:ftp': No address associated with hostname
Using curl works (with the proper URL!!) and fetches the new "base.tar.xz".
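The failure in the post is a client treating a path-only Location header as a hostname: the server answered with "/pub/NetBSD-daily/netbsd-9/202210060200Z/..." and ftp(1) tried to resolve that string as a host. The function below, added here as an example and not code from the thread or from NetBSD's ftp(1) or sysupgrade, shows the resolution a client has to do: a Location that is a full URL is used as-is, a scheme-relative one ("//host/path") borrows the request's scheme, a path-absolute one borrows scheme and host, and a bare relative path replaces the last segment of the request path. The first test case uses the two URLs from the post; the others use example.invalid hosts constructed for the demo. Dot-segments ("./", "../") in relative references are not normalised here.

```shell
#!/bin/sh
# Added example (not from the thread): resolve an HTTP Location header against
# the URL that was requested, as a client following a redirect must do.
# Assumes the request URL has at least one path segment after the host.

# resolve_location REQUEST_URL LOCATION  -> prints the absolute target URL
resolve_location() {
    req=$1; loc=$2
    case $loc in
        //*)
            # Scheme-relative: keep only the scheme of the request.
            echo "${req%%://*}:$loc" ;;
        /*)
            # Path-absolute (the case from the post): keep scheme://host[:port].
            scheme=${req%%://*}
            rest=${req#*://}
            host=${rest%%/*}
            echo "$scheme://$host$loc" ;;
        *://*)
            # Already an absolute URL.
            echo "$loc" ;;
        *)
            # Relative path: replace the last segment of the request path.
            echo "${req%/*}/$loc" ;;
    esac
}

# Demo with the redirect from the post.
resolve_location \
    'https://nycdn.netbsd.org/pub/NetBSD-daily/netbsd-9/latest/amd64/binary/sets/base.tar.xz' \
    '/pub/NetBSD-daily/netbsd-9/202210060200Z/amd64/binary/sets/base.tar.xz'
```

Run against the post's URLs it prints the full https://nycdn.netbsd.org/... target, which is the "proper URL" the post ends up giving curl by hand; a fetcher that skips this step and hands the raw Location to the resolver produces exactly the "No address associated with hostname" error shown.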