freebsd-update and portsnap users still at risk of compromise
RW
rwmaillists at googlemail.com
Wed Aug 10 13:34:10 UTC 2016
On Fri, 29 Jul 2016 03:49:39 +0000
Martin Schroeder wrote:
> I've been analyzing the document extensively since then. The targets
> are as follows:
>
> [1] portsnap via portsnap vulnerabilities
> [2] portsnap via libarchive & tar anti-sandboxing vulnerabilities
> [3] portsnap via bspatch vulnerabilities
I only had a quick look so I might have missed something - am I right
in thinking that all the portsnap attacks rely on an attacker
substituting the initial tarball?
If so then then fixing this doesn't really effect existing users in the
short term. Either you're already compromised, or your snapshot will
remain secure until you manually delete it.
More information about the freebsd-security
mailing list