Security leak: Public disclosure of user data without their consent by installing software via pkg

Gordon Tetlow gordon at tetlows.org
Tue Apr 6 14:56:24 UTC 2021


On Apr 6, 2021, at 7:42 AM, Shawn Webb <shawn.webb at hardenedbsd.org> wrote:
> 
> On Tue, Apr 06, 2021 at 04:39:40PM +0200, Miroslav Lachman wrote:
>> On 06/04/2021 16:27, Shawn Webb wrote:
>> 
>>> 1. BSDStats isn't run/maintained by the FreeBSD project. File the
>>>    report with the BSDStats project, not FreeBSD.
>>> 2. You install a package that is made to submit statistical data.
>>> 3. You're upset that it submits statistical data?
>> 
>> The problem here is that it collects and sends data right at the install
>> time. It is really unexpected to run installed package without user consent.
>> If you install Apache, MySQL or any other package the command / daemon is not
>> run by the "pkg install" command.
>> This must be avoided.
> 
> It's probably easier to submit a patch than it is to write a
> lolwut-type email. All you gotta do is rm the post-install script.
> Also `pkg install` has the -I option. But whatever, let the lolwut
> mentality prevail!

I had a conversation on the side with the requestor. In short, there is already a patch to address this issue in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152. Not sure why it hasn't been committed yet, but hopefully it gets picked up shortly.

Gordon
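The thread's practical advice is to look at what a package will execute at install time and, if you do not want that, install it with `pkg install -I` so its install hooks are skipped. The script below is an added example of that workflow; it is not from the thread, from the pkg tool, or from the BSDStats project. It assumes that `pkg fetch -o DIR` places the downloaded archive somewhere under DIR, that `pkg info -R -F FILE` dumps a package file's raw manifest (including its "scripts" section), and that `-I` on `pkg install` disables install scripts. The sample manifest in the block is constructed for the demonstration and is not the real bsdstats package manifest.

```shell
#!/bin/sh
# Added example: inspect a package's install-time hooks before installing
# it, then install without running them. Not code from the thread, from
# pkg(8), or from BSDStats. Assumptions are marked below.

# Pure text filter: read a raw package manifest on stdin and print the
# names of install-time hooks it declares (pre/post-install, pre/post-
# upgrade), one per line and deduplicated; prints nothing when there are
# none. Tolerant of "key:" and "key =" spellings and optional quotes.
list_install_scripts() {
    grep -E '^[[:space:]]*"?(pre|post)-(install|upgrade)"?[[:space:]]*[:=]' \
        | sed -E 's/^[[:space:]]*"?((pre|post)-(install|upgrade))"?.*/\1/' \
        | sort -u
}

# Inspect a package from the configured repository without installing it.
# Assumptions: `pkg fetch -o DIR` writes the archive under DIR (the exact
# subdirectory is not assumed; we search for it), and `pkg info -R -F FILE`
# prints the raw manifest of a package file.
# Usage: inspect_pkg_scripts bsdstats
inspect_pkg_scripts() {
    pkgname=$1
    tmpdir=$(mktemp -d) || return 1
    if ! pkg fetch -y -o "$tmpdir" "$pkgname" >/dev/null; then
        rm -rf "$tmpdir"
        return 1
    fi
    archive=$(find "$tmpdir" -type f \
        \( -name "${pkgname}-*.pkg" -o -name "${pkgname}-*.txz" \) | head -n 1)
    if [ -z "$archive" ]; then
        rm -rf "$tmpdir"
        return 1
    fi
    pkg info -R -F "$archive" | list_install_scripts
    rm -rf "$tmpdir"
}

# Install with install hooks disabled (-I is the option the thread names):
# the package's files land on disk, but nothing in it executes as part of
# `pkg install`.
install_without_scripts() {
    pkg install -y -I "$1"
}

# Constructed sample manifest (NOT the real bsdstats manifest): one
# install-time hook and one deinstall hook, so the filter has something
# to keep and something to ignore.
SAMPLE_MANIFEST='name: "example-stats"
version: "1.0"
scripts: {
    post-install: "#!/bin/sh\n/usr/local/bin/example-stats-submit"
    pre-deinstall: "#!/bin/sh\ntrue"
}'

# Run the filter over the constructed manifest; prints "post-install".
demo_constructed() {
    printf '%s\n' "$SAMPLE_MANIFEST" | list_install_scripts
}

demo_constructed
```

`-I` only suppresses the hooks that `pkg install` itself would run. If a package also ships an rc.d script, a periodic or cron entry, or a login hook, those still exist on disk after installation and will run once enabled, so check the manifest's file list as well as its scripts before deciding the package is inert.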