DaemonForums  

Go Back   DaemonForums > NetBSD > NetBSD Security

NetBSD Security Securing NetBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 4th March 2011
c_moriarty c_moriarty is offline
Port Guard
 
Join Date: Mar 2011
Posts: 10
Default NetBSD being a secure OS, yet having a large list of vulnerabilities in its software.

I know that in the NetBSD Guide, it says that NetBSD is a secure operating system, and I've never read anywhere on the internet that it isn't...
But with a huge list of vulnerabilites in its software and nothing being done (at least quickly) to patch them, how secure could it possibly be?
This is what I get when I run pkg_admin audit or audit-packages:
Code:
Package python26-2.6.6nb6 has a sensitive-information-exposure vulnerability, see http://secunia.com/advisories/43463/
Package pango-1.28.3 has a denial-of-service vulnerability, see http://secunia.com/advisories/42934/
Package evince-2.30.3nb5 has a buffer-overflow vulnerability, see https://bugzilla.gnome.org/show_bug.cgi?id=640923
Package samba-3.0.37nb5 has a security-bypass vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0787
Package samba-3.0.37nb5 has a sensitive-information-exposure vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0926
Package samba-3.0.37nb5 has a security-bypass vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0728
Package automake14-1.4.6 has a insecure-file-permissions vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4029
Package rpm-2.5.4nb6 has a privilege-escalation vulnerability, see http://secunia.com/advisories/40028/
Package suse_base-10.0nb5 has a privilege-escalation vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3856
Package suse_freetype2-10.0nb5 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0946
Package suse_freetype2-10.0nb5 has a buffer-overflow vulnerability, see http://secunia.com/advisories/41738/
Package suse_freetype2-10.0nb5 has a arbitrary-code-execution vulnerability, see http://secunia.com/advisories/41958/
Package suse_libpng-10.0nb4 has a information-disclosure vulnerability, see http://secunia.com/advisories/35346/
Package suse_libpng-10.0nb4 has a unknown-impact vulnerability, see http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
Package suse_libpng-10.0nb4 has a remote-system-access vulnerability, see http://secunia.com/advisories/40302/
Package suse_libtiff-10.0nb4 has a denial-of-service vulnerability, see http://secunia.com/advisories/40422/
Package suse_gtk2-10.0nb4 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1194
Package suse_openssl-10.0nb5 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0590
Package suse_openssl-10.0nb5 has a signature-spoofing vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0591
Package suse_openssl-10.0nb5 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0789
Package suse_openssl-10.0nb5 has a remote-denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1377
Package suse_openssl-10.0nb5 has a remote-denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1378
Package suse_openssl-10.0nb5 has a remote-denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1379
Package suse_openssl-10.0nb5 has a signature-spoofing vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
Package suse_openssl-10.0nb5 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1386
Package suse_openssl-10.0nb5 has a session-hijack vulnerability, see http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00009.html
Package suse_openssl-10.0nb5 has a man-in-the-middle-attack vulnerability, see http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00000.html
Package suse_openssl-10.0nb5 has a unknown-impact vulnerability, see http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
Package suse_openssl-10.0nb5 has a remote-system-access vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2939
Package suse_openssl-10.0nb5 has a remote-system-access vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3864
Package suse_openssl-10.0nb5 has a remote-security-bypass vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180
Package ns-flash-9.0.289 has a remote-system-access vulnerability, see http://www.adobe.com/support/security/bulletins/apsb10-14.html
Package ns-flash-9.0.289 has a remote-system-access vulnerability, see http://www.adobe.com/support/security/bulletins/apsb10-16.html
Package ns-flash-9.0.289 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2884
Package ns-flash-9.0.289 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3654
Package ns-flash-9.0.289 has a multiple-vulnerabilities vulnerability, see http://www.adobe.com/support/security/bulletins/apsb11-02.html
Package gimp-2.6.11nb2 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4540
Package gimp-2.6.11nb2 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4541
Package gimp-2.6.11nb2 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4542
Package gimp-2.6.11nb2 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4543
Package qt4-libs-4.7.1nb1 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0046
Package qt4-libs-4.7.1nb1 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0049
Package qt4-libs-4.7.1nb1 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0050
Package qt4-libs-4.7.1nb1 has a sensitive-information-exposure vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0051
Package qt4-libs-4.7.1nb1 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0052
Package qt4-libs-4.7.1nb1 has a arbitrary-code-execution vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0054
Package qt4-libs-4.7.1nb1 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2621
Package qt4-libs-4.7.1nb1 has a denial-of-service vulnerability, see http://secunia.com/advisories/40588/
Package ffmpeg-20090611nb8 has a multiple-vulnerabilities vulnerability, see http://secunia.com/advisories/36805/
Package ffmpeg-20090611nb8 has a remote-system-access vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3429
Package ffmpeg-20090611nb8 has a denial-of-service vulnerability, see http://secunia.com/advisories/43197/
Package vlc-1.0.6nb5 has a denial-of-service vulnerability, see http://www.videolan.org/security/sa1007.html
Package vlc-1.0.6nb5 has a remote-system-access vulnerability, see http://www.videolan.org/security/sa1102.html
Reply With Quote
  #2   (View Single Post)  
Old 4th March 2011
c_moriarty c_moriarty is offline
Port Guard
 
Join Date: Mar 2011
Posts: 10
Default

Reply With Quote
  #3   (View Single Post)  
Old 4th March 2011
c_moriarty c_moriarty is offline
Port Guard
 
Join Date: Mar 2011
Posts: 10
Default

Practically any package that you install has a list of vulnerabilities in it, so it's either vulnerable or you can't install it.
I've also run:
Code:
cd /usr/pkgsrc
cvs update -dP
and it's been a few days now and not one problem has been fixed. Python was updated, but both the last version and the newest version have vulnerabilities.

Last edited by c_moriarty; 4th March 2011 at 02:32 AM.
Reply With Quote
  #4   (View Single Post)  
Old 4th March 2011
Oko's Avatar
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102
Default

All that software with vulnerabilities has nothing to do with NetBSD. NetBSD is fairly secure OS probably second only to OpenBSD. Third party software that you installed is neither written nor maintained by NetBSD team. Please de-install that third party crap and you will have perfectly secure system again.
Reply With Quote
  #5   (View Single Post)  
Old 4th March 2011
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by c_moriarty View Post
But with a huge list of vulnerabilites in its software and nothing being done (at least quickly) to patch them, how secure could it possibly be?
The flaw in your argument is expecting third-party applications (on any platform) to have been sanitized, cleaned up, & sterilized to the point where no bugs exist. There isn't enough manpower in any Open Source project to make this kind of guarantee. Plus, if one project cleaned up all the vulnerabilities, flaws, & other imperfections found in a software package commonly used across multiple platforms, that sanitized version may not resemble the same package on a different platform.

As an example, look at Firefox -- a commonly used browser which is not terribly secure or well implemented. When I use this application on multiple platforms, I expect it to work reasonably the same. Yes, it would nice if the Open Source projects could figure out all of its ills, & while some bugs probably get reported back to the Mozilla project, OS project developers don't have enough personnel to painstakingly analyze each & every third-party application they host. It simply isn't feasible.

What operating system projects can strive for is to implement a platform where errant applications can't take down the remainder of the system. Hopefully, the programming interfaces exposed to applications is consistent, simple, & works as advertised.

So, when projects state how secure they are, they are referencing the base system which is under the total jurisdiction of the project developers themselves. Good as some projects may be, they have limited resources to dedicate to third-party applications.
Reply With Quote
  #6   (View Single Post)  
Old 4th March 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

The following from OpenBSD says it all and is also applicable to NetBSD:

Quote:
The packages and ports collection does NOT go through the same thorough security audit that is performed on the OpenBSD base system. Although we strive to keep the quality of the packages collection high, we just do not have enough human resources to ensure the same level of robustness and security.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #7   (View Single Post)  
Old 5th March 2011
roarde's Avatar
roarde roarde is offline
Real Name: Robert
New User
 
Join Date: Dec 2010
Location: Georgia, US
Posts: 7
Default

Net(etc)BSD is right to have non-installation of vulnerable packages as the default. This can be overridden on a per-package basis, or generally. The information to evaluate the risk to a given system is there.

It's possible, and probably not too hard, to script automatic acceptance of packages with certain vulnerabilities and not others. If someone would set it up and make it available on a separate basis that'd be great. But it shouldn't be part of a BSD or its packages or ports system; just "well known" among the community.

As for blocking many of the potential attacks at a system interface level, I suppose it's possible for much of this; but that would be even more annoying, hard to implement and maintain, and less transparent. Often the reason for a particular application's problems would be in this layer, but near-impossible to find.
Reply With Quote
  #8   (View Single Post)  
Old 5th March 2011
rocket357's Avatar
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

Microsoft has 10,000 developers working on the next version of Windows, and even though Vista/7 have been a pretty good improvement on Windows security, you need not look any further than your favorite security site to see that even an army of developers cannot possibly write a perfectly secure OS (not that Microsoft is trying for security as a first priority, though).

The OpenBSD team, on the other hand, has 100-150 or so developers and they DO focus on security and code correctness, and yet they still cannot guarantee third party apps will be secure.
Reply With Quote
  #9   (View Single Post)  
Old 5th March 2011
qmemo's Avatar
qmemo qmemo is offline
Real Name: He
Package Pilot
 
Join Date: Jul 2008
Location: The big B
Posts: 141
Default

@rocket357

That was deep, that was deep :P
Reply With Quote
Old 5th March 2011
rocket357's Avatar
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

Quote:
Originally Posted by qmemo View Post
@rocket357

That was deep, that was deep :P
I can't tell if you're being sarcastic or not haha....my sarcasm meter just segfaulted.
Reply With Quote
Old 5th March 2011
TerryP's Avatar
TerryP TerryP is offline
Arp Constable
 
Join Date: May 2008
Location: USofA
Posts: 1,547
Default

Quote:
Originally Posted by rocket357 View Post
Microsoft has 10,000 developers working on the next version of Windows
And that's why it will take approximately 469,382,512 thousand years for Windows 9 to released with a version number of 7.0.


Sorry, just had to chime that one in.
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
Reply With Quote
Old 5th March 2011
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Default

The security of the applications people run on your operating system is not an indication of the overall security of the platform.

However, many techniques are in place on several OS's to help mitigate some well known attack vectors.. like buffer overflow protection and memory space protection.

The point is that the base OS is secure, what you choose to run atop of that is your responsibility to maintain.. even if at the end of the day that means you need to go beyond the realm of supported and apply a few patches and build things yourself.
Reply With Quote
Old 5th March 2011
qmemo's Avatar
qmemo qmemo is offline
Real Name: He
Package Pilot
 
Join Date: Jul 2008
Location: The big B
Posts: 141
Default

@rocket357
in other words, if you meant I made fun of your comment, the answer is NO!
Reply With Quote
Old 5th March 2011
rocket357's Avatar
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

Quote:
Originally Posted by qmemo View Post
@rocket357
in other words, if you meant I made fun of your comment, the answer is NO!
Cool. Thanks for clarifying =)

Quote:
Originally Posted by TerryP View Post
And that's why it will take approximately 469,382,512 thousand years for Windows 9 to released with a version number of 7.0.


Sorry, just had to chime that one in.
Indeed. I really wonder how long the next major overhaul is going to take...

How's the saying go? Adding manpower to an already late project...?
Reply With Quote
Old 5th March 2011
TerryP's Avatar
TerryP TerryP is offline
Arp Constable
 
Join Date: May 2008
Location: USofA
Posts: 1,547
Default

I really can't fathom trying to bring a product to ship with a large number of sous chefs in the kitchen. Much less a secure one.
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
Reply With Quote
Old 6th March 2011
Mr-Biscuit Mr-Biscuit is offline
Banned
 
Join Date: May 2008
Posts: 272
Default

Microsoft is driven by money, Open Source projects are driven by personal goals.

Considering how small and loosely knit NetBSD is, the project is still a viable contributor.
Reply With Quote
Old 6th March 2011
c_moriarty c_moriarty is offline
Port Guard
 
Join Date: Mar 2011
Posts: 10
Default

I'm assuming that bugs and security issues would be reacted to more quickly in certain Linux distributions (Fedora, OpenSuse, Ubuntu) than they would be in FreeBSD or NetBSD... Isn't that correct? I'm figuring that the best way to install FreeBSD or NetBSD would be to go for a minimal installation, like Fluxbox and a lightweight browser. It keeps everything tidy and small, and there aren't all the security issues happening from having 500 packages installed. That's not really what I want, since I use *BSD or Linux (for now) as the only operating system I have. Windows bores me to death, but one day when I buy a new computer it'll come with Windows installed, obviously. I like using Windows, but I hate learning about it. I like using Linux/*BSD and I like learning about it. But all the security issues and the slow fixes of them on NetBSD and the very slow compilation and installation time on FreeBSD and NetBSD are really making me use Fedora. I want GNOME and everything and constant security updates and bugfixes. I like the BSD's, but I don't have Windows and I'm only using open source operating systems right now, so I really need Fedora to have everything and not have to wait for updates or live with the security problems when I have 500 packages installed like I do when I use Fedora (which I'm doing now).
Reply With Quote
Old 6th March 2011
c_moriarty c_moriarty is offline
Port Guard
 
Join Date: Mar 2011
Posts: 10
Default

Code:
[c_moriarty@home ~]$ rpm -qa | wc -l
1188
rpm tells me I have 1,188 packages installed using Fedora 14 with Gnome.
Reply With Quote
Old 6th March 2011
rocket357's Avatar
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

Quote:
Originally Posted by c_moriarty View Post
I'm assuming that bugs and security issues would be reacted to more quickly in certain Linux distributions (Fedora, OpenSuse, Ubuntu) than they would be in FreeBSD or NetBSD... Isn't that correct?
Absolutely not...especially at the kernel level. Linus Torvalds himself said (summarization): "security bugs are just bugs...they'll get fixed in line with all the other bugs."

http://www.zdnet.com.au/torvalds-cri...-339290671.htm
Reply With Quote
Old 6th March 2011
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by c_moriarty View Post
I'm assuming that bugs and security issues would be reacted to more quickly in certain Linux distributions (Fedora, OpenSuse, Ubuntu) than they would be in FreeBSD or NetBSD...
I wouldn't (& don't...) accept this premise at face value. I suspect you are attempting to equate commercial ventures with rapid responses. I wouldn't take this as an indisputable fact.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Cannot copy large files to Flash Drive sharris FreeBSD General 6 30th July 2010 09:57 AM
Have problem transfer large file bigger 1GB bsdme2 FreeBSD General 9 14th January 2009 05:49 AM
Large MFS filesystems jggimi Guides 2 26th October 2008 05:17 PM
mirror device detached on large file copy lil_elvis2000 FreeBSD General 24 27th June 2008 02:56 PM
FreeBSD 7.0 Writing large amount to USB Disc cause kernel panic pvree FreeBSD General 1 13th June 2008 02:50 AM


All times are GMT. The time now is 10:16 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick