bumbler
September 16th, 2004, 22:31
I've not found anything that explains what happens when a general security fault is found in a FreeBSD port. Obvious example is Mozilla. Everywhere you look, folks are updating Mozilla to 1.7.3 for their OS due to insecurity in handling graphics. How is that usually handled in FreeBSD?
On another note, say this is updated sometime soon. Would I have to download the whole 30MB of source code, or are patches available? I haven't found any place that offers a diff/patch for Mozilla code.
Bumbler
molotov
September 16th, 2004, 22:39
There will be patches; however, they are not released yet. Part of the problem is the bug isn't in Mozilla, it's in the way Mozilla handles images. Mozilla uses a library to view images, and that's where the hole is, so Mozilla could release a patch, but better would just be to patch the whole system by patching the lib.
In terms of a general security fault, imagine if sshd was found to have a backdoor so if you entered asdf/asdf as the login and pass you'd log in as root. Usually it's something like a 3Meg user name instead of a backdoor, but that's a general security fault. General security faults can usually be avoided by not running unnecessary services, and watching for patches to the services you do run.
It is important to understand that these are two different types of problems. With the Mozilla one you'd have to find a page with a bad image on it, where with the ssh example, all the attacker would need is the IP address of your computer to get root access.
I would highly recommend Jon Erickson's book, The Art of Exploitation. It explains things VERY clearly, and isn't too pricey.
Hope this helps, but feel free to ask any more questions.
elmore
September 17th, 2004, 00:08
If you keep your sources current, patches are made available in the port and applied at compile time. Unfortunately, in order to patch a port you'd have to recompile from source or pkg_delete then pkg_add the newer version via ftp. If there are serious security risks with a port, the FreeBSD team will mark the port as broken and it will not build without altering the Makefile.
bumbler
September 17th, 2004, 09:55
Okay, so it's not Mozilla, per se. In the case of the gdk-pixbuf exploit, announced yesterday (IIRC), I should expect a fix? That's a widely used lib. I have been keeping up with ports tree and system core about weekly during the run up to 5.3-RELEASE.
Bumbler
molotov
September 17th, 2004, 15:51
Yep, there are fixes for some Linux distros already (Debian), expect fixes soon. A good way to find out when fixes are available is to watch Bugtraq to find out first the holes and the fixes from the source.
molotov
September 17th, 2004, 22:01
Check out ports/x11-toolkits/gtk20/files/patch-pixbuf-security
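
A way to confirm that a local ports tree already carries a patch file like the one named above, and to see which source files it touches before rebuilding. This is an added example, not part of the thread: the function names are hypothetical and the sample patch body is constructed, not the real gtk20 patch.

```shell
#!/bin/sh
# Added example. Usage: port_patch_targets PORTSDIR ORIGIN PATCHNAME
# Prints the files a port's patch modifies, one per line.
# Returns 1 if the patch file is absent (tree not updated yet),
# 2 if the file exists but contains no unified-diff file headers.
port_patch_targets() {
    portsdir=$1 origin=$2 patchname=$3
    patchfile="$portsdir/$origin/files/$patchname"
    [ -f "$patchfile" ] || return 1
    # Unified diffs name the patched file on "+++ <path> <timestamp>" lines.
    targets=$(awk '/^\+\+\+ / { print $2 }' "$patchfile" | sort -u)
    [ -n "$targets" ] || return 2
    printf '%s\n' "$targets"
}

# Builds a throwaway ports tree holding a CONSTRUCTED patch, so the check
# can be run without a real tree. File names inside it are made up.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/x11-toolkits/gtk20/files"
    cat > "$root/x11-toolkits/gtk20/files/patch-pixbuf-security" <<'EOF'
--- gdk-pixbuf/io-example-b.c.orig  Thu Sep 16 00:00:00 2004
+++ gdk-pixbuf/io-example-b.c  Thu Sep 16 00:00:00 2004
@@ -1,2 +1,3 @@
 /* constructed sample, not the real patch */
+/* added bounds check would appear here */
 int placeholder_b;
--- gdk-pixbuf/io-example-a.c.orig  Thu Sep 16 00:00:00 2004
+++ gdk-pixbuf/io-example-a.c  Thu Sep 16 00:00:00 2004
@@ -1,2 +1,3 @@
 /* constructed sample, not the real patch */
+/* added bounds check would appear here */
 int placeholder_a;
EOF
    printf '%s\n' "$root"
}

# Demo against the constructed tree; on a real system pass /usr/ports instead.
tree=$(make_sample_tree)
if port_patch_targets "$tree" x11-toolkits/gtk20 patch-pixbuf-security; then
    echo "patch present: rebuild the port to pick it up"
else
    echo "patch not in tree yet: update the ports tree first"
fi
rm -rf "$tree"
```

A return code of 1 means the tree predates the fix, so rebuilding the port would reproduce the unpatched library.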