Correcting SECURITY warning.

Submitted by:	Kris Kennaway
Reviewed by:	Warner Losh
This commit is contained in:
chuckr 2000-01-29 21:44:42 +00:00
parent ed1d6704fb
commit dcf1104bb0
2 changed files with 32 additions and 22 deletions

@ -225,15 +225,12 @@ option.
.Pp
.Sh SECURITY
.Pp
CTM is an
.Bf Em
INSECURE PROTOCOL
.Ef
On its own, CTM is an insecure protocol
- there is no authentication performed that the
changes applied to the source code were sent by a
trusted party, and so care should be taken if the
CTM deltas are obtained via an unauthenticated
medium such as email.
medium such as regular email.
It is a relatively simple matter for an attacker
to forge a CTM delta to replace or precede the
legitimate one and insert malicious code into your
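Review bot: the sentence "It is a relatively simple matter for an attacker to forge a CTM delta ..." is left unqualified even though the section now goes on to describe signed pieces; the new lead-in "On its own, CTM is an insecure protocol" scopes the first sentence, so scope this one the same way, e.g. "Without signature verification, it is a relatively simple matter for an attacker ...". Also, "- there is no authentication performed" puts a bare hyphen at the start of a line as a dash; join the clause to the preceding line or use the roff dash escape so the rendered text does not read as a list item.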
@ -243,12 +240,20 @@ arriving, this will go unnoticed until a later
delta attempts to touch the same file, at which
point the MD5 checksum will fail.
.Pp
A future version of
.Fx
may solve this problem by authenticating CTM
deltas using cryptographic signatures, but in the
mean time it is strongly recommended that you
obtain the CTM deltas via FTP, and not via email.
To remedy this insecurity, CTM pieces generated by
freebsd.org are cryptographically signed in a
format compatible with the GNU Privacy Guard
utility, available in /usr/ports/security/gpg, and
the Pretty Good Privacy v5 utility,
/usr/ports/security/pgp5.
The relevant public key can be obtained by
fingering ctm@freebsd.org.
.Pp
CTM deltas which are thus signed cannot be
undetectably altered by an attacker.
Therefore it is recommended that you make use of
GPG or PGP5 to verify the signatures if you
receive your CTM deltas via email.
.Sh ENVIRONMENT
.Ev TMPDIR,
if set to a pathname, will cause ctm to use that pathname
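Review bot: the closing recommendation "verify the signatures if you receive your CTM deltas via email" narrows verification to one transport, but the preceding paragraph (and the removed text) says that no transport authenticates the deltas, and FTP is no better than email in that respect; recommend verifying regardless of how the deltas are obtained, e.g. "Therefore it is recommended that you make use of GPG or PGP5 to verify the signatures, however you receive your CTM deltas." Separately, "The relevant public key can be obtained by fingering ctm@freebsd.org" hands the reader a key over an unauthenticated channel, so a forged key would defeat the check; the text should tell the reader to confirm the key's fingerprint through a second, trusted path before relying on it.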

@ -365,15 +365,12 @@ to execute
on the (non-FreeBSD) machine that this example was taken from.
.Sh SECURITY
.Pp
CTM is an
.Bf Em
INSECURE PROTOCOL
.Ef
On its own, CTM is an insecure protocol
- there is no authentication performed that the
changes applied to the source code were sent by a
trusted party, and so care should be taken if the
CTM deltas are obtained via an unauthenticated
medium such as email.
medium such as regular email.
It is a relatively simple matter for an attacker
to forge a CTM delta to replace or precede the
legitimate one and insert malicious code into your
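Review bot: `.Pp` on the line directly after `.Sh SECURITY` (unchanged context) is redundant in mdoc, since a section header already begins a new paragraph, and can be dropped while this text is being touched; the same applies to the identical paragraph in the other file, where the SECURITY text is maintained word for word in both places, so any follow-up wording change needs to be made in both.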
@ -383,12 +380,20 @@ arriving, this will go unnoticed until a later
delta attempts to touch the same file, at which
point the MD5 checksum will fail.
.Pp
A future version of
.Fx
may solve this problem by authenticating CTM
deltas using cryptographic signatures, but in the
mean time it is strongly recommended that you
obtain the CTM deltas via FTP, and not via email.
To remedy this insecurity, CTM delta pieces generated by
freebsd.org are cryptographically signed in a
format compatible with the GNU Privacy Guard
utility, available in /usr/ports/security/gpg, and
the Pretty Good Privacy v5 utility,
/usr/ports/security/pgp5.
The relevant public key can be obtained by
fingering ctm@freebsd.org.
.Pp
CTM deltas which are thus signed cannot be
undetectably altered by an attacker.
Therefore it is recommended that you make use of
GPG or PGP5 to verify the signatures if you
receive your CTM deltas via email.
.\" This next request is for sections 1, 6, 7 & 8 only
.Sh ENVIRONMENT
If deltas are to be applied then
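Review bot: "CTM delta pieces generated by freebsd.org" here differs from "CTM pieces generated by freebsd.org" in the other file's otherwise identical paragraph; settle on one term for both. The paragraph also states that the pieces are signed but not how the signature is carried (in the piece itself or as a separate detached file) or what the user runs to check it, so "make use of GPG or PGP5 to verify the signatures" is not actionable as written; a sentence naming the signature form and the verification command would make the recommendation usable.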