dioxmat Bodhisattva
Joined: 04 May 2002 Posts: 709 Location: /home/mat
Posted: Thu Aug 01, 2002 12:24 pm

Doesn't apply to Gentoo.
The OpenBSD FTP server (which is hosted by Sun, on Solaris servers :) was cracked and some packages on it were modified, including OpenSSH, but there might be others.
Since Gentoo doesn't use OpenBSD's FTP, no problem for us :)
Remember, always check the md5sum of files you're downloading :)
_________________
mat

mellofone Apprentice
Joined: 13 Apr 2002 Posts: 286
Posted: Thu Aug 01, 2002 12:32 pm

dioxmat wrote:
> Doesn't apply to Gentoo.
> The OpenBSD FTP server (which is hosted by Sun, on Solaris servers) was cracked and some packages on it were modified, including OpenSSH, but there might be others.
> Since Gentoo doesn't use OpenBSD's FTP, no problem for us.
> Remember, always check the md5sum of files you're downloading.

I wasn't aware where Gentoo originally got the file...

klieber Administrator
Joined: 17 Apr 2002 Posts: 3657 Location: San Francisco, CA
Posted: Thu Aug 01, 2002 12:57 pm

Well, the files on ibiblio have to come from somewhere, don't they? The Gentoo developers must have downloaded the source from another server at some point, though I imagine if the source they were using had the trojan in it, we would have heard about it by now.
For anyone who's especially concerned about this, simply untar the ibiblio source and search for the trojan code (mentioned in the link above). If you do this, please post the results here so others can sleep easier at night, too.
--kurt
_________________
The problem with political jokes is that they get elected

mellofone Apprentice
Joined: 13 Apr 2002 Posts: 286
Posted: Thu Aug 01, 2002 1:03 pm

klieber wrote:
> Well, the files on ibiblio have to come from somewhere, don't they? The Gentoo developers must have downloaded the source from another server at some point, though I imagine if the source they were using had the trojan in it, we would have heard about it by now.
> --kurt

That's what I meant.

dioxmat Bodhisattva
Joined: 04 May 2002 Posts: 709 Location: /home/mat
Posted: Thu Aug 01, 2002 1:17 pm

Well, anyway, I doubt the packages come from ftp.openbsd.org :)
Anyway, I downloaded the file from ibiblio.org.
It doesn't contain the trojan... (anyway, since the trojan lies in openbsd-compat/, Gentoo isn't affected...)
_________________
mat

klieber Administrator
Joined: 17 Apr 2002 Posts: 3657 Location: San Francisco, CA
Posted: Thu Aug 01, 2002 1:27 pm

dioxmat wrote:
> Well, anyway, I doubt the packages come from ftp.openbsd.org

Actually, I'd bet they *did* come from openbsd.org. The main download site for the Linux version of OpenSSH is openbsd.org. The "open" in both names isn't coincidence -- both projects are related. (Theo de Raadt is the lead developer on both, I believe.)

dioxmat wrote:
> Anyway, I downloaded the file from ibiblio.org.
> It doesn't contain the trojan... (anyway, since the trojan lies in openbsd-compat/, Gentoo isn't affected...)

Good to know. Thanks for checking.
--kurt
_________________
The problem with political jokes is that they get elected

klieber Administrator
Joined: 17 Apr 2002 Posts: 3657 Location: San Francisco, CA
Posted: Thu Aug 01, 2002 1:46 pm

Since this is primarily a BSD issue, I'm moving this thread to In Other News.
--kurt
_________________
The problem with political jokes is that they get elected

chrb n00b
Joined: 23 Jun 2002 Posts: 19
Posted: Thu Aug 01, 2002 1:57 pm

It's a shame that emerge requires you to be root to do the compile. It only really needs to be root to merge stuff into the local filesystem, and it would avoid giving a root shell to a trojaned package like this. The actual merge would still be done as root, but it should avoid overwriting files from other packages by default. This would avoid any build trojans getting root, unless you run the built binary as root later, which is unlikely for 99% of packages. The worst you get from trojaned source is an unprivileged shell.

klieber Administrator
Joined: 17 Apr 2002 Posts: 3657 Location: San Francisco, CA
Posted: Thu Aug 01, 2002 2:00 pm

Sounds like a good topic for Gentoo suggestions and/or a feature request on bugs.gentoo.org.
--kurt
_________________
The problem with political jokes is that they get elected

dioxmat Bodhisattva
Joined: 04 May 2002 Posts: 709 Location: /home/mat
Posted: Thu Aug 01, 2002 2:20 pm

I agree about the root issue; someone post it somewhere and come back and tell us please :)
About openbsd.org being the server: I thought this was openssh.com and that the two were separate... maybe they aren't, maybe they are. Oh well :)
The thing is, we should check this package a bit more IMHO. There might be another trojan hidden somewhere...
_________________
mat

abhishek Retired Dev
Joined: 28 Jun 2002 Posts: 393 Location: Los Angeles, CA
Posted: Thu Aug 01, 2002 3:30 pm

dioxmat wrote:
> Doesn't apply to Gentoo.
> The OpenBSD FTP server (which is hosted by Sun, on Solaris servers) was cracked and some packages on it were modified, including OpenSSH, but there might be others.
> Since Gentoo doesn't use OpenBSD's FTP, no problem for us.
> Remember, always check the md5sum of files you're downloading.

Actually, if you're emerging it this shouldn't be a problem, because Portage automatically checks the md5sum.

dioxmat Bodhisattva
Joined: 04 May 2002 Posts: 709 Location: /home/mat
Posted: Thu Aug 01, 2002 3:45 pm

Yes...
However, I wouldn't rely on md5sum checks for security problems, since it can be changed too (it wasn't changed for the OpenBSD package, because the guys who cracked the server are dumb, but that's another story :) ... and, anyway, we don't know if the md5sum came from the server or was calculated by the guys who put it on ibiblio when they put the package on it.
For security problems, we should check the GPG sig if included (can't be fooled, since the GPG sig comes from a developer most of the time :)
_________________
mat
gotak n00b
Joined: 08 Jul 2002 Posts: 17
Posted: Thu Aug 01, 2002 4:14 pm Post subject: There's no point

What difference does it really make to have emerge run as non-root until install anyhow?
In this case a lot, but if the actual program's trojaned you'll still get rooted when the program's actually copied to its final location.
The only situation that I can see would help with emerge not running as root is if emerge itself has a bug exploitable from outside. But again you have to run emerge, so that's not an easy bug to get at.
Finally, the change date on the trojaned tarball is July 31st. So unless Gentoo's copy came in yesterday or later we are fine. And I just checked: we are fine. Or should be anyhow; don't take my word for it.

trythil Tux's lil' helper
Joined: 06 Jun 2002 Posts: 123 Location: RHIT, Terre Haute, IN, USA
Posted: Fri Aug 02, 2002 4:04 am

It makes a big difference. In this case, the trojan was in the OpenSSH configure stage, which is run as root. If this trojan were to activate as an unprivileged user it would be active as just that.
Besides, one security maxim is that you should NEVER do ANYTHING that does NOT require special privileges as a privileged user. Compilation of binaries does not require special privileges; you can easily create a group "portage" (or something) and just cause portage to run as that until final install, when it can request setuid root and do the copying. (Even better would be a system that requested the user to enter the root password before it emerged anything, but that could get tedious.)

dioxmat Bodhisattva
Joined: 04 May 2002 Posts: 709 Location: /home/mat
Posted: Fri Aug 02, 2002 7:58 am

I agree with trythil.
Besides, we could have a portage group that has write access to /usr and such, so that even the install would not require you to be logged in as root...
_________________
mat
