Gentoo Forums
Gentoo github hacked

Naib
Watchman


Joined: 21 May 2004
Posts: 5487
Location: Removed by Neddy

PostPosted: Thu Jun 28, 2018 10:05 pm    Post subject: Gentoo github hacked

https://gentoo.org/news/2018/06/28/Github-gentoo-org-hacked.html

Quote:
Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on github should for the moment be considered compromised.

This does NOT affect any code hosted on the Gentoo infrastructure. Since the master Gentoo ebuild repository is hosted on our own infrastructure and since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org.

Also, the gentoo-mirror repositories including metadata are hosted under a separate Github organization and likely not affected as well.

All Gentoo commits are signed, and you should verify the integrity of the signatures when using git.


Well, I am using git.gentoo.org, so phew :) But shouldn't aspects of the portage tree be synced from different infra? i.e. manifests from one, ebuilds from another
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
ulenrich
Veteran


Joined: 10 Oct 2010
Posts: 1370

PostPosted: Thu Jun 28, 2018 10:20 pm    Post subject: Arrrgh: Gentoo git on github.com hacked

https://www.gentoo.org/ shows:
----
Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on github should for the moment be considered compromised.

This does NOT affect any code hosted on the Gentoo infrastructure.
----
I just had as the first line of every ebuild:
rm /*

So I can see that the aggressor is (hopefully) not any kind of expert on Gentoo systems :)
_________________
fun2gen2
Tony0945
Advocate


Joined: 25 Jul 2006
Posts: 2686
Location: Illinois, USA

PostPosted: Thu Jun 28, 2018 10:21 pm

Thanks! I've commented out my nightly sync from crontab and restarted vixie-cron. Then I used scp to copy the tree from one of the workstation boxes that hasn't been updated since Sunday to the central server, in case it was polluted.

EDIT We're seeing that famed Microsoft security.
ulenrich
Veteran


Joined: 10 Oct 2010
Posts: 1370

PostPosted: Thu Jun 28, 2018 10:31 pm

https://github.com/gentoo-mirror/gentoo
might also be affected: I get an enormous .git directory
I just killed the sync while downloading and deleted ...
Marlo
Veteran


Joined: 26 Jul 2003
Posts: 1385

PostPosted: Thu Jun 28, 2018 10:40 pm

Is this safe or compromised?
Code:

tux ~ # cat /etc/portage/repos.conf/gentoo.conf
[DEFAULT]
main-repo = gentoo

[gentoo]
location = /usr/portage
sync-type = rsync
sync-uri = rsync://rsync.gentoo.org/gentoo-portage
auto-sync = yes
sync-rsync-verify-jobs = 1
sync-rsync-verify-metamanifest = yes
sync-rsync-verify-max-age = 24
sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc
sync-openpgp-key-refresh-retry-count = 40
sync-openpgp-key-refresh-retry-overall-timeout = 1200
sync-openpgp-key-refresh-retry-delay-exp-base = 2
sync-openpgp-key-refresh-retry-delay-max = 60
sync-openpgp-key-refresh-retry-delay-mult = 4

_________________
Thank you for your attention, interest and support.
------------------------------------------------------------------
http://radio.garden/
Naib
Watchman


Joined: 21 May 2004
Posts: 5487
Location: Removed by Neddy

PostPosted: Thu Jun 28, 2018 10:47 pm

That's using rsync, so that should be OK, especially with the additional checks recently added.
Whissi
Developer


Joined: 12 Jan 2011
Posts: 25

PostPosted: Thu Jun 28, 2018 10:51 pm

ulenrich wrote:
https://github.com/gentoo-mirror/gentoo
might also be affected: I get an enormous .git directory
I just killed the sync while downloading and deleted ...
No. Please don't spread false rumors. https://github.com/gentoo-mirror is a separate org account which is not affected.

https://github.com/gentoo-mirror/gentoo is larger because it also contains pre-generated meta data like our rsync mirrors.
_________________
Regards,
Whissi
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 41720
Location: 56N 3W

PostPosted: Thu Jun 28, 2018 10:55 pm

Merged the two topics and stuck the result as there will be a lot of community interest.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
ulenrich
Veteran


Joined: 10 Oct 2010
Posts: 1370

PostPosted: Fri Jun 29, 2018 1:22 am

I am pretty sure github.com/gentoo-mirrors
is also hacked: As soon as I realized the github.com/gentoo git is paralysed
(I tried to enter the website, but only got a response from github via firefox
that the repository user does not exist)

I did try the github.com/gentoo-mirrors organisation, and experienced:

1. That sync worked the first time on github.com/gentoo-mirrors
2. But because of the trouble before, I had removed all of my scripts from /etc/portage/postsync.d,
therefore I now put the scripts back into postsync.d and immediately let another "emerge --sync" follow
... just to let the scripts work after the very soon new sync. Now, I only intended an empty, early sync:
3. emerge --sync on github.com/gentoo-mirrors
got an awful lot of new objects now: about 4 times the normal load
4. Because the huge download didn't stop, I interrupted it and
5. deleted all of the portage tree

Until that time, I had not looked at www.gentoo.org for the news ...
ulenrich
Veteran


Joined: 10 Oct 2010
Posts: 1370

PostPosted: Fri Jun 29, 2018 1:30 am

Whissi wrote:
ulenrich wrote:
https://github.com/gentoo-mirror/gentoo
might also be affected: I get an enormous .git directory
I just killed the sync while downloading and deleted ...
No. Please don't spread false rumors. https://github.com/gentoo-mirror is a separate orga account which is not affected.

https://github.com/gentoo-mirror/gentoo is larger because it also contains pre-generated meta data like our rsync mirrors.


But why my strange experience, as I described above:
The second sync, immediately after the first, downloaded 4 times more new objects!

???

PS: And, is there a way to use that git repository without the metadata?
duane
n00b


Joined: 03 Jun 2002
Posts: 29
Location: Oklahoma City

PostPosted: Fri Jun 29, 2018 2:12 am

Tony0945 wrote:
EDIT We're seeing that famed Microsoft security.


I hate to admit it, but that's one of the first things that popped into my head. Then I started thinking, "This is pretty obvious. Maybe it's a feint, to distract people from a more serious hack."

I hope there's no way any signing keys could be compromised.
Ant P.
Watchman


Joined: 18 Apr 2009
Posts: 5327

PostPosted: Fri Jun 29, 2018 2:22 am

I doubt anything happened to any keys, but the attacker apparently wasn't very smart to begin with; it's unlikely they'd even know what to do with such a thing if they had it.
slackline
Veteran


Joined: 01 Apr 2005
Posts: 1407
Location: /uk/sheffield

PostPosted: Fri Jun 29, 2018 7:01 am

For those who sync using git, the current safe settings are therefore...

/etc/portage/repos.conf/gentoo:

[DEFAULT]
main-repo = gentoo

[gentoo]
location = /usr/portage
# Disable rsync
#sync-type = rsync
#sync-uri = rsync://rsync.gentoo.org/gentoo-portage
sync-type = git
# Either of these two is fine
#sync-uri = https://github.com/gentoo-mirror/gentoo.git
sync-uri = https://gitweb.gentoo.org/repo/gentoo.git
auto-sync = yes
priority = 1000


If you want to switch back to rsync, you will likely need to add the following (as emerge reports if you don't have it)...

Code:

sync-rsync-vcs-ignore = true

_________________
"Science is what we understand well enough to explain to a computer.  Art is everything else we do." - Donald Knuth
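The advisory quoted at the top of the thread says that all Gentoo commits are signed and that git users should verify the signatures; the git sync configuration above does not do that on its own. What follows is an added example, not code from this thread, from slackline's post or from Portage: it runs git log over a commit range in the ::gentoo checkout and accepts a commit only when git reports a good signature whose primary-key fingerprint is on an allowlist. It assumes git and gpg are installed with the Gentoo developer keys already imported into the keyring git uses; TRUSTED_PRIMARY_FPRS is a hypothetical placeholder to replace with fingerprints verified out of band, and SAMPLE_LOG is constructed output so the script can be run without a repository.

```python
"""Added example for this thread, not code from the forum, from slackline's
post or from Portage: audit OpenPGP signatures on commits in a git-synced
::gentoo checkout.  Assumes git/gpg are installed and the Gentoo developer
keys are in the keyring git uses; TRUSTED_PRIMARY_FPRS is a placeholder."""
import subprocess
import sys
from typing import Iterable, List, Tuple

# Hypothetical placeholder, NOT a real Gentoo key; replace after verifying out of band.
TRUSTED_PRIMARY_FPRS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# git's one-letter signature status (%G?), see git-log(1), "PRETTY FORMATS".
STATUS_TEXT = {
    "G": "good signature",
    "U": "good signature, key of unknown validity",
    "X": "good signature, but it has expired",
    "Y": "good signature, but the key has expired",
    "R": "good signature, but the key is revoked",
    "B": "bad signature",
    "E": "signature cannot be checked (key missing?)",
    "N": "no signature",
}

# Constructed sample of `git log --format='%H %G? %GP'` output, not real commits.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111 G 0123456789ABCDEF0123456789ABCDEF01234567
2222222222222222222222222222222222222222 U 0123456789abcdef0123456789abcdef01234567
3333333333333333333333333333333333333333 N
4444444444444444444444444444444444444444 B 0123456789ABCDEF0123456789ABCDEF01234567
5555555555555555555555555555555555555555 G FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
"""

Verdict = Tuple[str, bool, str]  # (commit hash, accepted?, reason)


def classify(line: str, trusted: Iterable[str]) -> Verdict:
    """Judge one '%H %G? %GP' line.

    %GP is the fingerprint of the signer's *primary* key (signing subkeys get
    rotated, primaries do not), so the allowlist is keyed on that.  Only a good
    signature (G, or U: good but gpg has no trust path to the key, the normal
    case for a keyring imported from a file) by an allowlisted key is accepted;
    expired or revoked keys, bad signatures and unsigned commits are rejected.
    """
    parts = line.split()
    if not parts:
        return ("", False, "empty line")
    commit = parts[0]
    status = parts[1] if len(parts) > 1 else "N"
    fpr = parts[2].upper() if len(parts) > 2 else ""
    if status not in ("G", "U"):
        return (commit, False, STATUS_TEXT.get(status, f"unknown status {status!r}"))
    if fpr not in {f.upper() for f in trusted}:
        return (commit, False, f"signed by non-allowlisted key {fpr or '(none)'}")
    return (commit, True, f"{STATUS_TEXT[status]}, primary key {fpr}")


def audit_log(log_text: str, trusted: Iterable[str]) -> List[Verdict]:
    """Classify every non-empty line of git log output."""
    return [classify(ln, trusted) for ln in log_text.splitlines() if ln.strip()]


def audit_repo(repo: str, revs: str, trusted: Iterable[str]) -> List[Verdict]:
    """Run git over `revs`, e.g. 'abc123..HEAD', or plain 'HEAD' for a shallow clone."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "--format=%H %G? %GP", revs],
        check=True, capture_output=True, text=True,
    ).stdout
    return audit_log(out, trusted)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        verdicts = audit_repo(sys.argv[1], sys.argv[2], TRUSTED_PRIMARY_FPRS)
    else:  # no repository given: run over the constructed sample instead
        verdicts = audit_log(SAMPLE_LOG, TRUSTED_PRIMARY_FPRS)
    for commit, ok, why in verdicts:
        print(f"{'OK ' if ok else 'BAD'} {commit[:12]} {why}")
    sys.exit(0 if all(ok for _, ok, _ in verdicts) else 1)
```

Run it as `python3 audit_sigs.py /usr/portage <old-head>..HEAD` after a sync, where <old-head> is the output of `git rev-parse HEAD` recorded before syncing; if the checkout is shallow (Portage's sync-depth setting) only HEAD is there to check, so pass HEAD. Two caveats: a signature proves who made a commit, not that it is the newest one, so a mirror serving an older but validly signed history passes this check (on the rsync path the signed, timestamped MetaManifest and sync-rsync-verify-max-age in Marlo's config above cover that case), and a stolen developer key passes it too. Newer Portage releases can do this check during emerge --sync with sync-git-verify-commit-signature = yes in repos.conf, using the keyring named by sync-openpgp-key-path.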
Marcih
Tux's lil' helper


Joined: 19 Feb 2018
Posts: 129

PostPosted: Fri Jun 29, 2018 9:31 am

http://boards.4chan.org/g/ wrote:
Haha, let me interject, hahaha Winbabbies, N00buntu, install Gentoo XDDDDD
Also http://boards.4chan.org/g/ wrote:
Woah mane, let's hack Gentoo's Git, it's for teh lulz XD, le legion XDDDD

Looks like summer has officially arrived.
If they had at least taken the time to target Gentoo's actual repositories, the ones 99% of users rsync with. We should be glad that didn't happen, of course.
_________________
Bones McCracker wrote:
It wouldn't be so bad, if it didn't suck.
marax_faraii
n00b


Joined: 11 Apr 2016
Posts: 40

PostPosted: Fri Jun 29, 2018 10:01 am    Post subject: Recent news of Gentoo git being hacked

I've been using the git repo basically for the only reason that it was faster. As a normal user, that matters for some reason unbeknownst :P

On that note, instead of having it on github, wouldn't it be beneficial for the devs to host on own infrastructure using gitlab?
simonvanderveldt
Tux's lil' helper


Joined: 26 Jan 2016
Posts: 92

PostPosted: Fri Jun 29, 2018 10:20 am    Post subject: Re: Recent news of Gentoo git being hacked

marax_faraii wrote:
I've been using the git repo basically for the only reason it was faster. As I normal user, that matters for some reason unbeknownst :P

On that note, instead of having it on github, wouldn't it be beneficial for the devs to host on own infrastructure using gitlab?

It's irrelevant where it's hosted if the people with access aren't taking care of their basic security.
f.kater
Guru


Joined: 23 May 2002
Posts: 342
Location: Berlin

PostPosted: Fri Jun 29, 2018 11:16 am    Post subject: On github hack: Comparing repositories

To check whether my git-based portage trees that I downloaded from github are
sane, I've downloaded another portage tree as a tar file which is hopefully
ok.

IMHO comparing the DIST lines of the Manifest entries for all ebuild versions
between the two repos should reveal whether the current repo has compromised
entries, correct?

So, I've been using the following script to do so. You need to adjust the two
path variables portage_check and portage_safe to your local repositories.
Note: Large Manifest files take a while, all in all about 1 hour on my box.

Code:

#!/bin/bash
# Compare the DIST entries of every Manifest in the tree under suspicion
# (portage_check) with the same Manifest in a tree believed to be clean
# (portage_safe).  Adjust the two paths to your local repositories.
# Only DIST (distfile) entries are compared: size and BLAKE2B digest.

portage_check="/usr/portage"
portage_safe="/usr/portage-rsync"

pushd . &> /dev/null
cd "${portage_check}" || exit 1

printf "\n"

# NUL-separated find/sort, one Manifest path per loop iteration
while IFS= read -r -d '' file1
do
   file2="${portage_safe}/${file1}"
   if [[ ! -f "${file2}" ]]; then
      printf "\nMANIFEST NOT FOUND: %s\n" "${file2}"
      continue
   fi

   nlines=$(cat ${file1} | wc -l)
   count=0

   while read -r line
   do
      count=$((count + 1))

      printf "\r%-78s" "CHECKING ${file1} (line: ${count}/${nlines})"

      # Manifest DIST lines look like:
      # DIST <distfile> <size> BLAKE2B <digest> SHA512 <digest>
      IFS=' ' read -r f1 f2 f3 f4 f5 f6 <<<"$line"
      if [[ "${f1}" == "DIST" ]]; then

         # scan the safe manifest for the same distfile
         found=0
         while read -r line2
         do
            IFS=' ' read -r g1 g2 g3 g4 g5 g6 <<<"$line2"

            if [[ "${g1}" == "DIST" && "${g2}" == "${f2}" ]]; then
               found=1
               if [[ "${f3}" != "${g3}" || "${f5}" != "${g5}" ]]; then
                  printf "\nHASH DIFFERS: distfile %s (in %s)\n" "${f2}" "${file1}"
               fi
            fi
         done <"${file2}"

         # an entry the safe tree does not know about is just as suspicious
         if [[ ${found} -eq 0 ]]; then
            printf "\nNOT IN SAFE MANIFEST: distfile %s (in %s)\n" "${f2}" "${file1}"
         fi
      fi
   done <"${file1}"
done < <(find . -name "Manifest" -print0 | sort -z)

printf "\nDONE\n"

popd &> /dev/null

Yamakuzure
Advocate


Joined: 21 Jun 2006
Posts: 2261
Location: Bardowick, Germany

PostPosted: Fri Jun 29, 2018 11:49 am

duane wrote:
Tony0945 wrote:
EDIT We're seeing that famed Microsoft security.


I hate to admit it, but that's one of the first things that popped into my head.
Guys, you do know that Microsoft does not own Github, yet, right? :wink:
Microsoft wrote:
Subject to customary closing conditions and completion of regulatory review, the acquisition is expected to close by the end of the calendar year.

_________________
Important German:
  1. "Aha" - German reaction to pretend that you are really interested while giving no f*ck.
  2. "Tja" - German reaction to the apocalypse, nuclear war, an alien invasion or no bread in the house.
AngelKnight
Tux's lil' helper


Joined: 14 Jan 2003
Posts: 126

PostPosted: Fri Jun 29, 2018 12:09 pm    Post subject: Re: Recent news of Gentoo git being hacked

The notice is potentially confusing to folks who didn't know [1] or care that the Gentoo folks maintained more than one Github organization.

An answer to the following question would be useful:

Are URLs that start https://github.com/gentoo-mirror/ safe?

Answers:

  • yes
  • no
  • not sure/maybe


For now I'm proceeding with no since that's the safest answer for me, but some explicit clarity on this would make it easier to know what's definitely risky as a result of this compro.

[1] I'm one of those
khayyam
Watchman


Joined: 07 Jun 2012
Posts: 6229
Location: Room 101

PostPosted: Fri Jun 29, 2018 12:23 pm    Post subject: Re: Recent news of Gentoo git being hacked

AngelKnight wrote:
An answer to the following question would be useful: Are URLs that start https://github.com/gentoo-mirror/ safe?

AngelKnight ... yes ... 'gentoo-mirror' is a separate account, see here.

best ... khay
khayyam
Watchman


Joined: 07 Jun 2012
Posts: 6229
Location: Room 101

PostPosted: Fri Jun 29, 2018 12:31 pm

Tony0945 wrote:
EDIT We're seeing that famed Microsoft security.

duane wrote:
I hate to admit it, but that's one of the first things that popped into my head.

Yamakuzure wrote:
Guys, you do know that Microsoft does not own Github, yet, right? :wink:

Yamakuzure ... hold my beer ... you think microsoft would buy it if it didn't suck security wise? ;)

(not that I think the account was compromised by anything other than actions taken by those maintaining the repo).

best ... khay
dalu
Guru


Joined: 20 Jan 2003
Posts: 487

PostPosted: Fri Jun 29, 2018 12:38 pm

M$ buys Github, Gentoo gets hacked.

It's either an inside job to protest the M$ acquisition, some kids acting stupid, or actually M$/affiliates doing their magic.
Either way, it's not the 1st time Gentoo repos were "hacked".

And this is just the epitome of the chaos and lack of transparency that Gentoo is.
AngelKnight
Tux's lil' helper


Joined: 14 Jan 2003
Posts: 126

PostPosted: Fri Jun 29, 2018 12:42 pm    Post subject: Re: Recent news of Gentoo git being hacked

khayyam wrote:
AngelKnight ... yes ... 'gentoo-mirror' is a separate account, see here.

best ... khay


Cheers, my search-fu failed.
Chiitoo
Administrator


Joined: 28 Feb 2010
Posts: 1622
Location: Here and Away Again

PostPosted: Fri Jun 29, 2018 1:15 pm    Post subject: ><)))°€

Merged the topic 'Recent news of Gentoo git being hacked' with its total of six (6) posts, as well as the topic 'On github hack: Comparing repositories', with its single starter post so as to not have several topics about the issue (unless there's a very good reason for it).
_________________
Kind Regards,
~ The Noob Unlimited ~

Sore wa sore, kore wa kore.
khayyam
Watchman


Joined: 07 Jun 2012
Posts: 6229
Location: Room 101

PostPosted: Fri Jun 29, 2018 1:20 pm

f.kater ...

that criterion of validity could only be true if the tree was modified on a gentoo host, the manifests rebuilt subsequently (using 'ebuild' or 'repoman'), and then those changes pushed. If the reports so far suggest anything, it's that those responsible had no idea what they were doing ... and so that is highly unlikely to be the case.

... and btw:

f.kater wrote:
Code:
nlines=$(cat ${file1} | wc -l)

... useless use of cat:

Code:
nlines=$(wc -l < "${file1}")

best ... khay
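f.kater's script earlier in the thread compares DIST lines between two trees, and the reply above points out that such a comparison only finds something if the attacker regenerated the Manifests. What follows is an added example, not code from the thread, from f.kater or from Portage/gemato, that covers both cases for one package directory: verify_package() hashes every EBUILD/AUX/MISC file on disk against its Manifest and flags files the Manifest does not list (this catches edits and additions made without regenerating Manifests), and diff_manifests() compares two Manifests entry by entry (the only thing that helps when they were regenerated, provided the second copy came from infrastructure the attacker did not control). The package app-misc/hello and every file written by demo() are constructed; DIST entries are only carried through the diff, since distfiles are not part of the tree.

```python
"""Added example, not code from the thread or from Portage/gemato: check a package
directory of the ebuild tree against its Manifest, and diff two Manifests."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

TYPES = ("AUX", "DIST", "EBUILD", "MISC")  # AUX lives in files/, DIST is a distfile

def parse_manifest(text: str) -> List[Tuple[str, str, int, Dict[str, str]]]:
    """(type, name, size, {hashname: hex}) per entry; blanks and OpenPGP armour are skipped."""
    entries = []
    for raw in text.splitlines():
        p = raw.split()
        if len(p) >= 5 and p[0] in TYPES:
            hashes = {k.upper(): v.lower() for k, v in zip(p[3::2], p[4::2])}
            entries.append((p[0], p[1], int(p[2]), hashes))
    return entries

def hash_file(path: str) -> Dict[str, str]:
    """The two digests current Manifests carry (BLAKE2B is the 512-bit variant)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"BLAKE2B": hashlib.blake2b(data, digest_size=64).hexdigest(),
            "SHA512": hashlib.sha512(data).hexdigest()}

def verify_package(pkgdir: str) -> List[str]:
    """Problems in pkgdir; [] means every listed file matches and nothing is unlisted."""
    mpath = os.path.join(pkgdir, "Manifest")
    if not os.path.isfile(mpath):
        return ["Manifest missing"]
    with open(mpath, encoding="utf-8") as fh:
        entries = parse_manifest(fh.read())
    problems, listed = [], set()
    for typ, name, _size, hashes in entries:
        if typ == "DIST":
            continue  # distfiles are fetched later and checked by Portage then
        rel = os.path.join("files", name) if typ == "AUX" else name
        listed.add(rel)
        path = os.path.join(pkgdir, rel)
        if not os.path.isfile(path):
            problems.append(f"{rel}: listed in Manifest but missing")
            continue
        actual = hash_file(path)
        for hname, hval in hashes.items():
            if hname in actual and actual[hname] != hval:
                problems.append(f"{rel}: {hname} mismatch")
    for root, _dirs, files in os.walk(pkgdir):  # e.g. an ebuild an attacker dropped in
        for fname in files:
            rel = os.path.relpath(os.path.join(root, fname), pkgdir)
            if rel != "Manifest" and rel not in listed:
                problems.append(f"{rel}: on disk but not in Manifest")
    return problems

def diff_manifests(text_a: str, text_b: str) -> List[str]:
    """Entries (keyed on type and name) that differ between two Manifests."""
    a = {(t, n): (s, h) for t, n, s, h in parse_manifest(text_a)}
    b = {(t, n): (s, h) for t, n, s, h in parse_manifest(text_b)}
    out = []
    for key in sorted(set(a) | set(b)):
        if key not in b:
            out.append(f"{key[0]} {key[1]}: only in first")
        elif key not in a:
            out.append(f"{key[0]} {key[1]}: only in second")
        elif a[key] != b[key]:
            out.append(f"{key[0]} {key[1]}: size/hash differ")
    return out

def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed fixture (hypothetical app-misc/hello): clean, then tampered,
    then a Manifest regenerated after the tampering diffed against the original."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "app-misc", "hello")
        os.makedirs(os.path.join(pkg, "files"))
        def put(rel: str, text: str) -> str:  # write a constructed file, return its path
            with open(os.path.join(pkg, rel), "w") as fh:
                fh.write(text)
            return os.path.join(pkg, rel)
        def entry(typ: str, name: str, path: str) -> str:
            h = hash_file(path)
            return f"{typ} {name} {os.path.getsize(path)} BLAKE2B {h['BLAKE2B']} SHA512 {h['SHA512']}"
        ebuild = put("hello-1.0.ebuild", 'EAPI=7\nDESCRIPTION="constructed sample"\n')
        patch = put("files/hello-1.0-fix.patch", "--- a\n+++ b\n")
        ebuild_line = entry("EBUILD", "hello-1.0.ebuild", ebuild)
        good = "\n".join([entry("AUX", "hello-1.0-fix.patch", patch),
                          "DIST hello-1.0.tar.gz 1234 BLAKE2B " + "0" * 128 + " SHA512 " + "0" * 128,
                          ebuild_line]) + "\n"
        put("Manifest", good)
        clean = verify_package(pkg)
        put("hello-1.0.ebuild", "echo pwned\nEAPI=7\n")  # constructed tamper: edit the ebuild
        put("hello-9999.ebuild", "EAPI=7\n")             # and drop in a rogue, unlisted one
        tampered = verify_package(pkg)
        # A Manifest regenerated after the edit satisfies verify_package for that
        # ebuild; only comparison with an untouched copy still shows the change.
        regenerated = good.replace(ebuild_line, entry("EBUILD", "hello-1.0.ebuild", ebuild))
        return clean, tampered, diff_manifests(good, regenerated)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Loop verify_package() over every directory that contains a Manifest to cover a whole tree, and feed diff_manifests() the Manifest from the suspect tree and from a copy obtained from gentoo.org. Neither check replaces what Portage does on the rsync path, where gemato verifies the whole tree against the signed, timestamped MetaManifest (the sync-rsync-verify-* settings in Marlo's config above); a local check like this only says whether the tree is consistent with itself and with a second copy, not who produced it.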
Page 1 of 4