As I am sure most of you on this list are aware, GNU recently discovered that their ftp file server was owned for many months by a cracker. They rightly withdrew all their many source tarballs to check for malicious code. The old tarballs were quickly reinstated (presumably because they had backups from prior to when the cracker owned them) and also found to be free of malicious code. There are still some 500 of these newer tarballs for GNU to check and apparently they are doing it at a rate of 10-15 per day.
libtool-1.5.tar.gz is one of those tarballs that has not yet been given a clean bill of health by GNU (see http://ftp.gnu.org/gnu/libtool/). Nevertheless, it has been packaged for Debian unstable. There is some room for optimism that the tarball used to create that package does not have malicious code in it (since the older tarballs that have been checked do seem to be clean), but the cracker did have full control when that tarball was created and for many months afterward, and the downside (many Debian packages compromised that are built with libtool-1.5) could be severe indeed.

Thus, wouldn't it be the right thing to do to withdraw the Debian unstable libtool-1.5 package until GNU has a chance to check the tarball? (And of course, after the checked version is available, the tarball used to create the current package should be checked against it to make sure nothing malicious got propagated while the libtool-1.5 package was available.)

Note, I run Debian stable myself, and I only happened to notice this possible libtool-1.5 security problem for Debian unstable by chance. Since there doesn't seem to be any discussion of this issue on this list (and no libtool bug reports about this issue), I thought I had better bring it up for discussion.

Alan W. Irwin

__________________________

Alan W. Irwin
email: [EMAIL PROTECTED]
phone: 250-727-2902

Astronomical research affiliation with Department of Physics and Astronomy, University of Victoria (astrowww.phys.uvic.ca).
Programming affiliations with the PLplot scientific plotting software package (plplot.org), the Yorick front-end to PLplot (yplot.sf.net), the Loads of Linux Links project (loll.sf.net), and the Linux Brochure Project (lbproject.sf.net).

__________________________
Linux-powered Science
__________________________
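The check proposed above (comparing the tarball a package was built from against the copy upstream has re-verified) is easy to get wrong if one only compares archive hashes, since repacked archives of identical sources can differ byte-for-byte. The following is an added example, not part of the original post or of any Debian or GNU tooling; it extracts both archives and compares their contents file by file, and the sample tarballs it builds are constructed data, not real libtool sources.

```shell
#!/bin/sh
# Compare a candidate source tarball (say, the one a package was built from)
# against a reference tarball (the copy the upstream project has re-checked).
# Contents are compared after extraction: two .tar.gz files holding identical
# sources can still differ in their bytes (gzip header, tar member order), so
# a mismatching archive hash alone proves nothing either way.
# Exit status: 0 contents identical, 1 contents differ, 2 usage/extraction error.
compare_tarballs() {
    ref="$1"; cand="$2"
    if [ ! -f "$ref" ] || [ ! -f "$cand" ]; then
        echo "usage: compare_tarballs REFERENCE.tar.gz CANDIDATE.tar.gz" >&2
        return 2
    fi
    work=$(mktemp -d) || return 2
    mkdir "$work/ref" "$work/cand"
    if ! tar -xzf "$ref" -C "$work/ref" || ! tar -xzf "$cand" -C "$work/cand"; then
        echo "extraction failed" >&2; rm -rf "$work"; return 2
    fi
    # Archive-level hashes are still worth recording for the audit trail.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$ref" "$cand"; fi
    # diff -r lists added, removed and modified files, dotfiles included.
    if diff -r "$work/ref" "$work/cand"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

# Constructed sample data (hypothetical, not real libtool sources): a reference
# tree, a repack of the same tree, and a repack with one file altered.
make_sample_tarballs() {
    dir="$1"
    mkdir -p "$dir/src/libtool-x"
    printf 'all:\n\t@echo build\n' > "$dir/src/libtool-x/Makefile.in"
    printf '#!/bin/sh\necho configure\n' > "$dir/src/libtool-x/configure"
    tar -czf "$dir/reference.tar.gz" -C "$dir/src" libtool-x
    tar -czf "$dir/repacked.tar.gz" -C "$dir/src" libtool-x
    printf '\necho altered\n' >> "$dir/src/libtool-x/configure"
    tar -czf "$dir/tampered.tar.gz" -C "$dir/src" libtool-x
}
```

Run `make_sample_tarballs /tmp/demo` and then `compare_tarballs /tmp/demo/reference.tar.gz /tmp/demo/tampered.tar.gz` to see the altered `configure` reported.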