Hi Steven,

On Monday, 21 December 2015, Steven Chamberlain wrote:
> One of the reproducible builds talk slides showed a diff of OpenSSH
> before and after some off-by-one vulnerability was fixed.
>
> Here's a real-world malicious backdoor in Juniper ScreenOS's sshd:
> https://community.rapid7.com/servlet/JiveServlet/showImage/38-7376-36434/ssh.png
> The yellow highlighted string allows login as any user. Full article:
> https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor
"neato" :/

https://github.com/hdm/juniper-cve-2015-7755/tree/master/firmware has links to the actual firmware images; I would appreciate it if someone could throw them against (my.)diffoscope.org and share the links…!

> Whilst this may have been added in source code, it was well-disguised in
> the disassembly and just 7 instructions long. I thought this was a good
> example of the current state-of-the-art, and why we'd like our binaries
> and eventually, installer and VM images reproducible IMHO.

indeed! thanks for sharing this here!

cheers,
	Holger
_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
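The thread's point is that a reproducible build turns "is this image what the source says it is?" into a byte comparison. The script below is an added example, not part of the thread and not diffoscope: it checks an independent rebuild against a shipped image by digest and, when they differ, reports the exact byte ranges so a reviewer knows where to look in the disassembly. The two "firmware images" are constructed toy byte strings, not real ScreenOS firmware.

```python
"""Reproducible-builds style check of two build artifacts.

Added example (not from the thread, not diffoscope): compare a reference
rebuild against a shipped image by digest, then locate the exact byte
ranges that differ so a reviewer can inspect them. Both images below are
constructed toy inputs, not real ScreenOS firmware.
"""
import hashlib
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    """Digest used to decide whether two builds are bit-for-bit identical."""
    return hashlib.sha256(data).hexdigest()


def is_reproducible(build_a: bytes, build_b: bytes) -> bool:
    """A build is reproducible only if an independent rebuild matches exactly."""
    return sha256_hex(build_a) == sha256_hex(build_b)


def differing_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return (start, end) offsets (end exclusive) of every maximal run of
    bytes that differ between a and b. A length mismatch is reported as a
    differing run covering the tail of the longer input."""
    ranges: List[Tuple[int, int]] = []
    n = max(len(a), len(b))
    start = None
    for i in range(n):
        byte_a = a[i] if i < len(a) else None
        byte_b = b[i] if i < len(b) else None
        if byte_a != byte_b:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges


def diff_report(reference: bytes, shipped: bytes, context: int = 4) -> List[str]:
    """Human-readable lines, one per differing run, showing the bytes on each
    side with a few bytes of surrounding context (a tiny diffoscope)."""
    lines = []
    for start, end in differing_ranges(reference, shipped):
        lo, hi = max(0, start - context), end + context
        lines.append(
            f"offset 0x{start:04x}-0x{end:04x}: "
            f"reference={reference[lo:hi].hex()} shipped={shipped[lo:hi].hex()}"
        )
    return lines


# Constructed sample images: a rebuild from audited source and a shipped
# image that differs in three bytes right after a recognisable marker.
REFERENCE_BUILD = (b"\x7fELF" + b"\x00" * 12 + b"login"
                   + b"\x01\x02\x03\x04\x05\x06\x07" + b"\x00" * 8)
SHIPPED_BUILD = (b"\x7fELF" + b"\x00" * 12 + b"login"
                 + b"\x01\x02\x03\xaa\xbb\xcc\x07" + b"\x00" * 8)


if __name__ == "__main__":
    print("reproducible:", is_reproducible(REFERENCE_BUILD, SHIPPED_BUILD))
    for line in diff_report(REFERENCE_BUILD, SHIPPED_BUILD):
        print(line)
```

On real images the digest check is the cheap gate; only when it fails is the range report worth reading, and a handful of bytes inside an authentication routine is exactly the kind of small, localised difference the quoted message describes.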