Re: The possibility of malicious code in the Debian unstable libtool-1.5 package

On Tue, 2003-08-26 at 17:38, Alan W. Irwin wrote:
> On 26 Aug 2003, Scott James Remnant wrote:
>
> > The Debian package is actually Libtool 1.5.0a and is taken from their
> > CVS repository, which wasn't compromised.
>
> I agree it takes extreme care to leave no tracks behind so it is fairly
> improbable that the cvs server was compromised. And even if an undetected
> crack occurred of that server, I agree it would take some effort to rewrite
> RCS files (although temporarily putting in a maliciously modified cvs server
> could do it). Thus, I agree with your judgement that restoring from cvs is
> safe to a fairly large degree. However, GNU have apparently decided not to
> restore from cvs since otherwise they should be able to proceed at a much
> faster rate than 10-15 restorations per day. Shouldn't debian follow their
> lead and be ultra-cautious also (especially with libtool since the downside
> is so severe if that app is compromised)?

My tracking of the libtool 1.5 branch of CVS predates the compromise, trust
me, there's no naughty code in there.

Scott
-- 
Have you ever, ever felt like this?
Had strange things happen?  Are you going round the twist?

signature.asc
Description: This is a digitally signed message part
Re: The possibility of malicious code in the Debian unstable libtool-1.5 package

On Tue, 2003-08-26 at 16:23, Alan W. Irwin wrote:
> As I am sure most of you on this list are aware, GNU recently discovered
> that their ftp file server was owned for many months by a cracker.
>
Indeed, I was the one who did a bulk-check of the easy MD5 sums and posted
it to the list :-)

> libtool-1.5.tar.gz is one of those tarballs that has not yet been given a
> clean bill of health by GNU (see http://ftp.gnu.org/gnu/libtool/).
> Nevertheless, it has been packaged for debian unstable.
>
Untrue.  The Debian package is actually Libtool 1.5.0a and is taken from
their CVS repository, which wasn't compromised.

The _orig.tar.gz *is* the potentially compromised one from the FTP site,
however any compromise would be reverted back to the uncompromised CVS
version by the .diff.gz[0]

That aside, I've compared libtool-1.5.tar.gz to a checkout of the GNU CVS
tree for that release, and there are no differences... as well as obviously
manually reading the 1.5 -> 1.5.0a diff before applying it.

Unless cvs.gnu.org was also compromised by someone insane enough to rewrite
RCS files by hand to hide the modification, libtool in unstable is safe :-)

Scott

[0] which also accidentally contains some .svn trees, oops! :)
-- 
Have you ever, ever felt like this?
Had strange things happen?  Are you going round the twist?

signature.asc
Description: This is a digitally signed message part
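The decisive check in the message above is not the MD5 sum (a hash list served from the same host as the tarball gives no independent assurance) but the comparison of the downloaded libtool-1.5.tar.gz against a checkout of the CVS tree, a source the compromised FTP server never touched. The .diff.gz argument is weaker on its own: a Debian diff only reverts the hunks it contains, so a file the attacker altered and the diff never touches would survive in the built package. The script below is an added example, not code from this thread or from Debian or GNU tooling: it hashes every regular file in a tarball and in a source checkout and reports modified, planted and dropped files. The "checkout" and tarball are a constructed fixture built in a temporary directory; the file names (configure, ltmain.sh, README) are illustrative.

```python
"""Added example: compare a release tarball against an independent VCS checkout.
Input is a constructed fixture (tiny checkout + tarball); not from the thread."""
import hashlib
import io
import os
import tarfile
import tempfile

VCS_DIRS = ("CVS", ".svn", ".git")  # bookkeeping present in checkouts, never in tarballs


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def tarball_digests(tar_path):
    """Map each regular file in the tarball to its SHA-256, stripping the
    top-level directory (libtool-1.5/...) so paths line up with a checkout."""
    digests = {}
    with tarfile.open(tar_path, "r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/", 1)
            rel = parts[1] if len(parts) == 2 else parts[0]
            digests[rel] = _sha256(tf.extractfile(member).read())
    return digests


def checkout_digests(root):
    """Map each file under a checkout to its SHA-256, skipping VCS metadata."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in VCS_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = _sha256(fh.read())
    return digests


def compare_tarball_to_checkout(tar_path, checkout):
    """Return the three kinds of discrepancy a tampered tarball can show:
    modified files, files only in the tarball (planted) and files only in
    the checkout (dropped). All three empty means a byte-for-byte match."""
    tar = tarball_digests(tar_path)
    src = checkout_digests(checkout)
    return {
        "modified": sorted(p for p in tar if p in src and tar[p] != src[p]),
        "only_in_tarball": sorted(set(tar) - set(src)),
        "only_in_checkout": sorted(set(src) - set(tar)),
    }


def build_sample(workdir, tamper):
    """Constructed fixture: a tiny 'checkout' plus a tarball built from it,
    optionally with one modified file and one planted file."""
    checkout = os.path.join(workdir, "checkout")
    files = {
        "configure": b"#!/bin/sh\necho configuring\n",
        "ltmain.sh": b"# libtool script body\n",
        "README": b"GNU Libtool 1.5\n",
    }
    os.makedirs(os.path.join(checkout, "CVS"))
    for rel, data in files.items():
        with open(os.path.join(checkout, rel), "wb") as fh:
            fh.write(data)
    with open(os.path.join(checkout, "CVS", "Entries"), "wb") as fh:
        fh.write(b"/configure/1.1/\n")  # CVS bookkeeping, absent from any tarball
    release = dict(files)
    if tamper:
        release["configure"] += b"# line appended in the tarball only (constructed)\n"
        release["ltmain.sh.orig"] = b"# file planted in the tarball (constructed)\n"
    tar_path = os.path.join(workdir, "libtool-1.5.tar.gz")
    with tarfile.open(tar_path, "w:gz") as tf:
        for rel, data in release.items():
            info = tarfile.TarInfo("libtool-1.5/" + rel)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return tar_path, checkout


def run_demo(tamper):
    """Build the fixture, compare, and return the discrepancy report."""
    with tempfile.TemporaryDirectory() as workdir:
        tar_path, checkout = build_sample(workdir, tamper)
        return compare_tarball_to_checkout(tar_path, checkout)


if __name__ == "__main__":
    print("clean tarball:   ", run_demo(tamper=False))
    print("tampered tarball:", run_demo(tamper=True))
```

With the clean fixture all three lists come back empty; with the tampered one, configure is reported as modified and ltmain.sh.orig as present only in the tarball. Against a real release, point tarball_digests at the downloaded archive and checkout_digests at an export of the matching tag or branch from the VCS; a generated file such as configure that legitimately exists only in the tarball will show up under only_in_tarball and has to be reviewed by hand, which is the manual step the message describes for the 1.5 -> 1.5.0a diff.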