Re: The possibility of malicious code in the Debian unstable libtool-1.5 package

2003-08-26 Thread Noah L. Meyerhans
On Tue, Aug 26, 2003 at 08:23:44AM -0700, Alan W. Irwin wrote:
> Thus, wouldn't it be the right thing to do to withdraw the Debian unstable
> libtool-1.5 package until GNU has a chance to check the tarball? (And of
> course after the checked version is available, the tarball used to create
> the current package should be checked against it to make sure nothing
> malicious got propagated while the libtool-1.5 package was available).

Would it not be the right thing to simply run diff between the source in
testing (assuming that predates the crack) and the one in unstable and
look for suspicious code?  It doesn't take somebody operating in an
official GNU capacity to confirm that there's no malicious code there.

noah





Re: The possibility of malicious code in the Debian unstable libtool-1.5 package

2003-08-26 Thread Alan W. Irwin
On 26 Aug 2003, Scott James Remnant wrote:

> My tracking of the libtool 1.5 branch of CVS predates the compromise,
> trust me, there's no naughty code in there.

Thanks for that strong public reassurance and the useful discussion that
preceded it.

Alan
__
Alan W. Irwin
email: [EMAIL PROTECTED]
phone: 250-727-2902

Astronomical research affiliation with Department of Physics and Astronomy,
University of Victoria (astrowww.phys.uvic.ca).

Programming affiliations with the PLplot scientific plotting software
package (plplot.org), the Yorick front-end to PLplot (yplot.sf.net), the
Loads of Linux Links project (loll.sf.net), and the Linux Brochure Project
(lbproject.sf.net).
__

Linux-powered Science
__



Re: The possibility of malicious code in the Debian unstable libtool-1.5 package

2003-08-26 Thread Scott James Remnant
On Tue, 2003-08-26 at 17:38, Alan W. Irwin wrote:

> On 26 Aug 2003, Scott James Remnant wrote:
> 
> > The Debian package is actually Libtool 1.5.0a and is taken from their
> > CVS repository, which wasn't compromised.
> >
> 
> I agree it takes extreme care to leave no tracks behind so it is fairly
> improbable that the cvs server was compromised. And even if an undetected
> crack occurred of that server, I agree it would take some effort to rewrite
> RCS files (although temporarily putting in a maliciously modified cvs server
> could do it).  Thus, I agree with your judgement that restoring from cvs is
> safe to a fairly large degree. However, GNU have apparently decided not to
> restore from cvs since otherwise they should be able to proceed at a much
> faster rate than 10-15 restorations per day.  Shouldn't debian follow their
> lead and be ultra-cautious also (especially with libtool since the downside
> is so severe if that app is compromised)?
> 
My tracking of the libtool 1.5 branch of CVS predates the compromise,
trust me, there's no naughty code in there.

Scott
-- 
Have you ever, ever felt like this?
Had strange things happen?  Are you going round the twist?




Re: The possibility of malicious code in the Debian unstable libtool-1.5 package

2003-08-26 Thread Alan W. Irwin
On 26 Aug 2003, Scott James Remnant wrote:

> The Debian package is actually Libtool 1.5.0a and is taken from their
> CVS repository, which wasn't compromised.
>
> The _orig.tar.gz *is* the potentially compromised one from the FTP site,
> however any compromise would be reverted back to the uncompromised CVS
> version by the .diff.gz[0]
>
> That aside, I've compared libtool-1.5.tar.gz to a checkout of the GNU
> CVS tree for that release, and there's no differences...  as well as
> obviously manually reading the 1.5 -> 1.5.0a diff before applying it.
>
> Unless cvs.gnu.org was also compromised by someone insane enough to
> rewrite RCS files by hand to hide the modification, libtool in unstable
> is safe :-)

I agree it takes extreme care to leave no tracks behind so it is fairly
improbable that the cvs server was compromised. And even if an undetected
crack occurred of that server, I agree it would take some effort to rewrite
RCS files (although temporarily putting in a maliciously modified cvs server
could do it).  Thus, I agree with your judgement that restoring from cvs is
safe to a fairly large degree. However, GNU have apparently decided not to
restore from cvs since otherwise they should be able to proceed at a much
faster rate than 10-15 restorations per day.  Shouldn't debian follow their
lead and be ultra-cautious also (especially with libtool since the downside
is so severe if that app is compromised)?

Alan



Re: The possibility of malicious code in the Debian unstable libtool-1.5 package

2003-08-26 Thread Scott James Remnant
On Tue, 2003-08-26 at 16:23, Alan W. Irwin wrote:

> As I am sure most of you on this list are aware, GNU recently discovered
> that their ftp file server was owned for many months by a cracker.
> 
Indeed, I was the one who did a bulk-check of the easy MD5 sums and
posted it to the list :-)

> libtool-1.5.tar.gz is one of those tarballs that has not yet been given a
> clean bill of health by GNU (see http://ftp.gnu.org/gnu/libtool/).
> Nevertheless, it has been packaged for debian unstable. 
> 
Untrue.

The Debian package is actually Libtool 1.5.0a and is taken from their
CVS repository, which wasn't compromised.

The _orig.tar.gz *is* the potentially compromised one from the FTP site,
however any compromise would be reverted back to the uncompromised CVS
version by the .diff.gz[0]

That aside, I've compared libtool-1.5.tar.gz to a checkout of the GNU
CVS tree for that release, and there's no differences...  as well as
obviously manually reading the 1.5 -> 1.5.0a diff before applying it.

Unless cvs.gnu.org was also compromised by someone insane enough to
rewrite RCS files by hand to hide the modification, libtool in unstable
is safe :-)

Scott

[0] which also accidentally contains some .svn trees, oops! :)



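Added example (not code from the thread, nor from the libtool or Debian projects): a small POSIX shell script that performs the two checks discussed above, a bulk checksum comparison of a downloaded source tree against a manifest taken from a trusted copy (the kind of check Scott describes), and a file-by-file diff against a trusted reference tree such as a VCS checkout or the pre-compromise source in testing (what Noah suggests). It uses sha256sum from GNU coreutils rather than the md5sum of 2003; the two directory trees, the injected line in configure and the extra build-helper.sh file are all constructed here for illustration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the libtool/Debian projects.
# Two checks: (1) verify a candidate source tree against a checksum manifest
# made from a trusted copy; (2) list and diff the files that differ from a
# trusted reference tree. Assumes sha256sum from GNU coreutils is available.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a small constructed source tree. $1 = directory; $2 = "tampered" adds
# an unexpected line to configure and an extra file the reference lacks.
make_tree() {
    mkdir -p "$1/libltdl"
    printf '#!/bin/sh\necho "configuring libtool"\n' > "$1/configure"
    printf 'all:\n\t@echo build\n' > "$1/Makefile.in"
    printf '/* ltdl.c (constructed placeholder) */\n' > "$1/libltdl/ltdl.c"
    if [ "$2" = tampered ]; then
        printf 'sh ./build-helper.sh   # constructed: line absent from the trusted copy\n' >> "$1/configure"
        printf '#!/bin/sh\necho "constructed extra file"\n' > "$1/build-helper.sh"
    fi
}

# Write a checksum manifest for a trusted tree: one "hash  ./path" line per file.
make_manifest() {  # $1 = trusted dir, $2 = manifest path (absolute)
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$2"
}

# Return 0 only if every file in the manifest matches AND the tree contains no
# file the manifest does not list (sha256sum -c alone would miss an added file).
check_manifest() {  # $1 = candidate dir, $2 = manifest path (absolute)
    ( cd "$1" && sha256sum -c --quiet "$2" ) || return 1
    listed=$(awk '{ print $2 }' "$2" | sort)
    present=$(cd "$1" && find . -type f | sort)
    if [ "$listed" != "$present" ]; then
        echo "file set differs from manifest" >&2
        return 1
    fi
}

# Print one line per file that is modified, added or removed relative to the
# reference tree, so a reviewer knows exactly which diffs need reading.
changed_files() {  # $1 = reference dir, $2 = candidate dir (both absolute)
    { (cd "$1" && find . -type f); (cd "$2" && find . -type f); } | sort -u |
    while IFS= read -r f; do
        if [ ! -f "$1/$f" ]; then echo "added: $f"
        elif [ ! -f "$2/$f" ]; then echo "removed: $f"
        elif ! cmp -s "$1/$f" "$2/$f"; then echo "modified: $f"
        fi
    done
}

make_tree "$WORK/reference" clean
make_tree "$WORK/candidate" tampered
make_manifest "$WORK/reference" "$WORK/manifest"

if check_manifest "$WORK/candidate" "$WORK/manifest"; then
    echo "candidate matches the trusted manifest"
else
    echo "candidate does NOT match the trusted manifest; differences:"
    changed_files "$WORK/reference" "$WORK/candidate"
    # The unified diff is what a human reads to judge whether a change is malicious.
    diff -ru "$WORK/reference" "$WORK/candidate" || true
fi
```

Run it as is and it reports build-helper.sh as added and configure as modified, then prints the unified diff of configure. Two points worth keeping in mind when adapting this: sha256sum -c only checks files the manifest names, so an injected file is invisible to it, which is why check_manifest also compares the file sets; and the whole method is only as good as the reference, which is the thread's own point about the CVS checkout having to predate the compromise.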

The possibility of malicious code in the Debian unstable libtool-1.5 package

2003-08-26 Thread Alan W. Irwin
As I am sure most of you on this list are aware, GNU recently discovered
that their ftp file server was owned for many months by a cracker.  They
rightly withdrew all their many source tarballs to check for malicious code.
The old tarballs were quickly reinstated (presumably because they had
backups from prior to when the cracker owned them) and also found to be free
of malicious code.  There are still some 500 of these newer tarballs for GNU
to check and apparently they are doing it at a rate of 10-15 per day.

libtool-1.5.tar.gz is one of those tarballs that has not yet been given a
clean bill of health by GNU (see http://ftp.gnu.org/gnu/libtool/).
Nevertheless, it has been packaged for debian unstable.  There is some room
for optimism that the tarball used to create that package does not have
malicious code in it (since the older tarballs that have been checked do
seem to be clean), but the cracker did have full control when that tarball
was created and for many months afterward, and the downside (many Debian
packages compromised that are built with libtool-1.5) could be severe indeed.

Thus, wouldn't it be the right thing to do to withdraw the Debian unstable
libtool-1.5 package until GNU has a chance to check the tarball? (And of
course after the checked version is available, the tarball used to create
the current package should be checked against it to make sure nothing
malicious got propagated while the libtool-1.5 package was available).

Note, I run debian stable myself, and I only happened to notice this
possible libtool-1.5 security problem for Debian unstable by chance.  Since
there doesn't seem to be any discussion of this issue on this list (and no
libtool bug reports about this issue) I thought I had better bring it up
for discussion.

Alan W. Irwin