y Ports and Backdoors

Contributed by jose on 2002-07-02 from the md5-sha1-rmd160 dept.

Lately several popular pieces of software have been backdoored after their main server has been compromised. the latest is ircii-pana-1.0c19 , but the list has included irssi and dsniff .

As discussed in the Ports FAQ , one of the things the ports tree does is use cryptographic checksums to ensure that the right distfile has been fetched and its not corrupted, either by accident or by someone's malicious actions. This backdooring has been going on frequently in the past month or two and in each case the ports tree checksum mechanism has caught it. So, dont disregard these errors and don't run make NO_CHECKSUM=yes , which simply ignores this mismatch. Instead, you should run make checksum REFETCH=true which will fetch the distfile, known to be trusted, from the OpenBSD FTP mirrors. Use the built in integrity checking mechanisms when dealing with untrusted sources of software!

(Comments are closed)

Comments

By Anonymous Coward () on 2002-07-03 00:01

Does that trojan affect older versions of BX as well, such as bitchx-1.0c17p1 or strictly just bitchx-1.0c19.tar.gz?

Thx ppl!
By Skinny Puppy () on 2002-07-03 00:58 http://www.shitbomb.com

Using make checksum REFETCH=true could lead to the same problems, you are trusting whatever server is currently listed in DNS as ftp.openbsd.org.
The best way I could think of doing this correctly is with a public key that is used to sign all src/ports/snapshops/whatever. But then again that would be a major in the ass for developers
By Anonymous Coward () on 2002-07-03 07:19

GOBBLES? *cough*

Latest Articles

Wed, Apr 24
- 04:35 Game of Trees 0.98 released (0)
Tue, Apr 23
- 05:25 pfctl(8) and systat(8) to display fragment reassembly statistics (0)
Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (12)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]