OpenBSD Journal

Ports and Backdoors

Contributed by jose on from the md5-sha1-rmd160 dept.

Lately several popular pieces of software have been backdoored after their main server has been compromised. The latest is ircii-pana-1.0c19, but the list has included irssi and dsniff.

As discussed in the Ports FAQ, one of the things the ports tree does is use cryptographic checksums to ensure that the right distfile has been fetched and that it's not corrupted, either by accident or by someone's malicious actions. This backdooring has been going on frequently in the past month or two, and in each case the ports tree checksum mechanism has caught it. So, don't disregard these errors and don't run make NO_CHECKSUM=yes, which simply ignores the mismatch. Instead, you should run make checksum REFETCH=true, which will fetch the distfile, known to be trusted, from the OpenBSD FTP mirrors. Use the built-in integrity checking mechanisms when dealing with untrusted sources of software!
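To show what the distinfo check described above actually does, here is an added example (not the ports tree's own code) that parses a distinfo file in the era's "ALGO (distfile) = hexdigest" format and verifies a distfile the way make checksum does; the distfile bytes and digests are constructed, and the stand-in for a tampered distfile is just the clean one with extra bytes appended.

```python
import hashlib

# Constructed sample data, not a real release: a stand-in distfile and a
# tampered copy; the distinfo digests below are computed from these bytes.
DISTFILE = "ircii-pana-1.0c19.tar.gz"
GOOD_DATA = b"constructed stand-in for the real tarball contents\n"
BACKDOORED_DATA = GOOD_DATA + b"constructed extra bytes standing in for a trojan\n"

# distinfo in the ports format of the day, "ALGO (file) = hexdigest", as a
# maintainer records it with 'make makesum' against the clean distfile.
# RMD160 is left out only because hashlib does not always provide it.
DISTINFO = "\n".join(
    f"{algo.upper()} ({DISTFILE}) = {hashlib.new(algo, GOOD_DATA).hexdigest()}"
    for algo in ("md5", "sha1")
)


def parse_distinfo(text):
    """Map each distfile name to its recorded {ALGO: hexdigest} entries."""
    recorded = {}
    for line in text.splitlines():
        if "(" not in line or "=" not in line:
            continue  # blank lines or anything that is not a digest line
        head, digest = line.split("=", 1)
        algo, name = head.split("(", 1)
        name = name.strip().rstrip(")")
        recorded.setdefault(name, {})[algo.strip().upper()] = digest.strip().lower()
    return recorded


def verify_distfile(distinfo_text, name, data):
    """Do what 'make checksum' does: every recorded digest must match.
    Returns (ok, {ALGO: matched}); a distfile with no recorded digest fails
    closed, and an algorithm hashlib cannot compute counts as a failed check."""
    recorded = parse_distinfo(distinfo_text).get(name)
    if not recorded:
        return False, {}
    results = {}
    for algo, expected in recorded.items():
        try:
            results[algo] = hashlib.new(algo.lower(), data).hexdigest() == expected
        except ValueError:  # unavailable algorithm: never skip it silently
            results[algo] = False
    return all(results.values()), results


if __name__ == "__main__":
    for label, data in (("clean", GOOD_DATA), ("tampered", BACKDOORED_DATA)):
        ok, results = verify_distfile(DISTINFO, DISTFILE, data)
        print(f"{label}: {'OK' if ok else 'CHECKSUM MISMATCH, refetch'} {results}")
```

A mismatch here is the point where NO_CHECKSUM=yes would throw the evidence away, and where REFETCH=true instead pulls a fresh copy that has to pass the same comparison.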



Comments
  1. By Anonymous Coward () on

    Does that trojan affect older versions of BX as well, such as bitchx-1.0c17p1 or strictly just bitchx-1.0c19.tar.gz?

    Thx ppl!

  2. By Skinny Puppy () on http://www.shitbomb.com

    Using make checksum REFETCH=true could lead to the same problems, you are trusting whatever server is currently listed in DNS as ftp.openbsd.org.

    The best way I could think of doing this correctly is with a public key that is used to sign all src/ports/snapshots/whatever. But then again that would be a major in the ass for developers

  3. By Anonymous Coward () on

    GOBBLES? *cough*
