
Re: ftp.gnu.org cracked



[ Moved to debian-devel, I don't think this is relevant to private as
  the GNU crack is well publicised ]

On Mon, 2003-08-18 at 14:58, Matt Zimmerman wrote:

> On Mon, Aug 18, 2003 at 12:35:44PM +1000, Russell Coker wrote:
> 
> > On Mon, 18 Aug 2003 12:51, Robert Millan wrote:
> > > What do you suggest to do? First, can this discussion be disclosed? (e.g:
> > > into debian-security). Then how can we deal with these two problems? Would
> > > an alert message to -devel-announce suffice?
> > 
> > The hack of the GNU server is no secret, and neither is our reliance on GNU 
> > software.  I think that anyone who knows anything about Debian can work out 
> > the issues for themselves.  Therefore trying to keep this secret gains us 
> > nothing and only gives a risk of more concern.  I suggest publicising 
> > everything.
> 
> If we're going to make a statement about it, we should have some facts to
> release.  For example, if someone would like to verify the validity of the
> GNU source tarballs that we ship against the checksums published by GNU,
> that would be great.
> 
No problem, this is only a quick run -- others may find ways to improve
this script somewhat.

153 files were compared (out of 1624 available checksums); reasons for
missing comparisons probably include changes in source package name
compared to GNU tar name, or simply differing versions.

113 checked out OK.  This means that the .orig.tar.gz in Debian has the
same checksum as the equivalent GNU tar, and that the GNU checksum is
considered valid by GNU.

40 did not check out.  This doesn't mean we've got cracked versions, it
just means that our .orig.tar.gz isn't identical to the GNU .tar.gz.

Also note that I just checked what versions could be found in the pool,
not necessarily the latest unstable version.  Many of the latest
versions are missing a GNU-valid md5sum anyway.

The script I used is attached; it takes the before-2003-08-01.md5sums
file from the GNU ftp site (run through gpg to remove signature) as
either stdin or a command-line argument.

Here are the (sorted) results.

   adns: adns_1.0.orig.tar.gz OK.
   anubis: anubis_3.6.2.orig.tar.gz OK.
   aspell: aspell_0.50.3.orig.tar.gz OK.
   autoconf: autoconf_2.13.orig.tar.gz OK.
   autoconf: autoconf_2.53.orig.tar.gz OK.
   autoconf: autoconf_2.57.orig.tar.gz OK.
   autogen: autogen_5.3.5.orig.tar.gz OK.
   barcode: barcode_0.98.orig.tar.gz OK.
   bc: bc_1.06.orig.tar.gz OK.
   bison: bison_1.28.orig.tar.gz OK.
   bison: bison_1.35.orig.tar.gz OK.
!! cfengine: cfengine_1.5.3.orig.tar.gz NOT OK (2603cf1cd3225b06e5df725c866dc987 != b25c09e5d9ee55722771a3732c0b10ff)
!! cfengine: cfengine_1.6.4.orig.tar.gz NOT OK (f1b94557fe01869eee9764e613efa0ee != 5bc50dbeb87e6edbd68526cfacff6fb3)
!! clisp: clisp_2.28.orig.tar.gz NOT OK (d5f8acf2de0db2f5f53e7747d0d84503 != 7d245c446dd5cdeb263b5648bfb4fb76)
   clisp: clisp_2.27.orig.tar.gz OK.
   clisp: clisp_2.30.orig.tar.gz OK.
!! coreutils: coreutils_5.0.orig.tar.gz NOT OK (d16b769d380a0492a4c5ee61d2619985 != a0ef2d8abd223aca757228590ded9e63)
!! cpio: cpio_2.4.2.orig.tar.gz NOT OK (e651ca1e1ac53aaebfa7ad256b0fe4fc != 3e976db71229d52a8a135540698052df)
!! cpio: cpio_2.4.2.orig.tar.gz NOT OK (e651ca1e1ac53aaebfa7ad256b0fe4fc != 3e976db71229d52a8a135540698052df)
   cpio: cpio_2.5.orig.tar.gz OK.
   ddd: ddd_3.3.1.orig.tar.gz OK.
!! dejagnu: dejagnu_1.4.2.orig.tar.gz NOT OK (f8d9f36ea74fd56ad4a68d5cc2a14bba != a697e39c767a47aca9166fcd7420e4b8)
   dejagnu: dejagnu_1.4.3.orig.tar.gz OK.
   diction: diction_1.02.orig.tar.gz OK.
!! doschk: doschk_1.1.orig.tar.gz NOT OK (38b9613f471667573956f0e02b9ff091 != 112565f30ef98595b363afb70cb6a835)
!! doschk: doschk_1.1.orig.tar.gz NOT OK (38b9613f471667573956f0e02b9ff091 != 112565f30ef98595b363afb70cb6a835)
   ed: ed_0.2.orig.tar.gz OK.
   ed: ed_0.2.orig.tar.gz OK.
   electric: electric_6.05.orig.tar.gz OK.
   elib: elib_1.0.orig.tar.gz OK.
   emacs-lisp-intro: emacs-lisp-intro_2.04.orig.tar.gz OK.
   fileutils: fileutils_4.1.orig.tar.gz OK.
   gawk: gawk_3.1.0.orig.tar.gz OK.
   gawk: gawk_3.1.1.orig.tar.gz OK.
   gawk: gawk_3.1.3.orig.tar.gz OK.
!! gcal: gcal_2.40.orig.tar.gz NOT OK (0a17026a3950847bb42206cfa03c1c98 != 6b6058fa80c2e95392ef1ca561e4800f)
!! gcc: gcc_2.95.2.orig.tar.gz NOT OK (0e36957d734286e242e9697fd2806c4f != 110f1e5b3adfefc9d7be071e91c54f6a)
   gdb: gdb_5.3.orig.tar.gz OK.
   gdbm: gdbm_1.7.3.orig.tar.gz OK.
   gdbm: gdbm_1.8.3.orig.tar.gz OK.
   gengetopt: gengetopt_2.10.orig.tar.gz OK.
   gengetopt: gengetopt_2.6.orig.tar.gz OK.
   gengetopt: gengetopt_2.9.orig.tar.gz OK.
   gettext: gettext_0.10.35.orig.tar.gz OK.
   gettext: gettext_0.10.40.orig.tar.gz OK.
   gettext: gettext_0.11.5.orig.tar.gz OK.
   gettext: gettext_0.11.orig.tar.gz OK.
   gettext: gettext_0.12.1.orig.tar.gz OK.
   gfax: gfax_0.4.2.orig.tar.gz OK.
!! gforth: gforth_0.5.0.orig.tar.gz NOT OK (db16b64e9d63934bc4455e9b2aebbe13 != 8aade0bf98bfc57d084beb3af3875c36)
   gforth: gforth_0.6.1.orig.tar.gz OK.
!! ggradebook: ggradebook_0.91.orig.tar.gz NOT OK (bd973100fd811ed0a16cf677719988bc != 09415fe8979b2a197bd6e3e658227f36)
!! ghostview: ghostview_1.5.orig.tar.gz NOT OK (4f5c1bced73fe14b03109cfa7aacfd90 != 0eeff3efbc0d0d0926037b1097087a3b)
   git: git_4.3.20.orig.tar.gz OK.
!! glibc: glibc_2.1.3.orig.tar.gz NOT OK (886afcbcfb2883c09c3cbfe0b2cb1f22 != aea1bb5c28f793013153d1b8f91eb746)
!! glibc: glibc_2.2.5.orig.tar.gz NOT OK (e4c3eb8343b5df346ceaaec23459f1dc != bf5653fdff22ee350bd7d48047cffab9)
!! glibc: glibc_2.3.1.orig.tar.gz NOT OK (e8e7ffcb86f921c5b597008bf6f891bd != 61944a5735e71601c82287142bb591db)
!! glibc: glibc_2.3.2.orig.tar.gz NOT OK (2d72df1e1dd599dbdf3835b7c2951860 != 1f1e1e3a343d9b748b62c365c1701d7c)
!! global: global_4.1.1.orig.tar.gz NOT OK (fde135b399f043740ca3f4b092c13bc7 != eee76a32c58a20941409db72f41fcd44)
!! global: global_4.5.orig.tar.gz NOT OK (cd729b2798c8b2905a8c7b4913ba1ec5 != 1b9cd26678335b1e6288fc9d65903d14)
   glpk: glpk_3.0.6.orig.tar.gz OK.
   glpk: glpk_4.0.orig.tar.gz OK.
   gmp: gmp_4.1.2.orig.tar.gz OK.
   gnucap: gnucap_0.30.orig.tar.gz OK.
   gnuchess: gnuchess_5.04.orig.tar.gz OK.
   gnuchess: gnuchess_5.06.orig.tar.gz OK.
   gnugo: gnugo_3.2.orig.tar.gz OK.
   gnushogi: gnushogi_1.3.orig.tar.gz OK.
   gperf: gperf_2.7.2.orig.tar.gz OK.
   gperf: gperf_3.0.1.orig.tar.gz OK.
   gperf: gperf_3.0.orig.tar.gz OK.
   greg: greg_1.4.orig.tar.gz OK.
   grep: grep_2.4.2.orig.tar.gz OK.
   groff: groff_1.17.2.orig.tar.gz OK.
   gsl: gsl_1.1.1.orig.tar.gz OK.
   gsl: gsl_1.2.orig.tar.gz OK.
   gsl: gsl_1.3.orig.tar.gz OK.
   gtkeyboard: gtkeyboard_1.1.7.orig.tar.gz OK.
   gtypist: gtypist_2.5.orig.tar.gz OK.
   gtypist: gtypist_2.6.orig.tar.gz OK.
   guile-www: guile-www_1.0.1.orig.tar.gz OK.
!! gzip: gzip_1.2.4.orig.tar.gz NOT OK (618b61219aa2d812893281bf6c66f158 != b94b3e07797e0cbf3622bb2fe5682f0b)
!! gzip: gzip_1.2.4.orig.tar.gz NOT OK (618b61219aa2d812893281bf6c66f158 != b94b3e07797e0cbf3622bb2fe5682f0b)
!! gzip: gzip_1.2.4.orig.tar.gz NOT OK (e6825c15e3465fb9fe457c83e42ca0e2 != b94b3e07797e0cbf3622bb2fe5682f0b)
!! hello: hello_1.3.orig.tar.gz NOT OK (eac5f06ee82b09808ddb3d72c795e765 != be75cfb3287cda4e91e45327428c8ca1)
!! hello: hello_1.3.orig.tar.gz NOT OK (eac5f06ee82b09808ddb3d72c795e765 != be75cfb3287cda4e91e45327428c8ca1)
   hello: hello_2.1.1.orig.tar.gz OK.
   help2man: help2man_1.27.orig.tar.gz OK.
   hp2xx: hp2xx_3.4.2.orig.tar.gz OK.
   hp2xx: hp2xx_3.4.4.orig.tar.gz OK.
   httptunnel: httptunnel_3.3.orig.tar.gz OK.
   indent: indent_2.2.7.orig.tar.gz OK.
   indent: indent_2.2.8.orig.tar.gz OK.
   indent: indent_2.2.9.orig.tar.gz OK.
!! intlfonts: intlfonts_1.2.orig.tar.gz NOT OK (1d1907a862b8d70d97523e75837c7aa2 != 678ab7afcfb12bb6f7530dbeed969593)
!! ispell: ispell_3.1.20.orig.tar.gz NOT OK (92986f940548fe4116428d21b16fd356 != 223d0b7333a3b41c5bbc9a39ef962302)
   less: less_381.orig.tar.gz OK.
   libsigsegv: libsigsegv_2.0.orig.tar.gz OK.
   libtool: libtool_1.4.2.orig.tar.gz OK.
   lilypond: lilypond_1.4.12.orig.tar.gz OK.
   m4: m4_1.4.orig.tar.gz OK.
   m4: m4_1.4.orig.tar.gz OK.
   mailman: mailman_1.1.orig.tar.gz OK.
   make: make_3.79.1.orig.tar.gz OK.
   make: make_3.80.orig.tar.gz OK.
!! mc: mc_4.5.55.orig.tar.gz NOT OK (bb670d48589f26f00b7fce8d25f66bd6 != 82772e729bb2ecfe486a6c219ebab09f)
   mdk: mdk_1.0.orig.tar.gz OK.
!! mig: mig_1.3.orig.tar.gz NOT OK (45c2b7456727d81dbd75f7152f8136fd != 64afefedc687c2b7fcdaf2b1db3486db)
   miscfiles: miscfiles_1.3.orig.tar.gz OK.
   nano: nano_1.0.6.orig.tar.gz OK.
   nano: nano_1.2.0.orig.tar.gz OK.
   ncurses: ncurses_5.0.orig.tar.gz OK.
!! oleo: oleo_1.6.orig.tar.gz NOT OK (03e525717cd65e152fc1ffa0f2808448 != c6e38639c6c89a3f54b545a7e585ee4b)
!! oleo: oleo_1.99.16.orig.tar.gz NOT OK (d59801055b8ba6c6980ed1247a603f5f != b270cd4d10f959438c14f4342b6be112)
   patch: patch_2.5.4.orig.tar.gz OK.
!! plotutils: plotutils_2.4.1.orig.tar.gz NOT OK (8da2cc2ed5a837cad0753c7843ef18ee != 47c1e589ef6f94a93145fb773507a54d)
   queue: queue_1.30.1.orig.tar.gz OK.
!! rcs: rcs_5.7.orig.tar.gz NOT OK (4c8e896f2d2446fa593c6f1601a4fb75 != 8fd09ea9654cda128f8d5c337d3b8de7)
!! rcs: rcs_5.7.orig.tar.gz NOT OK (4c8e896f2d2446fa593c6f1601a4fb75 != 8fd09ea9654cda128f8d5c337d3b8de7)
   recode: recode_3.5.orig.tar.gz OK.
   recode: recode_3.6.orig.tar.gz OK.
   regex: regex_0.12.orig.tar.gz OK.
   screen: screen_3.9.11.orig.tar.gz OK.
   screen: screen_3.9.15.orig.tar.gz OK.
   sed: sed_3.02.orig.tar.gz OK.
   sharutils: sharutils_4.2.1.orig.tar.gz OK.
   solfege: solfege_1.2.1.orig.tar.gz OK.
   solfege: solfege_1.4.6.orig.tar.gz OK.
   solfege: solfege_1.4.7.orig.tar.gz OK.
!! source-highlight: source-highlight_1.6.3.orig.tar.gz NOT OK (4d9f01fb4e167ac6c672d6e0d71e29df != b38468bb17e2f5cc76ae68ae4f43d00c)
   spacechart: spacechart_0.9.5.orig.tar.gz OK.
!! spell: spell_1.0.orig.tar.gz NOT OK (57e17cf64ca458baad606a9022794b6d != f6fd13e9da78770ca3b12aec696e18d5)
   stow: stow_1.3.3.orig.tar.gz OK.
   texinfo: texinfo_4.6.orig.tar.gz OK.
   textutils: textutils_2.0.orig.tar.gz OK.
   time: time_1.7.orig.tar.gz OK.
   time: time_1.7.orig.tar.gz OK.
!! trueprint: trueprint_5.1.orig.tar.gz NOT OK (00548575cd420d3d12843866354f2477 != 45e947155aa5d6c500561429d766d04a)
   trueprint: trueprint_5.3.orig.tar.gz OK.
   ucblogo: ucblogo_4.6.orig.tar.gz OK.
!! unrtf: unrtf_0.18.1.orig.tar.gz NOT OK (c7eb7eb30880c4fb8d089b8a486d255d != 08c58869e12d05e437567b5d3d5d0fd1)
   vera: vera_1.8.orig.tar.gz OK.
   wdiff: wdiff_0.5.orig.tar.gz OK.
   wdiff: wdiff_0.5.orig.tar.gz OK.
!! webbase: webbase_5.17.0.orig.tar.gz NOT OK (ccc7b24b1c6b325cfabd87dc91daee75 != 0a07fa3556a481f671747be3a823e10c)
   wget: wget_1.5.3.orig.tar.gz OK.
   wget: wget_1.8.1.orig.tar.gz OK.
   wget: wget_1.8.2.orig.tar.gz OK.
!! xaos: xaos_3.0.orig.tar.gz NOT OK (e0e66a873b6d5193a79bc89345992d6b != 5a63c3b696821e5d5d566ad9da308117)
   xboard: xboard_4.2.6.orig.tar.gz OK.
   xlogmaster: xlogmaster_1.6.0.orig.tar.gz OK.
   xpm2wico: xpm2wico_0.2.3.1.orig.tar.gz OK.
   zlib: zlib_1.1.3.orig.tar.gz OK.

Scott
-- 
Have you ever, ever felt like this?
Had strange things happen?  Are you going round the twist?
#!/usr/bin/perl
# Compare the GNU checksums in before-2003-08-01.md5sums (gpg signature
# already stripped) against the matching .orig.tar.gz in the Debian pool.
# Reads the md5sums file from stdin or from the file named on the command line.

use strict;
use warnings;
use Digest::MD5;

while (<>) {
	my ($file_md5, $path) = split /\s+/;
	next unless defined $path;

	# Keep only the basename, and only .tar.gz entries.
	(my $file = $path) =~ s:.*/::;
	next unless $file =~ m/\.tar\.gz$/;

	# Rewrite upstream "name-1.2.3.tar.gz" into Debian's "name_1.2.3.orig.tar.gz".
	$file =~ s/\.tar\.gz$//;
	$file =~ s/-([0-9.+]+)/_$1/;
	$file .= '.orig.tar.gz';

	# Source package name: lowercased, without the version suffix.
	my $pkg = lc $file;
	$pkg =~ s/_[0-9.+]+\.orig\.tar\.gz$//;

	# Pool directory: "libfoo" lives under libf/libfoo, anything else under f/foo.
	my $dir = $pkg;
	if ($pkg =~ /^lib[a-z]/) {
		$dir =~ s:^(lib[a-z0-9-]):$1/$1:;
	} else {
		$dir =~ s:^([a-z0-9-]):$1/$1:;
	}

	my $ftp = "/org/ftp.debian.org/ftp/pool/main/$dir/$file";
	next unless -f $ftp;	# name or version not in the pool: nothing to compare

	open my $fh, '<', $ftp or die "cannot open $ftp: $!";
	binmode $fh;
	my $ftp_md5 = Digest::MD5->new->addfile($fh)->hexdigest;
	close $fh;

	if ($ftp_md5 eq $file_md5) {
		print "   $pkg: $file OK.\n";
	} else {
		print "!! $pkg: $file NOT OK ($file_md5 != $ftp_md5)\n";
	}
}
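The same comparison as the attached script, written up here as an added example (it is not Scott's script and not anything from the Debian or GNU projects). It goes a little further than the Perl: it strips the PGP clearsign armour itself instead of relying on a prior gpg run, it reports files the list names but the pool lacks (so "not compared" is distinguishable from "verified"), and it checks each pool file once even when the GNU list repeats it. It assumes the md5sums list has the "md5  path" shape of before-2003-08-01.md5sums and that the mirror uses the pool/main/<prefix>/<source>/<source>_<version>.orig.tar.gz layout; the pool that demo() builds is constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Verify Debian .orig.tar.gz files against GNU's published md5sums list.

Added example, not the Perl script from the post.  Assumes the "md5  path"
list format (optionally still PGP clearsigned) and the Debian pool layout;
the pool that demo() builds is constructed for the demonstration.
"""
import hashlib
import os
import re
import tempfile

# upstream "name-1.2.3.tar.gz"; Debian stores it as "name_1.2.3.orig.tar.gz"
VERSIONED = re.compile(r"^(?P<name>.+?)-(?P<ver>[0-9][0-9.+]*)\.tar\.gz$")

def strip_clearsign(text):
    """Return the payload lines of a PGP clearsigned file (plain text passes through)."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return lines
    payload, in_body = [], False
    for line in lines[1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break                                # nothing after this is an entry
        if not in_body:
            in_body = line == ""                 # "Hash:" headers end at a blank line
            continue
        payload.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return payload

def parse_md5sums(lines):
    """Yield (md5, tarball basename) for every .tar.gz entry; ignore other lines."""
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or not re.fullmatch(r"[0-9a-f]{32}", parts[0]):
            continue
        name = parts[1].rsplit("/", 1)[-1]
        if name.endswith(".tar.gz"):
            yield parts[0], name

def pool_path(pool, tarball):
    """Expected pool path of the .orig.tar.gz, or None if the name has no version.
    "libfoo" sources sit under libf/, all others under their first letter."""
    m = VERSIONED.match(tarball)
    if not m:
        return None
    pkg = m.group("name").lower()
    prefix = pkg[:4] if pkg.startswith("lib") and len(pkg) > 3 else pkg[0]
    return os.path.join(pool, "main", prefix, pkg, f"{pkg}_{m.group('ver')}.orig.tar.gz")

def md5_of(path):
    """MD5 of a file's contents, the digest the GNU list was published with."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def check_pool(pool, md5sums_text):
    """Compare each listed tarball found in the pool with GNU's checksum.
    Files the list names but the pool lacks are reported as "absent", because
    "not compared" is a different statement from "verified"."""
    report = {"ok": [], "mismatch": [], "absent": []}
    seen = set()
    for gnu_md5, tarball in parse_md5sums(strip_clearsign(md5sums_text)):
        path = pool_path(pool, tarball)
        if path is None or path in seen:         # the list repeats some files; check once
            continue
        seen.add(path)
        if not os.path.isfile(path):
            report["absent"].append(tarball)
            continue
        local_md5 = md5_of(path)
        bucket = "ok" if local_md5 == gnu_md5 else "mismatch"
        report[bucket].append((tarball, gnu_md5, local_md5))
    return report

def demo():
    """Check a constructed pool holding one intact, one altered and one missing tarball."""
    intact, altered = b"constructed tarball bytes", b"constructed, altered bytes"
    gnu = hashlib.md5(intact).hexdigest()
    md5sums = "\n".join([                        # constructed, clearsign-shaped list
        "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA1", "",
        f"{gnu}  gnu/hello/hello-2.1.1.tar.gz",
        f"{gnu}  gnu/gzip/gzip-1.2.4.tar.gz",
        f"{gnu}  gnu/libsigsegv/libsigsegv-2.0.tar.gz",
        f"{gnu}  gnu/emacs/emacs.tar.gz",        # unversioned: cannot be mapped
        "-----BEGIN PGP SIGNATURE-----", "(signature omitted)", "-----END PGP SIGNATURE-----",
    ])
    with tempfile.TemporaryDirectory() as pool:
        for tarball, data in (("hello-2.1.1.tar.gz", intact), ("gzip-1.2.4.tar.gz", altered)):
            path = pool_path(pool, tarball)
            os.makedirs(os.path.dirname(path))
            with open(path, "wb") as f:
                f.write(data)
        return check_pool(pool, md5sums)

if __name__ == "__main__":
    for bucket, entries in demo().items():
        print(bucket, entries)
```

Stripping the armour here does not replace checking the signature: the list is only worth comparing against once gpg has verified it, which is why the post ran it through gpg first. A mismatch means exactly what the post says, that the Debian copy is not byte-identical to the upstream tarball, and each one still needs to be explained by hand (repacking, a different release, or something worse).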
