The possibility of malicious code in the Debian unstable libtool-1.5 package

To: debian-security@lists.debian.org
Cc: scott@netsplit.com
Subject: The possibility of malicious code in the Debian unstable libtool-1.5 package
From: "Alan W. Irwin" <irwin@beluga.phys.uvic.ca>
Date: Tue, 26 Aug 2003 08:23:44 -0700 (PDT)
Message-id: <[🔎] Pine.LNX.4.44.0308260740160.13508-100000@starling.mylan.home>

As I am sure most of you on this list are aware, GNU recently discovered
that their ftp file server was owned for many months by a cracker.  They
rightly withdrew all their many source tarballs to check for malicious code.
The old tarballs were quickly reinstated (presumably because they had
backups from prior to when the cracker owned them) and also found to be free
of malicious code.  There are still some 500 of these newer tarballs for GNU
to check and apparently they are doing it at a rate of 10-15 per day.

libtool-1.5.tar.gz is one of those tarballs that has not yet been given a
clean bill of health by GNU (see http://ftp.gnu.org/gnu/libtool/).
Nevertheless, it has been packaged for debian unstable.  There is some room
for optimism that the tarball used to create that package does not have
malicious code in it (since the older tarballs that have been checked do
seem to be clean), but the cracker did have full control when that tarball
was created and for many months afterward, and the downside (many Debian
packages compromised that are built with libtool-1.5) could be severe indeed.

Thus, wouldn't it be the right thing to do to withdraw the Debian unstable
libtool-1.5 package until GNU has a chance to check the tarball? (And of
course after the checked version is available, the tarball used to create
the current package should be checked against it to make sure nothing
malicious got propagated while the libtool-1.5 package was available).

Note, I run debian stable myself, and I only happened to notice this
possible libtool-1.5 security problem for Debian unstable by chance.  Since
there doesn't seem to be any discussion of this issue on this list (and no
libtool bug reports about this issue) I thought I had better bring it up
for discussion.

Alan W. Irwin
__________________________
Alan W. Irwin
email: irwin@beluga.phys.uvic.ca
phone: 250-727-2902

Astronomical research affiliation with Department of Physics and Astronomy,
University of Victoria (astrowww.phys.uvic.ca).

Programming affiliations with the PLplot scientific plotting software
package (plplot.org), the Yorick front-end to PLplot (yplot.sf.net), the
Loads of Linux Links project (loll.sf.net), and the Linux Brochure Project
(lbproject.sf.net).
__________________________

Linux-powered Science
__________________________

Reply to:

Follow-Ups:
- Re: The possibility of malicious code in the Debian unstable libtool-1.5 package
  - From: "Noah L. Meyerhans" <noahm@debian.org>
- Re: The possibility of malicious code in the Debian unstable libtool-1.5 package
  - From: Scott James Remnant <scott@netsplit.com>

Prev by Date: [no subject]
Next by Date: Re: The possibility of malicious code in the Debian unstable libtool-1.5 package
Previous by thread: [no subject]
Next by thread: Re: The possibility of malicious code in the Debian unstable libtool-1.5 package
Index(es):
- Date
- Thread