Re: The possibility of malicious code in the Debian unstable libtool-1.5 package

To: debian-security@lists.debian.org
Subject: Re: The possibility of malicious code in the Debian unstable libtool-1.5 package
From: "Noah L. Meyerhans" <noahm@debian.org>
Date: Tue, 26 Aug 2003 11:54:09 -0400
Message-id: <[🔎] 20030826155409.GW1904@morgul.net>
Mail-followup-to: "Noah L. Meyerhans" <noahm@debian.org>, debian-security@lists.debian.org
In-reply-to: <[🔎] Pine.LNX.4.44.0308260740160.13508-100000@starling.mylan.home>
References: <[🔎] Pine.LNX.4.44.0308260740160.13508-100000@starling.mylan.home>

On Tue, Aug 26, 2003 at 08:23:44AM -0700, Alan W. Irwin wrote:
> Thus, wouldn't it be the right thing to do to withdraw the Debian unstable
> libtool-1.5 package until GNU has a chance to check the tarball? (And of
> course after the checked version is available, the tarball used to create
> the current package should be checked against it to make sure nothing
> malicious got propagated while the libtool-1.5 package was available).

Would it not be the right thing to simply run diff between the source in
testing (assuming that predates the crack) and the one in unstable and
look for suspicious code?  It doesn't take somebody operating in an
official GNU capacity to confirm that there's no malicious code there.

noah

Attachment: pgpIbS4Xs9Fb6.pgp
Description: PGP signature

Reply to:

References:
- The possibility of malicious code in the Debian unstable libtool-1.5 package
  - From: "Alan W. Irwin" <irwin@beluga.phys.uvic.ca>

Prev by Date: The possibility of malicious code in the Debian unstable libtool-1.5 package
Next by Date: Re: The possibility of malicious code in the Debian unstable libtool-1.5 package
Previous by thread: The possibility of malicious code in the Debian unstable libtool-1.5 package
Next by thread: Re: The possibility of malicious code in the Debian unstable libtool-1.5 package
Index(es):
- Date
- Thread