[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: The possibility of malicious code in the Debian unstable libtool-1.5 package

On Tue, 2003-08-26 at 16:23, Alan W. Irwin wrote:

> As I am sure most of you on this list are aware, GNU recently discovered
> that their ftp file server was owned for many months by a cracker.
Indeed, I was the one who did a bulk-check of the easy MD5 sums and
posted it to the list :-)

> libtool-1.5.tar.gz is one of those tarballs that has not yet been given a
> clean bill of health by GNU (see http://ftp.gnu.org/gnu/libtool/).
> Nevertheless, it has been packaged for debian unstable. 

The Debian package is actually Libtool 1.5.0a and is taken from their
CVS repository, which wasn't compromised.

The _orig.tar.gz *is* the potentially compromised one from the FTP site,
however any compromise would be reverted back to the uncompromised CVS
version by the .diff.gz[0]

That aside, I've compared libtool-1.5.tar.gz to a checkout of the GNU
CVS tree for that release, and there's no differences...  as well as
obviously manually reading the 1.5 -> 1.5.0a diff before applying it.

Unless cvs.gnu.org was also compromised by someone insane enough to
rewrite RCS files by hand to hide the modification, libtool in unstable
is safe :-)


[0] which also accidentally contains some .svn trees, oops! :)
Have you ever, ever felt like this?
Had strange things happen?  Are you going round the twist?

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: