Re: The possibility of malicious code in the Debian unstable libtool-1.5 package
On 26 Aug 2003, Scott James Remnant wrote:
> The Debian package is actually Libtool 1.5.0a and is taken from their
> CVS repository, which wasn't compromised.
> The _orig.tar.gz *is* the potentially compromised one from the FTP site,
> however any compromise would be reverted back to the uncompromised CVS
> version by the .diff.gz
> That aside, I've compared libtool-1.5.tar.gz to a checkout of the GNU
> CVS tree for that release, and there are no differences... as well as
> obviously manually reading the 1.5 -> 1.5.0a diff before applying it.
> Unless cvs.gnu.org was also compromised by someone insane enough to
> rewrite RCS files by hand to hide the modification, libtool in unstable
> is safe :-)
I agree it takes extreme care to leave no tracks behind, so it is fairly
improbable that the CVS server was compromised. And even if an undetected
crack of that server occurred, I agree it would take some effort to rewrite
RCS files (although temporarily putting in a maliciously modified CVS server
could do it). Thus, I agree with your judgement that restoring from CVS is
safe to a fairly large degree. However, GNU have apparently decided not to
restore from CVS, since otherwise they should be able to proceed at a much
faster rate than 10-15 restorations per day. Shouldn't Debian follow their
lead and be ultra-cautious also (especially with libtool, since the downside
is so severe if that app is compromised)?
Alan W. Irwin
Astronomical research affiliation with Department of Physics and Astronomy,
University of Victoria (astrowww.phys.uvic.ca).
Programming affiliations with the PLplot scientific plotting software
package (plplot.org), the Yorick front-end to PLplot (yplot.sf.net), the
Loads of Linux Links project (loll.sf.net), and the Linux Brochure Project
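The check Scott describes in the quoted message (unpack the release tarball, diff it against a checkout you trust, and only then read the version-to-version diff by hand) scripted so it can be run over a real upstream tarball. This is an added example and not code from the thread, from Debian or from GNU. The function names compare_trees, check_tarball and make_demo are chosen here; the reference tree, its file contents and the planted change are constructed for the demonstration, with the reference directory standing in for a CVS checkout.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian/GNU. Verify a release
# tarball against a reference tree you trust (a CVS checkout in the thread).
# Everything under make_demo is constructed for the demonstration.

set -u

# compare_trees REF SUSPECT
# Recursive, content-level comparison. Every path that differs, or exists on
# only one side, is printed; returns 0 only when the trees are identical.
# -N treats a file absent on one side as empty, so an added or removed file
# is reported as a difference instead of being skipped.
compare_trees() {
    diff -rqN "$1" "$2"
}

# check_tarball REF TARBALL
# Unpack TARBALL into a scratch directory and compare the single
# "package-version/" directory it contains against REF.
# Returns 0 (identical), 1 (differs) or 2 (could not unpack / odd layout).
check_tarball() {
    ref=$1; tarball=$2
    scratch=$(mktemp -d) || return 2
    if ! tar -xzf "$tarball" -C "$scratch"; then
        rm -rf "$scratch"
        return 2
    fi
    # A release tarball should unpack to exactly one top-level directory.
    set -- "$scratch"/*
    if [ $# -ne 1 ] || [ ! -d "$1" ]; then
        rm -rf "$scratch"
        return 2
    fi
    compare_trees "$ref" "$1"
    status=$?
    rm -rf "$scratch"
    return "$status"
}

# make_demo
# Build a constructed reference tree plus two tarballs: one packed straight
# from that tree and one with a single line appended to configure (the
# planted change). Prints the scratch directory that holds all three.
make_demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/checkout/m4"
    printf '#! /bin/sh\n# constructed configure stub\necho configuring\n' \
        > "$work/checkout/configure"
    printf 'all:\n\t@echo build\n' > "$work/checkout/Makefile.in"
    printf 'dnl constructed macro file\n' > "$work/checkout/m4/libtool.m4"

    # Clean tarball: the reference tree under the usual top-level directory.
    cp -R "$work/checkout" "$work/libtool-1.5"
    (cd "$work" && tar -czf clean.tar.gz libtool-1.5)

    # Tampered tarball: the same tree with one extra line in configure.
    printf '# planted change for the demonstration\n' >> "$work/libtool-1.5/configure"
    (cd "$work" && tar -czf tampered.tar.gz libtool-1.5)
    rm -rf "$work/libtool-1.5"
    echo "$work"
}

# Stand-alone run: build the demo trees and check both tarballs.
work=$(make_demo)
if check_tarball "$work/checkout" "$work/clean.tar.gz"; then
    echo "clean.tar.gz: matches reference tree"
fi
if ! check_tarball "$work/checkout" "$work/tampered.tar.gz"; then
    echo "tampered.tar.gz: DIFFERS from reference tree"
fi
rm -rf "$work"
```

Against a real release you would pass the unpacked checkout as REF and the downloaded .tar.gz as TARBALL, then read the version-to-version diff separately, as the quoted message says was done. The script only establishes that the tarball matches the reference; whether the reference itself can be trusted is exactly the question the reply above raises, and no comparison answers it.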