[ale] ! Openssh package trojaned...
John Wells
jb at sourceillustrated.com
Thu Aug 1 11:32:45 EDT 2002
This brings to mind a question I've had for awhile now.
Many sites provide md5 files in addition to a tarball so you can run
md5sum on the tarball and compare the hash. What prevents some hax0r from
posting a fake md5 file when they compromise a tarball, so the sums will
match?
>From what little I know about FreeBSD, it seems that ports allowed this
bogus package to be spotted. I assume this would not be the case on
linux. So what good is an md5 file anyway? I'm probably missing
something here...
Thanks,
John
Jonathan Rickman said:
> On 1 Aug 2002, cfowler wrote:
>
>> Do we need to do anything to our current installs of this ver?
>
> Follow-up to my earlier post.
>
> MD5 checksum of trojaned package - 3ac9bc346d736b4a51d676faa2a08a57
>
> MD5 checksum on the package I used to build mine
>
> jonathan at abacus:~$ md5sum tmp/openssh-3.4p1.tar.gz
>
> 459c1d0262e939d6432f193c7a4ba8a8 tmp/openssh-3.4p1.tar.gz
>
> jonathan at abacus:~$
>
> If you want more piece of mind, extract the tarball and check
> ./openssh-3.4p1/openbsd-compat/Makefile.in for this:
>
> all: libopenbsd-compat.a
> + @ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh
> ./bf-test.out &
>
> If it's there, and you have a different MD5 checksum than the one posted
> above...please let the rest of us know.
>
> --
> Jonathan Rickman
> X Corps Security
> http://www.xcorps.net
>
>
>
>
>
> ---
> This message has been sent through the ALE general discussion list. See
> http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
More information about the Ale
mailing list