[conspire] conspire Digest, Vol 97, Issue 13

Rick Moen rick at linuxmafia.com
Sat Jul 16 15:37:53 PDT 2011


Quoting jose tav (j_tav at yahoo.com):

> Hi Rick, yep I hear you, I will look into it, as you know vsftpd is
> now hosted on Google App Engine, because of same security issues with
> the package.

The security issues were not with the package.

Let me excerpt from http://linuxmafia.com/~rick/faq/index.php?page=virus,
where I summarise the trojaning incident:

  On June 30, 2011, release versions of vsftpd version 2.3.4 on
  vsftpd.beasts.org was (somehow -- not yet clear) replaced 
  (http://lwn.net/Articles/450181/) by a trojaned version containing 
  a remote-login backdoor. As before, the substitution was caught 
  by a user noticing the tarball's md5 and sha1 checksums no
  longer validate against the developer's signature, after the trojaned
  version had been available for 3 days. (The developer immediately moved
  to new hosting, so we may never learn how the trojaning occurred.)

When I say 'as before', I mean that this incident was nearly identical
to the prior trojaning of a sendmail 8.12.6 source tarball on
ftp.sendmail.org for eight days in 2002, the trojaning of OpenSSH
3.2.2p1, 3.4p1, and 3.4 source tarballs for a day that same year, 
the trojaning of a tcp_wrappers_7.6.tar.gz source tarball on
ftp.openbsd.org for a few hours in 1999, and the trojaning of a
util-linux 2.9g source tarball for a few hours the next day.  In each
case, the upstream development ftp server had been site-compromised 
in some fashion and intruders had substituted fake source tarballs for
the real ones.  In each case, the faked tarballs were either
unexpectedly unsigned or their PGP signatures failed to validate; thus 
the scam was caught by downloaders who check developer signing of code.

None of those cases fooled distro package maintainers, who _do_ check
code signatures.  Therefore, the fakes didn't make it to any Linux (or
other) distributions.

That, by the way, is among the many reasons why I advise people to
favour distro packages absent an extremely compelling reason, and avoid
going 'upstream'.
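As an added illustration (not part of Rick's post or the vsftpd project's own code), here is the kind of check that caught each substitution above: comparing a downloaded tarball against the developer's published checksums. The tarball bytes, filename and checksum manifest are constructed for the example, and the manifest is assumed to have already been verified against the developer's PGP key obtained out of band; a checksum fetched from the same compromised server proves nothing on its own.

```python
"""Verify a source tarball against the developer's signed checksum manifest.
Sample tarballs and the manifest below are constructed for this example."""
import hashlib
import hmac
import re

# Manifest lines in the BSD-style "ALGO (file) = hexdigest" form.
MANIFEST_LINE = re.compile(r"^(MD5|SHA1|SHA256) \((.+)\) = ([0-9a-f]+)$")


def parse_manifest(text):
    """Return {filename: {algorithm: hexdigest}} parsed from a manifest."""
    expected = {}
    for line in text.splitlines():
        m = MANIFEST_LINE.match(line.strip())
        if m:
            algo, name, digest = m.groups()
            expected.setdefault(name, {})[algo.lower()] = digest
    return expected


def verify_tarball(name, data, expected):
    """Check every published digest for `name`.

    Returns (ok, failed): `failed` lists the algorithms that did not match.
    A file with no published digest is treated as a failure, because an
    unexpectedly unsigned tarball is itself the warning sign the text
    describes.
    """
    digests = expected.get(name)
    if not digests:
        return False, ["no published checksum"]
    failed = []
    for algo, want in digests.items():
        got = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(got, want):
            failed.append(algo)
    return not failed, failed


# Constructed sample: the "genuine" tarball and a tampered copy with extra
# bytes appended, standing in for a backdoored substitute.
GENUINE = b"example-source-tarball-contents\n"
TAMPERED = GENUINE + b"# extra bytes standing in for injected code\n"
MANIFEST = "\n".join([
    f"MD5 (example-2.3.4.tar.gz) = {hashlib.md5(GENUINE).hexdigest()}",
    f"SHA1 (example-2.3.4.tar.gz) = {hashlib.sha1(GENUINE).hexdigest()}",
])

if __name__ == "__main__":
    exp = parse_manifest(MANIFEST)
    print(verify_tarball("example-2.3.4.tar.gz", GENUINE, exp))   # (True, [])
    print(verify_tarball("example-2.3.4.tar.gz", TAMPERED, exp))  # (False, ['md5', 'sha1'])
```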
