FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousands systems were infected (was Re: Summary from last weeks FESCo meeting)

Thorsten Leemhuis fedora at leemhuis.info
Thu Jun 1 15:43:11 UTC 2006 

Am Donnerstag, den 01.06.2006, 11:36 -0400 schrieb seth vidal:
> On Thu, 2006-06-01 at 17:30 +0200, Thorsten Leemhuis wrote:
> > Am Donnerstag, den 01.06.2006, 11:09 -0400 schrieb seth vidal:
> > > On Thu, 2006-06-01 at 17:00 +0200, Thorsten Leemhuis wrote:
> > > > The biggest problem probably is: There are plans to switch away from CVS
> > > > to something else after FC6 (no, that's all I know). So investing to
> > > > much time in the current system probably is not worth the trouble.
> > > > 
> > > > I would sleep already a lot better if at least the issue with "hit CTRL
> > > > +C at the right moment and no commit mail with the changes will be send"
> > > > would be fixed. But I don't know CVS enough and would be really glad if
> > > > someone could look into that. 
> > > > 
> > > > I would even sleep really good if there would be a mechanism that checks
> > > > md5sum's against upstream packages. But that's quite complicated to
> > > > implement and might be to much overhead.
> > > > 
> > > Actually, is it all that complicated?
> > > 
> > > for each package in cvs:
> > >  1. download the spec file
> > >  2. download the tarball that's been uploaded
> > >  3. download link in Source0 or Source
> > >  4. compare checksum to tarball's checksum
> > >  5. keep track of url to Source0 or Source and emit a notice whenever it
> > > changes
> > > wouldn't that really be all there is to it?.
> > Who says that the link to Source0 or Source is correct and not faked,
> > too? We would have to manage a whitelist for the script.

> Which is why it emits a notice about changes to that value.

Well, yeah, a external script that looks out for changes in that value
and checks the checksum could do the trick for 99% of the packages -- 1%
are still problematic because we have some modified tarballs where for
example mp3 support was removed (but that another problem and shouldn't
happen that often).

CU
thl
-- 
Thorsten Leemhuis <fedora at leemhuis.info>

More information about the fedora-extras-list mailing list