OpenSSH Trojan

Bryan Breen Bryan.C.Breen.1 at gsfc.nasa.gov
Thu Aug 1 19:48:07 PDT 2002


There's something to be said for waiting to see the bugs hammered out of a
program before using it, however...

This OpenSSH Trojan is a different case than there being a bug in the
source code. What happened here was a specific mirror site (a rather
heavily used one) was tainted when their tar-ball of the source code was
changed (when the Trojan was inserted).

There's nothing wrong with the 3.4p1 code, as long as you have an
uninfected source tree/tar-ball.

I keep all my source files (in their original tar'd and gzip/bzip2 format)
just for ease of rebuilding (I'm too damn impatient to wait for a download
even over my cable connection!). I checked my OpenSSH-3.4p1.tar.gz md5sum
and it verified that the copy that I had from June 26th was clean.

So in *this* case, it was actually better that I had gotten the code early
on, instead of waiting.

Perhaps the real lesson is to double check those md5sums or validate them
against a signing key. And in particular, use values that are not coming
from the same server that you are obtaining the source from (and hopefully
not a server that is just an identical mirror).

- B




At 00:32 8/2/02 +0200, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>> I think the REAL lesson to be learned here is that you should always
>> wait a good week or two before installing updates. That way somebody
>> else finds the problems, and you don't have to worry about them.
>> Mwuahahahhahahah! ;)
>
>Remember, when openssh-3.4p1 was released? I think it is *some more* than
>a week ago. ;-)
>- -- 
>- ----------------------------------------------------------------------
>%> ln -s /dev/null /dev/brain
>%> ln -s /dev/urandom /dev/world
>%> dd if=/dev/world of=/dev/brain
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.7 (GNU/Linux)
>
>iD8DBQE9SbcK9NbB8EM160MRAmBSAJ9ZgOFKDPFtIRZZWZds0D9k2d/CBwCgqs9x
>0TYi/JCw3rjrNIO89DkZh7o=
>=R+T+
>-----END PGP SIGNATURE-----
>
>-- 
>Unsubscribe: send email to listar at linuxfromscratch.org
>and put 'unsubscribe lfs-security' in the subject header of the message
>
>
-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-security' in the subject header of the message
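Added example (not part of the thread or of the OpenSSH project): a small POSIX shell helper that does what the message above recommends, checking a downloaded tarball against a digest obtained out-of-band and, separately, against a detached PGP signature. The file contents and digest values in the demo are constructed (the string "hello" plus newline); `verify_signature` assumes a detached `.asc` file and a signing key already imported from a trusted source rather than from the mirror.

```shell
#!/bin/sh
# Verify a downloaded source tarball against checksums obtained out-of-band
# (announcement mail, project page), not from the mirror that served the file.
# Added example for illustration; not code from the thread or from OpenSSH.

# Print the MD5 digest of a file; falls back to openssl where md5sum is absent.
digest_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Print the SHA-256 digest of a file (stronger than MD5; offered alongside it).
digest_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_digest FILE ALGO EXPECTED
# Exit status 0 on match, 1 on mismatch, 2 on unreadable file or bad algorithm.
# Comparison is case-insensitive so hand-copied hex in either case works.
verify_digest() {
    file=$1; algo=$2; expected=$3
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    case $algo in
        md5)    actual=$(digest_md5 "$file") ;;
        sha256) actual=$(digest_sha256 "$file") ;;
        *)      echo "unknown algorithm: $algo" >&2; return 2 ;;
    esac
    actual=$(printf '%s' "$actual" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "$file: $algo OK"
        return 0
    fi
    echo "$file: $algo MISMATCH (got $actual, expected $expected)" >&2
    return 1
}

# verify_signature TARBALL SIGFILE
# Checks a detached PGP signature (e.g. openssh-3.4p1.tar.gz.asc) with gpg.
# Assumes the signing key was imported from a trusted source beforehand;
# a key fetched from the same mirror proves nothing.
verify_signature() {
    gpg --batch --verify "$2" "$1"
}

# Constructed demonstration: a stand-in "tarball" whose MD5 is known, then a
# tampered copy that must fail the check (as a trojaned mirror copy would).
demo() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    verify_digest "$tmp" md5 b1946ac92492d2347c6235b4d2611184
    ok=$?
    printf 'hello!\n' > "$tmp"
    if verify_digest "$tmp" md5 b1946ac92492d2347c6235b4d2611184; then
        ok=1    # tampered file wrongly passed
    fi
    rm -f "$tmp"
    return $ok
}

# Run the demo only when asked, so the functions can be sourced by other scripts.
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Usage: `sh verify_tarball.sh demo` runs the constructed check; in practice call `verify_digest openssh-3.4p1.tar.gz md5 <digest from the announcement>` with a digest copied from somewhere other than the download mirror, and `verify_signature openssh-3.4p1.tar.gz openssh-3.4p1.tar.gz.asc` where a signature is published.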
