-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have thought long and hard how to help the Gentoo project
to cease exposing its users' systems to the Internet with a
remotely exploitable Portage vulnerability, and I have
reached a conclusion.
I will publish step-by-step instructions which explain in
great detail how to ...
(1) set up a fake sync mirror,
(2) set up a transparent proxy for rsyncd connections that
are routed through your machine,
(3) configure your BIND daemon to pretend it had
authoritative information for the gentoo.org zone that
refers to your mirror rather than the real one, and
(4) what to patch in /usr/portage/eclass/eutils.eclass to
install appropriate exploit code on the user's machine
once emerge is used for the next time.
Furthermore, I'll kindly refer to the entries in
bugs.gentoo.org that show this vulnerability has been known
and ignored for over 15 months.
At 2004-11-11 00:00:00 CET this article hits a rather
popular public full-disclosure mailing list.
Since most of you seem to believe that the bug is really
not that serious, I am certain this will worry you not in
the least.
Peter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
-----END PGP SIGNATURE-----
--
gentoo-security@gentoo.org mailing list