Hello all, just stumbled upon http://tinyurl.com/28ktynh and wondered if the Unrealircd package in Community repo is compromised?
Offline
ATM, does not look like it. Older versions, yes, quite likely.
Last edited by fsckd (2010-06-14 16:43:38)
aur S & M :: forum rules :: Community Ethos
Resources for Women, POC, LGBT*, and allies
Offline
> ATM, does not look like it. Older versions, yes, quite likely.
But doesn't it mean that at some point the package contained malware which of course was replaced with untainted packages since then..
Offline
Yes, that's pretty much what I said. If you look at the original forum article, it gives two md5sums:
Backdoored version (BAD) is: 752e46f2d873c1679fa99de3f52a274d
Official version (GOOD) is: 7b741e94e867c0a7370553fd01506c66
Then, look in the PKGBUILD for the current version and you'll see the good md5sum. Look in the PKGBUILD for the previous version and you'll see the bad md5sum. It is probably advised to upgrade ASAP.
Offline
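The check described in the post above, as an added example that is not part of the thread: a POSIX shell function that reads the md5sums array out of a PKGBUILD as text and compares it with the two hashes quoted there. The function names and the sample PKGBUILD contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: classify a PKGBUILD by the md5sums it pins.
# The file is parsed as text and never sourced, since sourcing a PKGBUILD runs it.

BAD_MD5="752e46f2d873c1679fa99de3f52a274d"   # backdoored tarball, as quoted in the thread
GOOD_MD5="7b741e94e867c0a7370553fd01506c66"  # official tarball, as quoted in the thread

# Print each 32-hex-digit entry of the md5sums=( ... ) array, one per line.
# Handles single-line and multi-line arrays, either quote style, any hex case.
pkgbuild_md5sums() {
    awk '/^[ \t]*md5sums=\(/ { in_arr = 1 }
         in_arr              { print }
         in_arr && /\)/      { in_arr = 0 }' "$1" |
        tr -s "'\"()= \t" '\n' | tr 'A-F' 'a-f' | grep -xE '[0-9a-f]{32}'
}

# Echo BAD if any pinned hash is the backdoored one (BAD always wins),
# GOOD if the official hash is pinned, UNKNOWN otherwise.
classify_pkgbuild() {
    sums=$(pkgbuild_md5sums "$1") || sums=""
    verdict=UNKNOWN
    for s in $sums; do
        case "$s" in
            "$BAD_MD5")  echo BAD; return 0 ;;
            "$GOOD_MD5") verdict=GOOD ;;
        esac
    done
    echo "$verdict"
}

# Constructed sample PKGBUILDs (hypothetical contents; only the two hashes are from the thread).
demo_dir=$(mktemp -d)
cat > "$demo_dir/PKGBUILD.old" <<EOF
pkgname=unrealircd
source=(Unreal.tar.gz unrealircd.rc)
md5sums=('$BAD_MD5'
         '00000000000000000000000000000000')
EOF
cat > "$demo_dir/PKGBUILD.new" <<EOF
pkgname=unrealircd
md5sums=("$GOOD_MD5")
EOF

for f in "$demo_dir"/PKGBUILD.*; do
    printf '%s: %s\n' "${f##*/}" "$(classify_pkgbuild "$f")"
done
```

A GOOD verdict only says which hash the PKGBUILD pins; an already installed package still has to be traced back to the PKGBUILD revision it was built from.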
> Yes, that's pretty much what I said. If you look at the original forum article, it gives two md5sums:
> Backdoored version (BAD) is: 752e46f2d873c1679fa99de3f52a274d
> Official version (GOOD) is: 7b741e94e867c0a7370553fd01506c66
> Then, look in the PKGBUILD for the current version and you'll see the good md5sum. Look in the PKGBUILD for the previous version and you'll see the bad md5sum. It is probably advised to upgrade ASAP.
Interesting. Thanks.
Offline
Has one of you guys reported this to the powers that be?
Offline
a thread just went by on arch-general (and aur-general) MLs.
edit:
the unrealircd version in community (3.2.8.1-2) has been flagged as
containing a backdoor which allows an attacker to execute commands with
the privileges of the user running the daemon.
The md5sum in the PKGBUILD (abs) matches the known-bad md5sum from this
announcement:
http://sourceforge.net/mailarchive/mess … lnscan.org
I've already filed a bug as FS#19780 to the community project, but
given the severity I thought it would be wise to alert a wider audience....
On a side-note, Sergej already has published a new pkgrel this afternoon
(2010-06-12 16:40:54 UTC). So the bug is/was already obsolete before I
wrote it. (I should remember to check the website before trusting
supposedly up to date mirrors I guess.) What do we actually need a
-security list for, when maintainers fix vulnerabilities before they are
filed? ;-)
Last edited by brisbin33 (2010-06-14 18:01:45)
Offline
> Has one of you guys reported this to the powers that be?
Sorry I don't know how to do that. I noted that Sergej Pupykin is the package maintainer, but I failed to send a PM or make a bug report.