cisco-vpnclient - PKGBUILD download link compromised?

palmaway · 2014-06-29 02:12:52

Hi all!

OK, this might just be me being paranoid, but I guess I'll signal this: the download link included in the cisco-vpnclient PKGBUILD is not official (the software is not publicly available) and the file does NOT validate against the official md5sum (visible at the cisco website: http://goo.gl/mVBAaL). Considering that this is a security related software, I would like to know why this is the case. IMHO, there is a non-negligible risk the download might be compromised (I'm not saying it is, but the risk exists). I posted a related comment on the package page.

Anyone has more info on this? I would be glad to find out this is not a security issue, but I guess users should be warned until we have a reasonable explanation.

Cheers!

Last edited by palmaway (2014-07-07 01:57:59)

stevenhoneyman · 2014-06-29 02:34:31

The AUR version has some kind of binary patch applied, and a readme explaining it.
I know if it was me, then I'd much rather use the legit one if I wasn't affected by this supposed AMD bug.
Well spotted!

$ diff -urb vpnclient-cisco vpnclient-aur
Only in vpnclient-aur: AMD-PATCH-README.txt
Binary files vpnclient-cisco/cisco_cert_mgr and vpnclient-aur/cisco_cert_mgr differ
Binary files vpnclient-cisco/cvpnd and vpnclient-aur/cvpnd differ
diff -urb vpnclient-cisco/interceptor.c vpnclient-aur/interceptor.c
--- vpnclient-cisco/interceptor.c	2008-06-23 17:59:12.000000000 +0100
+++ vpnclient-aur/interceptor.c	2009-05-20 14:16:34.000000000 +0100
@@ -502,7 +502,7 @@
 {
     int i;
     
-    for (i=0; i <= MAX_INTERFACES; i++)
+    for (i=0; i < MAX_INTERFACES; i++)
     {
         BINDING *b = &Bindings[i];
         if (b->pDevice && (dev->ifindex == b->pDevice->ifindex))
Binary files vpnclient-cisco/libvpnapi.so and vpnclient-aur/libvpnapi.so differ
Binary files vpnclient-cisco/vpnclient and vpnclient-aur/vpnclient differ

From the text file in the AUR one:

12 May 2009
This is an *UNOFFICIAL* patch for Cisco VPN Client on AMD Phenom
CPUs.
The original binaries misdetect the installed CPU, and with
AMD Phenom tried to use Intel-specific routines for MDA and SHA,
thus crashing the application itself.
Here you will find the same binaries patched to work with new AMD
CPUs, so if your Cisco VPN Client running on your AMD segfaults
try this patched binaries.
______
Usage |
-----------------------------------------------------
You can simply copy them in the right dirs by hand, or run
install.sh script, that will backup original binaries and then
copy the patched one.
There are three binaries (vpnclient, cvpnd, cisco_cert_mgr) and
one library (libvpnapi.so), usually installed in:
/opt/cisco-vpnclient/bin/ (binaries)
/opt/cisco-vpnclient/lib/ (library)
If you have not-standard install you must simply replace original
files with the supplied ones in this package.
The binaries are a modified version of the ones i found in:
vpnclient-linux-x86_64-4.8.01.0640-k9.tar.gz
The patched files worked for me, but you are ecnouraged to
consider this patch *UNOFFICIAL*, *UNSTABLE*, *UNTESTED*.
If they work for you, write me some feedback about:
- your client version;
- your kernel Version (uname -a);
- your CPU version (cat /proc/cpuinfo);
Have fun!
t3x@alkolizzati.org
This patched version has been downloaded from http://projects.tuxx-home.at/,
please check for updates there and if you experience any problems, visit
the support forum http://forum.tuxx-home.at/.

Last edited by stevenhoneyman (2014-06-29 02:36:39)

palmaway · 2014-06-29 02:58:36

I see! I guess that explains it... Thanks! However, I would still like to have the PKGBUILD advertise this in a more explicit manner...

stevenhoneyman · 2014-06-29 03:00:58

Me too, but only a TU can get this changed - you'd need to post to the AUR General mailing list.

Should probably be named "cisco-vpnclient-amdphenom" or something IMO

t0nedef · 2014-07-01 23:06:17

Hey palmaway & stevenhoneyman,
I'm the maintainer of that package. Although I took it over long after this decision was made, I'm happy to try to rectify the situation. I have two concerns:
1) I'm not sure there aren't other patches applied to that package. I'd be happy to try the original source and verify its functionality.
2) I don't have a download link to the original cisco package (apparently you need to be cisco partner) - do any of you?

stevenhoneyman · 2014-07-03 16:30:36

t0nedef wrote:

Hey palmaway & stevenhoneyman,
I'm the maintainer of that package. Although I took it over long after this decision was made, I'm happy to try to rectify the situation. I have two concerns:
1) I'm not sure there aren't other patches applied to that package. I'd be happy to try the original source and verify its functionality.
2) I don't have a download link to the original cisco package (apparently you need to be cisco partner) - do any of you?

Just to note: I have no means of testing this or using this software... I was just posting to answer the OP's question

Here you go though (from a google search, but the hash matches the Cisco website):

http://ftp.uma.es/ClientesVPN/vpnclient-linux-x86_64-4.8.02.0030-k9.tar.gz

de869c26dbc3b8851759907855dee48c  vpnclient-linux-x86_64-4.8.02.0030-k9.tar.gz

P.S. I'd suggest *not* using that URL above in your PKGBUILD... or they will likely just take it down.

Last edited by stevenhoneyman (2014-07-03 16:31:43)

palmaway · 2014-07-07 02:01:18

Hi t0nedef, thanks for replying!

I'm not sure the vpnclient is freely redistributable. In the end, Cisco doesn't allow public download from their own website (I fixed the link in my first post, btw). Like for many other commercial software packages, in the PKGBUILD the filename and the hash should be enough, no need for a link! In any case the file is widely available, so it should be easy enough to find for testing the package: the link posted above is one of many that can be found just using google with the filename.

Last edited by palmaway (2014-07-07 02:03:15)

Arch Linux

#1 2014-06-29 02:12:52

cisco-vpnclient - PKGBUILD download link compromised?

#2 2014-06-29 02:34:31

Re: cisco-vpnclient - PKGBUILD download link compromised?

#3 2014-06-29 02:58:36

Re: cisco-vpnclient - PKGBUILD download link compromised?

#4 2014-06-29 03:00:58

Re: cisco-vpnclient - PKGBUILD download link compromised?

#5 2014-07-01 23:06:17

Re: cisco-vpnclient - PKGBUILD download link compromised?

#6 2014-07-03 16:30:36

Re: cisco-vpnclient - PKGBUILD download link compromised?

#7 2014-07-07 02:01:18

Re: cisco-vpnclient - PKGBUILD download link compromised?

Board footer