Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Bugs & Viruses
Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009-- not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
Thread beginning with comment 430045
RE: Comment by lemur2
by Elv13 on Tue 15th Jun 2010 03:07 UTC in reply to "Comment by lemur2"
Elv13 Member since:
2006-06-12

Distributors don't read the source code every time they package software. Most of them just update the content of the "src" folder with the new code and edit the debian/changelog file. It does not prevent infected software from going in, signed or not.

Edited 2010-06-15 03:08 UTC

Score: 7

RE[2]: Comment by lemur2
by lemur2 on Tue 15th Jun 2010 03:19 in reply to "RE: Comment by lemur2"
lemur2 Member since:
2007-02-17

Distributors don't read the source code every time they package software. Most of them just update the content of the "src" folder with the new code and edit the debian/changelog file. It does not prevent infected software from going in, signed or not.


Unless you can provide a real-life instance of something remotely like this ever happening, you are just blowing wind (and seriously insulting distribution maintainers while you are at it, BTW).

Good luck trying to find such an example.

PS: For most changes, only the "diffs" need to be examined, not the entire source code.

Edited 2010-06-15 03:28 UTC

Score: -1

RE[2]: Comment by lemur2
by lemur2 on Tue 15th Jun 2010 03:43 in reply to "RE: Comment by lemur2"
lemur2 Member since:
2007-02-17

Distributors don't read the source code every time they package software. Most of them just update the content of the "src" folder with the new code and edit the debian/changelog file. It does not prevent infected software from going in, signed or not.


BTW, GPG signing of the code and requiring it to be installed via a package manager would have prevented this particular incident from happening to the UnrealIRCd application.

Edited 2010-06-15 03:44 UTC

Score: 2

RE[3]: Comment by lemur2 - Gentoo
by jabbotts on Tue 15th Jun 2010 19:41 in reply to "RE[2]: Comment by lemur2"
jabbotts Member since:
2007-09-06

Except in the case of Gentoo. Hopefully a more complete list of affected distributions will turn up in the next few days though. It would be interesting to see how far it managed to get. Ideally, with reports of Windows and other platforms who had the malicious tarball compiled for use.

Score: 2

RE[2]: Comment by lemur2
by libray on Wed 16th Jun 2010 15:19 in reply to "RE: Comment by lemur2"
libray Member since:
2005-08-27

And as we have learned from the past, not only do most distributors not read the source, when they do make changes, it's not always going to be a secure edit.

This boils down to the distros were just lazy enough that they didn't get this latest source and compile it. If they had been following this as closely as say Firefox, there surely would have been an updated package with the source version. But none of us have any evidence that at least one had not done this already.

Score: 2

RE[3]: Comment by lemur2
by lemur2 on Thu 17th Jun 2010 00:29 in reply to "RE[2]: Comment by lemur2"
lemur2 Member since:
2007-02-17

And as we have learned from the past, not only do most distributors not read the source, when they do make changes, it's not always going to be a secure edit. This boils down to the distros were just lazy enough that they didn't get this latest source and compile it. If they had been following this as closely as say Firefox, there surely would have been an updated package with the source version. But none of us have any evidence that at least one had not done this already.


It was getting what they thought was the latest source version, without accompanying signatures to verify its integrity, that caused this problem.

UnRealIRC is not in Debian's repositories, for example, and hence not in Ubuntu's as well. Debian considered it too much of a security risk, and too obscure to be worth it.

AFAIK, it is not in Fedora's repositories, nor in SuSe's, nor in Mandriva's, nor in any of the distributions derived from any of these.

That is most distributions.

Edited 2010-06-17 00:30 UTC

Score: 2