Linux Users' Group of Davis (LUGOD)
 
Page last updated:
2002 Oct 07 22:14
The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] possible rooted system / checking md5sum on debian

> Message: 6
> Date: Sun, 6 Oct 2002 11:40:13 -0700
> To: vox-tech@lists.lugod.org
> Subject: Re: [vox-tech] possible rooted system / checking md5sum on debian
> From: Rick Moen <rick@linuxmafia.com>
> Reply-To: vox-tech@lists.lugod.org
> 
> Quoting dugan@passwall.com (dugan@passwall.com):
> 
> > I don't know of a system to check for MD5 sums of all Debian packages and
> > verify. There have been discussions about how to have cert signing of
> > packages, but who would be a central authority to sign packages?
> 
> I do my best to cover this (complex) matter here:
> http://linuxmafia.com/~rick/linux-info/debian-package-signing
> 
> But the people who know all the details are on the debian-security 
> mailing list (where I mostly just lurk).
> 

What I got out of this document applies especially when a package mirror
has been rooted. If the person who rooted chose to put trojaned binaries
in the mirror itself (for unsuspecting Debian users to download) then
the only real way to ensure that your system is still safe is not to
`apt-get dist-upgrade` from that mirror. 

Now supposing you already did do an apt-get dist-upgrade that may get
you in trouble. Here's how to check whether you're OK. Recall the
packages that were updated in your last few dist-upgrades. (For me this
included coreutils, shellutils, textutils, and fileutils last night,
which seem like particularly important packages on a system.) Remember
that Debian only upgrades packages if the ones on the mirror have a
higher version number. So run dpkg -l on any packages you're suspicious
about.

[bloom@cat-in-the-hat ~]% dpkg -l coreutils textutils shellutils fileutils
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  coreutils      4.5.1-2        The GNU core utilities
ii  textutils      4.5.1-2        The GNU text file processing utilities
ii  shellutils     4.5.1-2        The GNU shell programming utilities.
ii  fileutils      4.5.1-2        GNU file management utilities

Now, go and compare version numbers with packages.debian.org.
If version numbers match, chances are you're fine and didn't get any
trojaned packages. (My version numbers do match.)
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
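
The comparison described in the post, as an added example that is not part of the original message: a shell function that reads saved `dpkg -l` output and a reference list filled in by hand from packages.debian.org. The reference file format, the function names and the sample reference versions are assumptions constructed for the demo.

```shell
# check_versions DPKG_LIST REFERENCE
#   DPKG_LIST: saved output of `dpkg -l pkg...`
#   REFERENCE: "name version" per line (assumed format), from a trusted source
# Prints one verdict per package row; returns 1 if any row is not OK.
check_versions() {
    awk '
        FILENAME == ARGV[1] {            # reference file is read first
            if (NF >= 2 && $1 !~ /^#/) ref[$1] = $2
            next
        }
        $1 ~ /^[a-z][a-zA-Z]R?$/ && NF >= 3 {   # package row: "ii name version ..."
            name = $2; inst = $3
            if (!(name in ref)) {
                print "UNKNOWN " name " installed=" inst; bad = 1
            } else if (ref[name] == inst) {
                print "OK " name " " inst
            } else {
                print "MISMATCH " name " installed=" inst " reference=" ref[name]; bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$2" "$1"
}

# Constructed sample run: package rows as shown in the post; the reference
# versions are made up for the demo and are NOT real packages.debian.org data.
demo() {
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/dpkg.txt" <<'EOF'
+++-==============-==============-============================================
ii  coreutils      4.5.1-2        The GNU core utilities
ii  textutils      4.5.1-2        The GNU text file processing utilities
ii  shellutils     4.5.1-2        The GNU shell programming utilities.
ii  fileutils      4.5.1-2        GNU file management utilities
EOF
    cat > "$tmp/reference.txt" <<'EOF'
# name version (constructed)
coreutils 4.5.1-2
textutils 4.5.1-1
shellutils 4.5.1-2
EOF
    rc=0
    check_versions "$tmp/dpkg.txt" "$tmp/reference.txt" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "review the packages flagged above"
```

A match only shows that the installed version equals the published one; it does not check the contents of the installed files.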


