l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2002 Oct 07 22:14

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] possible rooted system / checking md5sum on debian
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] possible rooted system / checking md5sum on debian

> Message: 6
> Date: Sun, 6 Oct 2002 11:40:13 -0700
> To: vox-tech@lists.lugod.org
> Subject: Re: [vox-tech] possible rooted system / checking md5sum on debian
> From: Rick Moen <rick@linuxmafia.com>
> Reply-To: vox-tech@lists.lugod.org
> Quoting dugan@passwall.com (dugan@passwall.com):
> > I don't know of a system to check for MD5 sums of all Debian packages and
> > verify. There have been discussions about how to have cert signing of
> > packages, but who would be a central authority to sign packages?
> I do my best to cover this (complex) matter here:
> http://linuxmafia.com/~rick/linux-info/debian-package-signing
> But the people who know all the details are on the debian-security 
> mailing list (where I mostly just lurk).

What I got out of this document applies especially when a package mirror
has been rooted. If the person who rooted chose to put trojaned binaries
in the mirror itself (for unsuspecting debian users to download) then
the only real way to ensure that your system is still safe is not to
`apt-get dist-upgrade` from that mirror. 

Now supposing you already did do an apt-get dist-upgrade that may get
you in trouble. Here's how to check whether you're OK. Recall the
packages that were updated in your last few dist-upgrades. (For me this
included coreutils, shellutils, textutils, and fileutils last night,
which seem like particularly important packages on a system.) Remember
that debian only upgrades packages if the ones on the mirror have a
higher version number. So run dpkg -l on any packages you're suspicious

[bloom@cat-in-the-hat ~]% dpkg -l coreutils textutils shellutils fileutils
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err:
||/ Name           Version        Description
ii  coreutils      4.5.1-2        The GNU core utilities
ii  textutils      4.5.1-2        The GNU text file processing utilities
ii  shellutils     4.5.1-2        The GNU shell programming utilities.
ii  fileutils      4.5.1-2        GNU file management utilities

Now, go and compare version numbers with packages.debian.org
If version numbers match, chances are you're fine and didn't get any
trojaned packages. (Mine version numbers match do)
vox-tech mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
O'Reilly and Associates
For numerous book donations.