"SquirrelMail Repository Poisoned" (slashdot)

Dan Mahoney, System Admin danm at prime.gushi.org
Wed Dec 19 19:46:35 UTC 2007


On Wed, 19 Dec 2007, Paul Vixie wrote:

Warning: my reply may be long but I might just have had too much coffee.

On the squirrelmail bit:

The squirrelmail bug would be noticed by anyone who had verified the 
checksum.

For myself, I admittedly did *not* verify the SquirrelMail checksum (bad 
me), but always deploy my webmail apps on a "beta" site for at least a 
month before using.

I also do an insane amount of privilege separation with regard to PHP 
scripts, such that a compromised webmail install would most likely only 
lead to file corruption, users reading each others' address books, etc. 
This is not the goal of the average script kiddie who will want to 
download files, launch a shell, and run bots.

The bigger problem, I would assert, is that if your CVS/SVN/Perforce 
repository is poisoned at some point, you could still be GPG-signing, 
md5-summing your distfiles, without an awareness that there's something 
wrong.

I.e. if the attackers could poison the .tar.gz that's on the same webspace 
as the posted download, why wouldn't they just change *that* too.  IMHO 
they got stupid there, and that's what saved us.

On the BIND bit:

For me, I now build BIND from FreeBSD's ports, almost exclusively.

The ports system checks signatures against *INTERNAL* checksums (known to 
the ports system, not posted elsewhere on the ISC site (thus bypassing 
the if-you-can-upload-a-bogus-tarfile, you-can-upload-a-matching-sum issue)) 
that are independently verified in the "proper" ways.

In general:

Oh writer-of-respected-drafts, perhaps the time has come for a defined 
specification to be written for standard distribution files and the 
checksums thereof.

For example, for any given tar.gz ($filename) being downloaded:

1) Check the same directory for $filename.md5, $filename.sha1, 
$filename.gpg (and a possible extension -- allowing the specification of 
an alternate URL where the sign is maintained, either in the same 
directory, or another site entirely).

2) If found, verify.  If !verify, scream bloody murder.

Work could then be done with the builders of tools such as FreeBSD's 
"fetch" (I'm on freebsd-questions and frequently submit PRs), GNU wget 
(I'm on that list), curl, or even lynx and the like (which are, chances 
are, the de-facto means of getting binaries to a system).

I'd love to draft such a draft myself, although I'm at present just a bit 
busy (such is life?).  But I'd love to hear comments otherwise.  Yes, I'm 
requesting them :)

-Dan

--

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
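The two-step check the post sketches (look for $filename.md5, $filename.sha1 and $filename.gpg beside the download, verify, and scream on mismatch), written out as an added example that is not part of the post or of any of the tools it names. It also takes an optional out-of-band SHA1, the ports-distinfo idea, because a sidecar sum hosted next to the tarball cannot protect against someone who can upload both. It assumes md5sum, sha1sum, awk and gpg are installed and that the signer's key is already in the local keyring.

```sh
#!/bin/sh
# Added example, not from the original post: verify a downloaded distfile
# against sidecar files in the same directory ($file.md5, $file.sha1,
# $file.gpg or $file.asc) and, optionally, against a SHA1 obtained out of band.
# Assumes md5sum, sha1sum, awk and gpg; the signing key must already be in the keyring.
digest() {  # $1 = md5|sha1, $2 = file; prints the hex digest, empty if the tool is missing
  case "$1" in
    md5)  md5sum "$2" 2>/dev/null | awk '{print $1}' ;;
    sha1) sha1sum "$2" 2>/dev/null | awk '{print $1}' ;;
  esac
}
# First hex token of the right length in a sidecar; accepts "hash  name" and "SHA1 (name) = hash"
expected_from_sidecar() {  # $1 = sidecar file, $2 = digest length in hex chars
  awk -v n="$2" '{ for (i = 1; i <= NF; i++)
      if (length($i) == n && $i ~ /^[0-9a-fA-F]+$/) { print tolower($i); exit } }' "$1"
}
# verify_distfile FILE [KNOWN_SHA1]
# Returns 0 if every available check passes, 1 on any mismatch, 2 if there was nothing to check.
verify_distfile() {
  file="$1"; known="${2:-}"; checked=0
  for algo in md5 sha1; do
    side="$file.$algo"
    [ -f "$side" ] || continue
    case "$algo" in md5) n=32 ;; sha1) n=40 ;; esac
    expected=$(expected_from_sidecar "$side" "$n")
    actual=$(digest "$algo" "$file")
    if [ -z "$expected" ] || [ -z "$actual" ] || [ "$expected" != "$actual" ]; then
      echo "VERIFY FAILED: $side does not match $file" >&2; return 1
    fi
    checked=$((checked + 1))
  done
  for sig in "$file.gpg" "$file.asc"; do
    [ -f "$sig" ] || continue
    gpg --batch --verify "$sig" "$file" >/dev/null 2>&1 \
      || { echo "VERIFY FAILED: bad signature $sig" >&2; return 1; }
    checked=$((checked + 1))
  done
  if [ -n "$known" ]; then  # the independent sum a same-server sidecar cannot give you
    [ "$(digest sha1 "$file")" = "$known" ] \
      || { echo "VERIFY FAILED: $file does not match the out-of-band SHA1" >&2; return 1; }
    checked=$((checked + 1))
  fi
  [ "$checked" -gt 0 ] && return 0; echo "WARNING: nothing to verify $file against" >&2; return 2
}
if [ $# -gt 0 ]; then verify_distfile "$@"; fi
```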



More information about the bind-workers mailing list