[vox-tech] possible rooted system / checking md5sum on debian

Ken Bloom vox-tech@lists.lugod.org
Sun, 6 Oct 2002 14:05:22 -0700


> Message: 6
> Date: Sun, 6 Oct 2002 11:40:13 -0700
> To: vox-tech@lists.lugod.org
> Subject: Re: [vox-tech] possible rooted system / checking md5sum on debian
> From: Rick Moen <rick@linuxmafia.com>
> Reply-To: vox-tech@lists.lugod.org
> 
> Quoting dugan@passwall.com (dugan@passwall.com):
> 
> > I don't know of a system to check for MD5 sums of all Debian packages and
> > verify. There have been discussions about how to have cert signing of
> > packages, but who would be a central authority to sign packages?
> 
> I do my best to cover this (complex) matter here:
> http://linuxmafia.com/~rick/linux-info/debian-package-signing
> 
> But the people who know all the details are on the debian-security 
> mailing list (where I mostly just lurk).
> 

What I got out of this document applies especially when a package mirror
has been rooted. If the person who rooted it chose to put trojaned binaries
in the mirror itself (for unsuspecting Debian users to download), then
the only real way to ensure that your system is still safe is not to
`apt-get dist-upgrade` from that mirror.

Now, suppose you already did an apt-get dist-upgrade that may get
you in trouble. Here's how to check whether you're OK. Recall the
packages that were updated in your last few dist-upgrades. (For me this
included coreutils, shellutils, textutils, and fileutils last night,
which seem like particularly important packages on a system.) Remember
that Debian only upgrades packages if the ones on the mirror have a
higher version number. So run dpkg -l on any packages you're suspicious
about.

[bloom@cat-in-the-hat ~]% dpkg -l coreutils textutils shellutils fileutils
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  coreutils      4.5.1-2        The GNU core utilities
ii  textutils      4.5.1-2        The GNU text file processing utilities
ii  shellutils     4.5.1-2        The GNU shell programming utilities.
ii  fileutils      4.5.1-2        GNU file management utilities

Now, go and compare version numbers with packages.debian.org.
If the version numbers match, chances are you're fine and didn't get any
trojaned packages. (My version numbers do match.)
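The comparison step described in the message, written out as a small POSIX shell script. This is an added example, not code from Ken's message or from Debian's tooling: it uses the `dpkg -l` listing shown in the post as its sample input, extracts the installed version of each package, and checks it against a reference list of the kind you would type in from packages.debian.org (the reference versions below are constructed to match the post). Two practical points: `dpkg -l` truncates long names and versions to fit the terminal width, so capture a live listing with a wide `COLUMNS` value (for example `COLUMNS=200 dpkg -l ...`) before parsing it; and a matching version number only tells you the mirror did not push a replacement package onto your system, it says nothing about whether the installed files themselves were altered.

```shell
#!/bin/sh
# Sample `dpkg -l` output, copied from the post (not a live listing).
DPKG_L_OUTPUT='Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  coreutils      4.5.1-2        The GNU core utilities
ii  textutils      4.5.1-2        The GNU text file processing utilities
ii  shellutils     4.5.1-2        The GNU shell programming utilities.
ii  fileutils      4.5.1-2        GNU file management utilities'

# Constructed reference list: "package version" per line, as read off
# packages.debian.org for the release you track. Fill this in by hand.
REFERENCE='coreutils 4.5.1-2
textutils 4.5.1-2
shellutils 4.5.1-2
fileutils 4.5.1-2'

# installed_version PKG: print the version dpkg reports for PKG, or nothing.
# Only lines whose status field is "ii" (installed) are considered, which
# skips the header block that dpkg -l prints first.
installed_version() {
    printf '%s\n' "$DPKG_L_OUTPUT" |
        awk -v pkg="$1" '$1 == "ii" && $2 == pkg { print $3 }'
}

# compare_versions REFERENCE_TEXT: for every "package version" line in the
# reference, print "package installed reference STATUS". Returns 0 when all
# packages match, 1 when any is missing or carries a different version.
compare_versions() {
    rc=0
    while read -r pkg ref; do
        [ -n "$pkg" ] || continue          # ignore blank lines
        inst=$(installed_version "$pkg")
        if [ "$inst" = "$ref" ]; then
            status=OK
        else
            status=MISMATCH
            rc=1
        fi
        printf '%s %s %s %s\n' "$pkg" "${inst:-missing}" "$ref" "$status"
    done <<EOF
$1
EOF
    return $rc
}

# Running the script directly prints one line per reference package.
compare_versions "$REFERENCE"
```

To use it on a real box, replace `DPKG_L_OUTPUT` with the captured listing (`COLUMNS=200 dpkg -l coreutils textutils ...`) and `REFERENCE` with the versions you looked up; a non-zero exit status flags the packages worth investigating further.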