Subject: Re: Heads up: suspicious source distribution of OpenSSH 3.4p1 found (xs4)
To: Rogier Krieger <rogier@virgiel.nl>
From: David Maxwell <david@vex.net>
List: tech-security
Date: 08/01/2002 11:50:26
Thanks for letting us know.

We are aware of the issue, and NetBSD's OpenSSH in basesrc and in pkgsrc
have NOT been affected.

The distribution files on ftp.netbsd.org are clean, and never had the
trojan code. (Mirror sites retrieve from there, and should be unaffected
as well.)

Pkgsrc users would be secured by the SHA1 hash test performed on any
retrieved distfile, in the event that pkgsrc used a non-NetBSD
controlled ftp site to retrieve a distribution file.

We appreciate notification if any user receives a checksum mismatch
warning while installing OpenSSH or any other package.

					David Maxwell
					for security-officer@netbsd.org


> Hello there everyone,
> 
> perhaps this is already known to you (in which case I apologise for
> the double-post; however, upon checking the archives, I did not find
> this subject)
> 
> I just got this in through the Dutch Educational CERT (CERT-NL).
> They have not yet posted on their website (as far as I can tell), but
> presumably they will soon. Their website is: [ http://www.cert-nl.nl/ ].
> 
> I suspect in building the tree sources and pkg sources all MD5
> sums are checked, showing something out of the ordinary. Still,
> sending this notice can't really hurt, given the importance of OpenSSH.
> 
> I hope this is of use. You'll find the original message below.
> 
> Sincerely,
> 
> Rogier Krieger
> 
> 
> 
> Date: Thu, 01 Aug 2002 13:25:29 +0200 (MET DST)
> From: CERT-NL Xander <cert-nl@surfnet.nl>
> Subject: Heads up: suspicious source distribution of OpenSSH 3.4p1 found
> Organisation: SURFnet bv
> Address: "Radboudburcht, P.O. Box 19035, 3501 DA Utrecht, NL"
> Phone: +31 302 305 305
> Telefax: +31 302 305 329
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Courtesy of the FIRST community and various other sources CERT-NL received
> information about a most probably trojaned source distribution of OpenSSH
> version 3.4p1. It appears that the file
> 
>   ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz
> 
> and possibly other files on mirror sites contain a suspicious extra piece of
> code that connects to an external site when activated.
> 
> The suspicious distribution file has a different MD5 checksum and also the
> GPG/PGP signature doesn't verify with the corresponding signature file.
> 
> CERT-NL strongly advises everybody who downloaded and/or installed the
> OpenSSH 3.4p1 package recently to verify the checksum/PGP-signature of the
> downloaded/installed source file.
> 
> This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD ports
> system:
>   MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
> 
> This is the md5 checksum of the Trojaned openssh-3.4p1.tar.gz:
>   MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.0.1
> 
> iQA/AwUBPUkZuzboZFam1X7OEQKjOQCeIa2el2IXw6pUme3zoboPGZ1dXgcAoKI5
> vt6pySqt312S375sVsF61wq4
> =K9dX
> -----END PGP SIGNATURE-----
>
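The distfile checksum check that both messages rely on, as an added example (not NetBSD's pkgsrc code and not from the advisory): it parses the `MD5 (file) = hash` line form quoted above, streams the file through the named hash, and refuses a file for which no checksum is recorded. The tarball bytes and distinfo text inside `demo()` are constructed for this demonstration; the trojaned MD5 it compares against is the value quoted in the advisory.

```python
"""Check a distfile against BSD-style "MD5 (file) = hash" lines, the kind of
test pkgsrc applies to every retrieved distfile. Added example, not NetBSD or
CERT-NL code; the tarball bytes and distinfo text in demo() are constructed."""
import hashlib
import os
import re
import tempfile

# "MD5 (openssh-3.4p1.tar.gz) = 459c..." is the line form quoted in the advisory.
LINE_RE = re.compile(r"^(\w+) \(([^)]+)\) = ([0-9a-fA-F]+)$")

def parse_distinfo(text):
    """Map (filename, algorithm) -> expected hex digest, ignoring other lines."""
    expected = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            expected[(m.group(2), m.group(1).lower())] = m.group(3).lower()
    return expected

def file_digest(path, alg):
    """Stream the file through hashlib so large tarballs are not read at once."""
    h = hashlib.new(alg)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_distfile(path, expected):
    """Return (ok, message). A file with no recorded checksum is refused, not passed."""
    name = os.path.basename(path)
    entries = [(alg, d) for (n, alg), d in expected.items() if n == name]
    if not entries:
        return False, "no checksum recorded for %s" % name
    for alg, want in entries:
        got = file_digest(path, alg)
        if got != want:
            return False, "%s mismatch for %s: want %s got %s" % (alg.upper(), name, want, got)
    return True, "%d checksum(s) match for %s" % (len(entries), name)

def demo():
    """Constructed scenario: a stand-in tarball vs. good lines and the trojaned hash."""
    path = os.path.join(tempfile.mkdtemp(), "openssh-3.4p1.tar.gz")
    with open(path, "wb") as f:
        f.write(b"constructed stand-in, not the real tarball\n")
    good = "MD5 (openssh-3.4p1.tar.gz) = %s\nSHA1 (openssh-3.4p1.tar.gz) = %s\n" % (
        file_digest(path, "md5"), file_digest(path, "sha1"))
    # MD5 of the trojaned tarball as quoted in the advisory; our file must not match it.
    trojaned = "MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57\n"
    return verify_distfile(path, parse_distinfo(good)), verify_distfile(path, parse_distinfo(trojaned))
```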