Hi,

One of the reproducible builds talk slides showed a diff of OpenSSH
before and after some off-by-one vulnerability was fixed.

Here's a real-world malicious backdoor in Juniper ScreenOS's sshd:
https://community.rapid7.com/servlet/JiveServlet/showImage/38-7376-36434/ssh.png
The yellow highlighted string allows login as any user.  Full article:
https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor

Whilst this may have been added in source code, it was well-disguised in
the disassembly and just 7 instructions long.  I thought this was a good
example of the current state-of-the-art, and why we'd like our binaries
and, eventually, installer and VM images reproducible IMHO.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
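
The check the message argues for, as an added example that is not part of the original post and not code from the reproducible-builds project: two independent builds of the same source are compared artifact by artifact; a bit-identical rebuild yields no findings, while a change made only to the binary (the kind of thing that would never appear in a source diff) is reported with both SHA-256 values and the offset and length of the first diverging byte run. All file contents below are constructed placeholders (the paths, the fake ELF bytes and the 7-byte patch are assumptions), not ScreenOS or OpenSSH data.

```python
import hashlib
from typing import Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's contents."""
    return hashlib.sha256(data).hexdigest()


def first_difference(a: bytes, b: bytes) -> Optional[Tuple[int, int]]:
    """Return (offset, length) of the first run of differing bytes,
    or None if the two byte strings are identical."""
    if a == b:
        return None
    n = min(len(a), len(b))
    start = next((i for i in range(n) if a[i] != b[i]), n)
    end = start
    while end < n and a[end] != b[end]:
        end += 1
    if start == n:
        # One file is a strict prefix of the other: the difference is the tail.
        end = max(len(a), len(b))
    return start, end - start


def compare_builds(build_a: Dict[str, bytes], build_b: Dict[str, bytes]) -> List[dict]:
    """Compare two build trees given as {relative path: contents}.
    Returns one finding per artifact that is missing on one side or differs."""
    findings = []
    for path in sorted(set(build_a) | set(build_b)):
        if path not in build_a or path not in build_b:
            findings.append({"path": path, "status": "missing",
                             "present_in": "a" if path in build_a else "b"})
            continue
        a, b = build_a[path], build_b[path]
        ha, hb = sha256_hex(a), sha256_hex(b)
        if ha == hb:
            continue  # bit-identical: this artifact reproduced
        offset, length = first_difference(a, b)
        findings.append({"path": path, "status": "differs",
                         "sha256_a": ha, "sha256_b": hb,
                         "size_a": len(a), "size_b": len(b),
                         "offset": offset, "length": length})
    return findings


def is_reproducible(build_a: Dict[str, bytes], build_b: Dict[str, bytes]) -> bool:
    """True when every artifact is present on both sides and byte-identical."""
    return compare_builds(build_a, build_b) == []


# Constructed sample artifacts (assumption: not real ScreenOS or OpenSSH bytes).
REFERENCE_BUILD = {
    "bin/sshd": b"\x7fELF" + bytes(range(256)) * 4,
    "etc/sshd_config": b"PermitRootLogin no\n",
}
# An independent rebuild from the same source: byte-identical.
REBUILD = dict(REFERENCE_BUILD)
# A binary that was modified after compilation: a constructed 7-byte patch
# standing in for a change that exists only in the shipped binary.
TAMPERED = dict(REFERENCE_BUILD)
_sshd = bytearray(TAMPERED["bin/sshd"])
_sshd[300:307] = b"\xde\xad\xbe\xef\xca\xfe\x01"
TAMPERED["bin/sshd"] = bytes(_sshd)


if __name__ == "__main__":
    print("rebuild reproducible:", is_reproducible(REFERENCE_BUILD, REBUILD))
    for finding in compare_builds(REFERENCE_BUILD, TAMPERED):
        print(finding)
```

The comparison deliberately reports where the bytes diverge rather than trying to interpret them: a small patch near the middle of an otherwise identical binary is exactly the signal a reviewer would then hand to a disassembler or a tool such as diffoscope. In practice the two dictionaries would be populated by hashing the output directories of two builds done on separate machines.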

_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds