> Message: 6 > Date: Sun, 6 Oct 2002 11:40:13 -0700 > To: [EMAIL PROTECTED] > Subject: Re: [vox-tech] possible rooted system / checking md5sum on debian > From: Rick Moen <[EMAIL PROTECTED]> > Reply-To: [EMAIL PROTECTED] > > Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]): > > > I don't know of a system to check for MD5 sums of all Debian packages and > > verify. There have been discussions about how to have cert signing of > > packages, but who would be a central authority to sign packages? > > I do my best to cover this (complex) matter here: > http://linuxmafia.com/~rick/linux-info/debian-package-signing > > But the people who know all the details are on the debian-security > mailing list (where I mostly just lurk). >
What I got out of this document applies especially when a package mirror has been rooted. If the person who rooted chose to put trojaned binaries in the mirror itself (for unsuspecting debian users to download) then the only real way to ensure that your system is still safe is not to `apt-get dist-upgrade` from that mirror. Now supposing you already did do an apt-get dist-upgrade that may get you in trouble. Here's how to check whether you're OK. Recall the packages that were updated in your last few dist-upgrades. (For me this included coreutils, shellutils, textutils, and fileutils last night, which seem like particularly important packages on a system.) Remember that debian only upgrades packages if the ones on the mirror have a higher version number. So run dpkg -l on any packages you're suspicious about. [bloom@cat-in-the-hat ~]% dpkg -l coreutils textutils shellutils fileutils Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name Version Description +++-==============-==============-============================================ ii coreutils 4.5.1-2 The GNU core utilities ii textutils 4.5.1-2 The GNU text file processing utilities ii shellutils 4.5.1-2 The GNU shell programming utilities. ii fileutils 4.5.1-2 GNU file management utilities Now, go and compare version numbers with packages.debian.org If version numbers match, chances are you're fine and didn't get any trojaned packages. (Mine version numbers match do) _______________________________________________ vox-tech mailing list [EMAIL PROTECTED] http://lists.lugod.org/mailman/listinfo/vox-tech
