FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousand systems were infected (was Re: Summary from last weeks FESCo meeting)

Thorsten Leemhuis fedora at leemhuis.info
Thu Jun 1 07:25:11 UTC 2006


On Thursday, 01.06.2006, 08:13 +0200, Thorsten Leemhuis wrote:
> On Wednesday, 31.05.2006, 22:38 +0200, Michael Schwendt wrote:

> But to be fair: Yes, I think it is a problem. IMHO it's currently way too
> easy to bring in something nasty to Fedora Extras.

Just a quick howto in case people don't know how easy it is:

1. create a package, prepare it for review
2. get it reviewed and yourself sponsored
3. import it and build
4. check out some popular packages, upload new tarballs with slightly
different names and a rootkit in them. Modify the "Source0" accordingly
5. commit the changes, hit "CTRL-C" at the right point in time so the
commit message is not sent to commits-list
6. wait until the maintainer fixes something else in the package and
rebuilds it without noticing the changes done to CVS in between

There are slight variants that might even work better. E.g.

- have a popular package in Extras and do it with that directly (that's
the easiest solution)
- instead of "6.": build the modified packages yourself -- chances are
quite low that somebody will notice it
- instead of "6.": file a bug against the package you modified with a
spec-file patch that fixes something in the package without requiring a
new version -- the maintainer might apply it and request a rebuild (that
is done with the modified tarball you imported to CVS earlier)

CU
thl

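The steps above describe a tampered tarball entering CVS under a slightly different name, with Source0 edited to match, or the same name with different content. One check a packager or release engineer would want here, as an added example that is not from the original post and not part of Fedora's own tooling: audit a package's spec file and its `sources` file against a checksum manifest obtained independently from upstream, and flag a renamed tarball, a same-named tarball whose checksum differs from the upstream release, or a leftover file in `sources` that no Source tag references. The `sources` format assumed below ("md5sum  filename", one per line, pointing into the lookaside cache) is taken from Fedora's CVS layout of the time; the spec fragments, tarball bytes and upstream manifest are constructed for the example.

```python
"""Audit Source tags in a spec against an independent upstream checksum manifest.

Added example, not code from the original post or from Fedora.  Assumed layout:
a spec file plus a `sources` file with "md5sum  filename" lines.  All sample
inputs below are constructed.
"""
import hashlib
import os
import re


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_spec(spec_text: str) -> dict:
    """Map each SourceN tag to the basename of its (macro-expanded) URL/filename.

    Only %{name} and %{version} are expanded; that is enough for the common
    'Source0: http://host/%{name}-%{version}.tar.gz' pattern.
    """
    macros, sources = {}, {}
    for line in spec_text.splitlines():
        m = re.match(r"^(Name|Version):\s*(\S+)", line)
        if m:
            macros[m.group(1).lower()] = m.group(2)
            continue
        m = re.match(r"^(Source\d*):\s*(\S+)", line)
        if m:
            sources[m.group(1)] = m.group(2)

    def expand(value: str) -> str:
        return re.sub(r"%\{(\w+)\}",
                      lambda mm: macros.get(mm.group(1), mm.group(0)), value)

    return {tag: os.path.basename(expand(v)) for tag, v in sources.items()}


def parse_sources_file(text: str) -> dict:
    """Parse '<md5sum>  <filename>' lines into {filename: md5sum}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            entries[parts[1]] = parts[0]
    return entries


def audit_sources(spec_text: str, sources_text: str, upstream_manifest: dict) -> list:
    """Return (code, detail) findings; an empty list means every Source tag
    resolves to a file name upstream actually released, with a matching md5,
    and nothing unreferenced sits in `sources`."""
    findings = []
    spec_sources = parse_spec(spec_text)
    cvs_sources = parse_sources_file(sources_text)
    for tag, fname in spec_sources.items():
        if fname not in cvs_sources:
            findings.append(("missing-in-sources", f"{tag} -> {fname} has no entry in sources"))
        elif fname not in upstream_manifest:
            # Step 4 of the post: a re-uploaded tarball under a slightly different name.
            findings.append(("unknown-tarball-name", f"{tag} -> {fname} is not an upstream release file"))
        elif cvs_sources[fname] != upstream_manifest[fname]:
            # Same name, different bytes: content was swapped in the lookaside cache.
            findings.append(("checksum-mismatch",
                             f"{fname}: sources={cvs_sources[fname]} upstream={upstream_manifest[fname]}"))
    referenced = set(spec_sources.values())
    for fname in cvs_sources:
        if fname not in referenced:
            findings.append(("unreferenced-file", f"{fname} is in sources but no Source tag uses it"))
    return findings


# --- constructed sample data -------------------------------------------------
UPSTREAM_TARBALL = b"foo-1.2 upstream release bytes (constructed)"
TAMPERED_TARBALL = b"foo-1.2 upstream release bytes plus rootkit (constructed)"
UPSTREAM_MANIFEST = {"foo-1.2.tar.gz": md5_hex(UPSTREAM_TARBALL)}  # fetched out of band in practice

CLEAN_SPEC = "Name: foo\nVersion: 1.2\nSource0: http://example.org/foo-%{version}.tar.gz\n"
CLEAN_SOURCES = f"{md5_hex(UPSTREAM_TARBALL)}  foo-1.2.tar.gz\n"

# Renamed tarball with Source0 edited to match (the post's step 4).
RENAMED_SPEC = "Name: foo\nVersion: 1.2\nSource0: http://example.org/foo-%{version}-fedora.tar.gz\n"
RENAMED_SOURCES = f"{md5_hex(TAMPERED_TARBALL)}  foo-1.2-fedora.tar.gz\n"

# Same file name, swapped content.
SWAPPED_SOURCES = f"{md5_hex(TAMPERED_TARBALL)}  foo-1.2.tar.gz\n"

if __name__ == "__main__":
    for label, spec, src in (("clean", CLEAN_SPEC, CLEAN_SOURCES),
                             ("renamed", RENAMED_SPEC, RENAMED_SOURCES),
                             ("swapped", CLEAN_SPEC, SWAPPED_SOURCES)):
        print(label, audit_sources(spec, src, UPSTREAM_MANIFEST) or "OK")
```

The manifest has to come from somewhere the CVS committer cannot touch (the upstream release page or its signed checksum file); if it is read from the same repository, a tamperer simply updates both. Running this before every rebuild, rather than relying on the commits-list mail, is what closes the gap described in steps 5 and 6.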



More information about the fedora-extras-list mailing list