From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <cap@capsi.com>
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on finch.gentoo.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.0 required=5.0 tests=DMARC_MISSING,
	MAILING_LIST_MULTI autolearn=unavailable autolearn_force=no
	version=4.0.0
Received: from capsi.com (capsi.xs4all.nl [213.84.61.91])
	by chiba.3jane.net (Postfix) with SMTP id 0A13AABDB5
	for <gentoo-dev@lists.gentoo.org>; Thu,  1 Aug 2002 03:37:16 -0500 (CDT)
Received: (qmail 27215 invoked by uid 1007); 1 Aug 2002 08:37:14 -0000
Date: Thu, 1 Aug 2002 10:37:14 +0200
From: Rob Kaper <cap@capsi.com>
To: pvolkerdi@slackware.com
Cc: neil@qualityassistant.com, gentoo-dev@lists.gentoo.org,
	kde-cafe@mail.kde.org
Message-ID: <20020801103714.A26100@capsi.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
Subject: [gentoo-dev] possible trojan in openssh-3.4p1
Sender: gentoo-dev-admin@gentoo.org
Errors-To: gentoo-dev-admin@gentoo.org
X-BeenThere: gentoo-dev@gentoo.org
X-Mailman-Version: 2.0.6
Precedence: bulk
List-Help: <mailto:gentoo-dev-request@gentoo.org?subject=help>
List-Post: <mailto:gentoo-dev@gentoo.org>
List-Subscribe: <http://lists.gentoo.org/mailman/listinfo/gentoo-dev>,
	<mailto:gentoo-dev-request@gentoo.org?subject=subscribe>
List-Id: Gentoo Linux developer list <gentoo-dev.gentoo.org>
List-Unsubscribe: <http://lists.gentoo.org/mailman/listinfo/gentoo-dev>,
	<mailto:gentoo-dev-request@gentoo.org?subject=unsubscribe>
List-Archive: <http://lists.gentoo.org/pipermail/gentoo-dev/>
X-Archives-Salt: e6522784-2588-44ed-a3bb-7e11083342d1
X-Archives-Hash: 8f48822bce9ed469f114672a896a9d45

Pat, Neil, Gentoo devs, KDE friends:

>>From #kde-freebsd:

<knu> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz is trojaned
<tap> nothing on google either
<knu> steals /etc/passwd to send to a certain IRC network and removes itself
<Capzilla> knu : says who
<knu> see the code, but never run make
<knu> openbsd-compat/{Makefile.in,bf-test.c}

Looks like some weird stuff is in there indeed.

md5sum of the binary that appears to be trojaned:

3ac9bc346d736b4a51d676faa2a08a57  openssh-3.4p1.tar.gz

As far as I can see, compiled binaries are *not* affected, but you might
want to carefully examin this more closely (I'm waiting with upgradepkg en
emerge on my systems until there's some more info). We've had a few hoaxes
recently, but this looks suspicious.

My apologies if this is just a storm in a glass of water.

Rob
-- 
Rob Kaper     | Gimme some love, gimme some skin,
cap@capsi.com | if we ain't got that then we ain't got much
www.capsi.com | and we ain't got nothing, nothing! -- "Nothing" by A