oss-sec mailing list archives

Re: vsftpd download backdoored


From: Solar Designer <solar () openwall com>
Date: Tue, 5 Jul 2011 07:58:39 +0400

On Mon, Jul 04, 2011 at 10:31:07PM -0500, HD Moore wrote:
> Thanks for the CC -- as a guess as to what happened; was this particular
> mirror compromised

What mirror?  As far as I'm aware, from the announcement by Chris, only
the official distribution site for vsftpd was compromised.

> and the original tarball modified (along with its
> mtime) to match the original Feb 15th date?

Maybe.  Do you have a copy of the backdoored tarball?  I don't, and no
one on forums where I saw this discussed appears to have it (which
confirms that it existed for a very short period of time only).

> Does anyone have a "we noticed it first" flag that is before July 3rd?

Not that I know of.

> Debian (and most other repos) are storing the SHA-256/SHA1/MD5 of each
> source package, so a Feb 15 date does seem incredible, but so does the
> complete pwnage of a non-official mirror with the original mtime, at the
> same moment as an official dist server compromise. A nightly rsync would
> account for this, but we would need to know more about the mirror
> structure from Chris.

Are you trying to say that Debian got the backdoored copy?  This is news
to me.

Thanks,

Alexander

