Bug 374091 - net-ftp/vsftpd: backdoor discovered in source code
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Reported: 2011-07-05 01:06 UTC by Mike Pagano
Modified: 2011-07-05 06:01 UTC

Description Mike Pagano gentoo-dev 2011-07-05 01:06:53 UTC
Version 2.3.4 of vsftpd's downloadable source code was compromised and a backdoor added to the code. 

Upstream has now moved the source code and site to https://security.appspot.com/vsftpd.html.
Comment 1 Anthony Basile gentoo-dev 2011-07-05 01:16:00 UTC
It looks like we may be okay.  Using the information from

http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html

I did the following:

   wget https://security.appspot.com/downloads/vsftpd-2.3.4.tar.gz
   wget https://security.appspot.com/downloads/vsftpd-2.3.4.tar.gz.asc
   gpg --verify vsftpd-2.3.4.tar.gz.asc

and got "Good signature from "Chris Evans <chris@scary.beasts.org>"".  Then

   sha256sum vsftpd-2.3.4.tar.gz

gave

   b466edf96437afa2b2bea6981d4ab8b0204b83ca0a2ac94bef6b62b42cc71a5a

which matches the Manifest which has not changed in the last 6 weeks.

FYI the compromised tarball has sha256

   2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5
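The checksum half of the procedure in comment 1 (the signature half stays with `gpg --verify`) can be scripted so that a distfile is checked against every digest in a Gentoo Manifest `DIST` line and then compared with the two sha256 values quoted above. The following is an added example, not code from the bug report or from the vsftpd project. It assumes the Manifest2 line layout `DIST <name> <size> <ALGO> <hex> [<ALGO> <hex> ...]`; the sample bytes it hashes are constructed and are not the real tarball, so `classify_sha256` reports them as unknown.

```python
"""Verify a distfile against a Gentoo-style Manifest DIST line and compare
its sha256 with the known-good / known-backdoored vsftpd-2.3.4 digests.

Added example (not the bug report's own code). Manifest line layout is
assumed to be Gentoo Manifest2: DIST <name> <size> <ALGO> <hex> ...
"""
import hashlib

# Digests quoted in comment 1 of the bug.
GOOD_SHA256 = "b466edf96437afa2b2bea6981d4ab8b0204b83ca0a2ac94bef6b62b42cc71a5a"
BACKDOORED_SHA256 = "2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5"

# Manifest algorithm labels mapped to hashlib names.
_ALGOS = {"SHA256": "sha256", "SHA512": "sha512", "SHA1": "sha1",
          "RMD160": "ripemd160", "BLAKE2B": "blake2b"}


def parse_dist_line(line):
    """Parse 'DIST name size ALGO hex [ALGO hex ...]' into a dict."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 != 1:
        raise ValueError("malformed DIST line: %r" % line)
    digests = {fields[i].upper(): fields[i + 1].lower()
               for i in range(3, len(fields), 2)}
    return {"name": fields[1], "size": int(fields[2]), "digests": digests}


def verify_distfile(manifest_line, data):
    """Return (ok, report). ok is True only if the size matches, every
    digest we can compute matches, and at least one digest was computed."""
    entry = parse_dist_line(manifest_line)
    report = {}
    if len(data) != entry["size"]:
        report["size"] = "mismatch (%d != %d)" % (len(data), entry["size"])
    for algo, expected in entry["digests"].items():
        hname = _ALGOS.get(algo)
        if hname is None:
            report[algo] = "unknown algorithm, skipped"
            continue
        try:
            actual = hashlib.new(hname, data).hexdigest()
        except ValueError:  # e.g. ripemd160 missing from this OpenSSL build
            report[algo] = "not available in hashlib, skipped"
            continue
        report[algo] = "ok" if actual == expected else "MISMATCH"
    checked = [v for k, v in report.items()
               if k != "size" and not v.endswith("skipped")]
    ok = "size" not in report and bool(checked) and all(v == "ok" for v in checked)
    return ok, report


def classify_sha256(data):
    """Relate a tarball's sha256 to the two digests named in the bug."""
    h = hashlib.sha256(data).hexdigest()
    if h == GOOD_SHA256:
        return "clean: matches the signed upstream 2.3.4 tarball"
    if h == BACKDOORED_SHA256:
        return "COMPROMISED: matches the backdoored 2.3.4 tarball"
    return "unknown digest: not the 2.3.4 tarball discussed in the bug"


def make_dist_line(name, data, algos=("SHA256", "SHA512")):
    """Build the Manifest DIST line a maintainer would commit for `data`."""
    parts = ["DIST", name, str(len(data))]
    for algo in algos:
        parts += [algo, hashlib.new(_ALGOS[algo], data).hexdigest()]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed stand-in bytes; not the vsftpd source archive.
    sample = b"constructed stand-in for a distfile; not vsftpd source\n"
    line = make_dist_line("vsftpd-2.3.4.tar.gz", sample)
    print(line)
    print(verify_distfile(line, sample))             # (True, {...: 'ok'})
    print(verify_distfile(line, sample + b"\x00"))   # tampered: size + digests differ
    print(classify_sha256(sample))                   # unknown digest
```

Run it against a real download as `verify_distfile(open("Manifest").read().splitlines()[n], open("vsftpd-2.3.4.tar.gz", "rb").read())`, picking the `DIST` line for the tarball; a `MISMATCH` on any digest, or a size mismatch, is enough to reject the file, and a line whose algorithms cannot all be skipped silently is never reported as ok.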
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-07-05 06:01:53 UTC
Craig and I have checked our tarball yesterday as well and got to the same result, so Gentoo is not affected.