Bug 374091

Summary: net-ftp/vsftpd: backdoor discovered in source code
Product: Gentoo Security
Reporter: Mike Pagano <mpagano>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: blueness, bugs, c1pher, hwoarang, wired
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Mike Pagano gentoo-dev 2011-07-05 01:06:53 UTC
Version 2.3.4 of vsftpd's downloadable source code was compromised and a backdoor added to the code.

Upstream has now moved the source code and site to https://security.appspot.com/vsftpd.html.

Comment 1 Anthony Basile gentoo-dev 2011-07-05 01:16:00 UTC
It looks like we may be okay.  Using the information from

http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html

I did the following:

   wget https://security.appspot.com/downloads/vsftpd-2.3.4.tar.gz
   wget https://security.appspot.com/downloads/vsftpd-2.3.4.tar.gz.asc
   gpg --verify vsftpd-2.3.4.tar.gz.asc

and got `Good signature from "Chris Evans <chris@scary.beasts.org>"`.  Then

   sha256sum vsftpd-2.3.4.tar.gz

gave

   b466edf96437afa2b2bea6981d4ab8b0204b83ca0a2ac94bef6b62b42cc71a5a

which matches the Manifest which has not changed in the last 6 weeks.

FYI the compromised tarball has sha256

   2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5
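An added example, not from the bug or from vsftpd: a POSIX sh script automating the check Anthony describes (signature first, then the digest against the Manifest value), extended to flag the known-backdoored digest explicitly rather than just reporting a mismatch. The function names, the `TARBALL.asc` naming and an already-imported signing key are assumptions.

```shell
#!/bin/sh
# Digests quoted in Comment 1: the Manifest value (known good) and the
# digest of the backdoored tarball (known compromised).
GOOD_SHA256=b466edf96437afa2b2bea6981d4ab8b0204b83ca0a2ac94bef6b62b42cc71a5a
BAD_SHA256=2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5

# classify_sha256 DIGEST: prints "good", "compromised" or "unknown".
# Exit status is 0 only for "good", so it can gate a build step;
# "compromised" gets its own status (2) so a log can tell it from a typo.
classify_sha256() {
    digest=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$digest" in
        "$GOOD_SHA256") echo good;        return 0 ;;
        "$BAD_SHA256")  echo compromised; return 2 ;;
        *)              echo unknown;     return 1 ;;
    esac
}

# verify_tarball TARBALL (assumed helper): expects the detached signature
# next to the tarball as TARBALL.asc and the signing key already in the
# keyring. Signature first, then the digest against the Manifest value.
verify_tarball() {
    tarball=$1
    if ! gpg --verify "$tarball.asc" "$tarball" >/dev/null 2>&1; then
        echo "$tarball: bad or missing OpenPGP signature" >&2
        return 1
    fi
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    verdict=$(classify_sha256 "$actual" || true)
    echo "$tarball: sha256 $actual -> $verdict"
    [ "$verdict" = good ]
}

# Usage, only when a tarball is given on the command line:
#   sh verify-vsftpd.sh vsftpd-2.3.4.tar.gz
if [ "$#" -gt 0 ]; then
    verify_tarball "$1"
fi
```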

Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-07-05 06:01:53 UTC
Craig and I checked our tarball yesterday as well and got the same result, so Gentoo is not affected.