hacked package on server

Dave Korn dave.korn@artimi.com
Mon Jul 16 18:11:00 GMT 2007

DANGER:  Extreme sarcasm ahead.  May also be withering.  No warranty, no

On 16 July 2007 16:31, Chicken Licken ^W^W Louis Kruger wrote:

> As the package installed, I saw some strange behavior, I'm worried it
> might have been some kind of trojan.

  Are you able to actually describe "strange behaviour", or did you just get
an eerie spine-tingling feeling with no actual physical symptoms outside your
fevered imagination?

> I saved the hacked package file in case a cygwin developer wants to see
> it.  I was able to get the vim-7.1-1.tar.bz2 from another server with
> the correct MD5.

  Oh, so you know that it's hacked do you?  Having considered every other
possibility, from faulty mirror to transmission error, you can confidently
dismiss them: they could not have happened because they aren't exciting

  Drama queen, much?

> The correct md5:
> df543517110fa14fcc13a207ef721459 *vim-7.1-1.tar.bz2
> The md5 of the hacked package:
> 43f00ebc2964d7c84fde7b7150f1b3a5 *vim-7.1-1.tar.bz2-HACKED

  I downloaded the mirrors.dotsrc version, and I downloaded the
mirrorservice.org version, and verified that as you say, the md5sum is wrong
on the mirrors.dotsrc version.  Rather than jump to unwarranted conclusions, I
decided to investigate, instead of just guessing at the most hysterical option
possible and rushing to spread FUD and loathing.

  They are both the same length, but the corrupted one differs from the
correct one in two sequences: 0x4f5000 - 0x4f8000  and 0x58a000 - 0x58c000.

  Note the nice round offsets and sizes.  I visually examined the incorrect
data in hex: it seemed statistically similar to the correct data, but was not
any simple transposition, shift or reframing of it.

  I also tried one very basic test to see if it could be some kind of
trojanized package: I tried to unpack it.  It failed:

/tmp/cyg-package-hack/unpack $ bunzip2 vim-7.1-1.tar.bz2

bunzip2: Data integrity error when decompressing.
        Input file = vim-7.1-1.tar.bz2, output file = vim-7.1-1.tar

It is possible that the compressed file(s) have become corrupted.
You can use the -tvv option to test integrity of such files.

You can use the `bzip2recover' program to attempt to recover
data from undamaged sections of corrupted files.

bunzip2: Deleting output file vim-7.1-1.tar, if it exists.

  At this point, by the most trivial experiment I have thoroughly debunked the
paranoid interpretation.

  Given that the sizes and offsets are nice integer multiples of inode size, I
believe the dotsrc mirror simply has some crosslinked file chains, and we're
seeing a few blocks of some other package file here.  (I'm afraid I didn't
bother to acquire the ultimate proof here, but it would be easy enough to
download an entire mirror and then search the lot to see which file these
chunks came from).

> I also have a complaint:  the dialog that notifies the user of the
> failed MD5 is not well designed.  The dialog asks "Do you want to skip
> the package?" and has a yes and no button.  I read it quickly and
> pressed no before thinking about it, the package went ahead and tried to
> install.  I think there should be a little more effort to restrain the
> user from performing a dangerous action such as installing a package
> with a wrong MD5.

  "I'm an idiot in a hurry.  I didn't bother to read what was right in front
of my face, and it's all your fault for not stopping me!"

  1) Take less stimulants.
  2) Stop watching films like "Sneakers".
  3) Calm down, breathe deeply, and try not to be so hysterical.

Can't think of a witty .sigline today....

Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

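The triage Dave walks through above, written out as an added example (this is not code from the thread or from the Cygwin project): compare the good and the bad copy byte for byte, report the differing ranges, check whether they start and end on block boundaries, and finally see whether the damaged archive still decompresses. It generalizes his manual hex inspection to any pair of equal-length files. The 4096-byte block size is an assumption, and the "good" archive and its damaged copy are constructed inside the script rather than being the real vim-7.1-1.tar.bz2; the real files would be read from disk in their place.

```python
"""Triage for a package whose checksum does not match: is the damage the
block-aligned kind a broken mirror produces, and does the archive still work?

Added example for this thread, not code from Cygwin or the poster.
Assumed: a 4096-byte block size (BLOCK) and constructed sample data."""
import bz2
import hashlib

BLOCK = 4096  # assumption: block size to test the damaged ranges against


def differing_ranges(good, bad, merge_gap=64):
    """Half-open [start, end) byte ranges where two equal-length buffers differ.
    Foreign data coincides with the original about 1 byte in 256, so gaps of
    up to merge_gap equal bytes are folded into the surrounding range."""
    if len(good) != len(bad):
        raise ValueError("lengths differ: %d vs %d" % (len(good), len(bad)))
    raw, start = [], None
    for i, (a, b) in enumerate(zip(good, bad)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            raw.append((start, i))
            start = None
    if start is not None:
        raw.append((start, len(good)))
    merged = []
    for s, e in raw:
        if merged and s - merged[-1][1] <= merge_gap:
            merged[-1] = (merged[-1][0], e)
        else:
            merged.append((s, e))
    return merged


def block_aligned(ranges, block=BLOCK):
    """True when every damaged range starts and ends on a block boundary: the
    signature of a storage-level mix-up rather than an edit to the contents."""
    return bool(ranges) and all(s % block == 0 and e % block == 0 for s, e in ranges)


def bzip2_intact(data):
    """Full decompression, which verifies bzip2's block and stream CRCs. An
    archive that an installer could actually unpack has to pass this."""
    try:
        bz2.decompress(data)
        return True
    except (OSError, EOFError, ValueError):
        return False


def triage(good, bad):
    """Summarise the evidence the same way the thread does."""
    ranges = differing_ranges(good, bad)
    return {
        "md5_good": hashlib.md5(good).hexdigest(),
        "md5_bad": hashlib.md5(bad).hexdigest(),
        "ranges": ["0x%x-0x%x" % r for r in ranges],
        "block_aligned": block_aligned(ranges),
        "bad_decompresses": bzip2_intact(bad),
    }


# --- constructed sample: a good archive and a copy with two foreign blocks ---
def _stream(seed, n):
    # deterministic, incompressible bytes: hashes of a counter
    return b"".join(hashlib.sha256(b"%s:%d" % (seed, i)).digest() for i in range(n))


GOOD = bz2.compress(_stream(b"payload", 2048))  # 64 KiB in, ~65 KiB compressed
_bad = bytearray(GOOD)
for s, e in ((1 * BLOCK, 2 * BLOCK), (4 * BLOCK, 5 * BLOCK)):
    # overwrite whole blocks; the XOR mask is never zero, so every byte changes
    mask = _stream(b"foreign", (e - s) // 32 + 1)
    _bad[s:e] = bytes(g ^ ((m % 255) + 1) for g, m in zip(GOOD[s:e], mask))
BAD = bytes(_bad)

if __name__ == "__main__":
    for k, v in triage(GOOD, BAD).items():
        print("%-16s %s" % (k, v))
```

Two differing ranges that both sit on 4 KiB boundaries, plus a stream that no longer passes its own CRCs, is the combination the thread lands on: blocks from some other file, not a working trojan. A tampered archive that was meant to install would have to pass `bzip2_intact`, and its edits would have no reason to respect block boundaries.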