I have thought long and hard how to help the Gentoo project
to cease exposing its users' systems to the Internet with a
remotely exploitable Portage vulnerability, and I have
reached a conclusion.

I will publish step-by-step instructions which explain in
great detail how to ...

 (1) set up a fake sync mirror,

 (2) set up a transparent proxy for rsyncd connections that
     are routed through your machine,

 (3) configure your BIND daemon to pretend it had
     authoritative information for the gentoo.org zone that
     refers to your mirror rather than the real one, and

 (4) what to patch in /usr/portage/eclass/eutils.eclass to
     install appropriate exploit code on the user's machine
     once emerge is used for the next time.

Furthermore, I'll kindly refer to the entries in
bugs.gentoo.org that show this vulnerability has been known
and ignored for over 15 months.

At 2004-11-11 00:00:00 CET this article hits a rather
popular public full-disclosure mailing list.

Since most of you seem to believe that the bug is really
not that serious, I am certain this will worry you not in
the least.

Peter
--
gentoo-security@g.o mailing list