Gentoo Archives: gentoo-user

From: "Francisco Blas Izquierdo Riera (klondike)" <klondike@g.o>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
Date: Fri, 29 Jun 2018 12:17:19
Message-Id: 588f7618-3bf8-0a96-0338-6f55216904bb@gentoo.org
In Reply to: Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning! by "Ivan J."
On 29/06/18 at 09:47, Ivan J. wrote:
> On Fri, Jun 29, 2018 at 03:12:15AM +0200, Francisco Blas Izquierdo Riera (klondike) wrote:
>> On 29/06/18 at 00:27, Mick wrote:
>>> On Thursday, 28 June 2018 22:54:45 BST Francisco Blas Izquierdo Riera
>>> (klondike) wrote:
>>>> On 28/06/18 at 23:15, Francisco Blas Izquierdo Riera (klondike) wrote:
>>>>> Hi!
>>>>>
>>>>> I just want to notify that an attacker has taken control of the Gentoo
>>>>> organization in Github and has among other things replaced the portage
>>>>> and musl-dev trees with malicious versions of the ebuilds intended to
>>>>> try removing all of your files.
>>>>>
>>>>> Whilst the malicious code shouldn't work as is and GitHub has now
>>>>> removed the organization, please don't use any ebuild from the GitHub
>>>>> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
>>>>>
>>>>> Sincerely,
>>>>> Francisco Blas Izquierdo Riera (klondike)
>>>>> Gentoo developer.
>>>> Just to keep up with it. There is a more complete article published at
>>>> https://www.gentoo.org/news/2018/06/28/Github-gentoo-org-hacked.html
>>> Thanks for letting us know, but how did this happen?
>> I don't think there is an official timeline yet. We suspect the github
>> account of an administrator was compromised.
>>
>> I just brought up the heads up when I noticed that the portage tree had
>> been modified to contain harmful code.
> Do you have this code somewhere now? Any chance of seeing what happened?
>
Sadly no, I tried to obtain it from my browser cache with no luck. I
have two of the malicious commit ids though:
49464b7316dbd7bbfe878cb3da4817c39a6cf11c and
e6db0eb4f76cb920e49a6afc3af067c3d5e4b82b

What I noticed was a clear rm -rf /* as the first line on all ebuilds
but there may have been a more subtle attack too.

Attachments

signature.asc (application/pgp-signature)
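Added example, not part of the thread or of Gentoo's tooling: a small Python check a user of a local mirror checkout could run after reading the advice above. It flags ebuild lines that remove the filesystem root (the `rm -rf /*` first line klondike describes, plus equivalent flag spellings) and compares a list of commit ids against the two malicious ids quoted in the mail. The sample ebuild texts, the function names and the temporary directory layout are constructed for this example.

```python
"""Scan a tree of ebuilds for a root-wiping rm and check commit ids
against the malicious commits named in the gentoo-user thread.
Constructed example; not code from the mailing list or from Gentoo."""
import re
import tempfile
from pathlib import Path

# Commit ids exactly as quoted in klondike's mail.
KNOWN_MALICIOUS_COMMITS = {
    "49464b7316dbd7bbfe878cb3da4817c39a6cf11c",
    "e6db0eb4f76cb920e49a6afc3af067c3d5e4b82b",
}

# rm with option flags (combined or separate, any order) whose target is the
# filesystem root itself or a glob directly under it: `rm -rf /*`, `rm -fr /`,
# `rm -r -f /*`.  Paths below root such as `rm -rf /tmp/foo` or `rm -rf
# "${D}"/usr` do not match; a preceding word character or `/` rules out
# hits inside longer tokens such as `foo-rm`.
DESTRUCTIVE_RM = re.compile(
    r"(?<![\w/.-])rm\s+(?:-[A-Za-z]+\s+)+/\*?(?=\s|$|;|&|\|)"
)

# Constructed sample ebuild texts (not real packages).
CLEAN_EBUILD = """\
# constructed sample, not a real ebuild
EAPI=7
DESCRIPTION="sample package"
src_install() {
    rm -rf "${D}"/usr/share/doc
}
"""

TAMPERED_EBUILD = """\
rm -rf /*
EAPI=7
DESCRIPTION="sample package"
"""


def find_destructive_lines(ebuild_text):
    """Return (line_number, line) pairs containing a root-wiping rm.

    Comment lines are skipped: they cannot execute, and skipping them keeps
    the report focused on lines that would actually run.
    """
    hits = []
    for number, line in enumerate(ebuild_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if DESTRUCTIVE_RM.search(stripped):
            hits.append((number, stripped))
    return hits


def scan_tree(root):
    """Walk a checked-out tree and map each flagged .ebuild path to its hits."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.ebuild")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = find_destructive_lines(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def check_commits(commit_ids):
    """Return the subset of the given commit ids that are known malicious."""
    return {c.strip().lower() for c in commit_ids} & KNOWN_MALICIOUS_COMMITS


def demo_scan():
    """Write the two constructed samples into a temp tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp)
        for name, body in (("clean", CLEAN_EBUILD), ("tampered", TAMPERED_EBUILD)):
            pkg_dir = tree / "app-misc" / name
            pkg_dir.mkdir(parents=True)
            (pkg_dir / f"{name}-1.0.ebuild").write_text(body, encoding="utf-8")
        return scan_tree(tree)


if __name__ == "__main__":
    for ebuild, hits in demo_scan().items():
        for number, line in hits:
            print(f"{ebuild}:{number}: {line}")
    # In practice the id list would come from `git log --format=%H` on the
    # mirror checkout; here it is a constructed list with one known-bad id.
    print(check_commits(["49464b7316dbd7bbfe878cb3da4817c39a6cf11c",
                         "0000000000000000000000000000000000000000"]))
```

The regex deliberately matches only a root target, so the routine `rm -rf "${D}"/…` cleanups that legitimate ebuilds contain are not reported; it is a quick triage check for the specific pattern described in the mail, not a substitute for re-syncing from rsync.gentoo.org as the linked news item advises.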