On Thu, Jun 28, 2018 at 8:55 PM, Duane Robertson
<duane@××××××××××××××.com> wrote:
> On Thu, 28 Jun 2018 23:15:36 +0200
> "Francisco Blas Izquierdo Riera (klondike)" <klondike@g.o> wrote:
>
>> Hi!
>>
>> I just want to notify that an attacker has taken control of the Gentoo
>> organization in Github and has among other things replaced the portage
>> and musl-dev trees with malicious versions of the ebuilds intended to
>> try removing all of your files.
>>
>> Whilst the malicious code shouldn't work as is and GitHub has now
>> removed the organization, please don't use any ebuild from the GitHub
>> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
>>
>> Sincerely,
>> Francisco Blas Izquierdo Riera (klondike)
>> Gentoo developer.
>>
>>
>
> Is it at all likely that any signing keys have been compromised? I
> can't think of how that would happen, but I don't know much about the
> situation.
>

It is my understanding release engineering maintains separate keys
explicitly to prevent situations like this from getting worse.

But, the same machine which was compromised (if a machine was
compromised) likely had commit signing keys. Considering the size of
Gentoo I think GitHub would respond to a request for information on
who added the malicious account to the project if that information is
not already available.


Considering what was done it could be assumed that no access to the
master repository was available. If so, any change pushed to the
mirror might have been far easier to notice and the attacker could
have considered their GitHub access worthless.

I'm not sure the above is a reasonable assessment; someone likely just
burned access easily worth multiple millions of dollars in CPU time.
Other infrastructure should be under scrutiny for past exploitation.

Cheers,
R0b0t1
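The thread raises two distinct questions for anyone holding a clone of the mirror: are the commits signed at all, and is a good signature still meaningful if the signing host may have been compromised. The script below is an added example written for this thread, not Gentoo tooling and not something either poster provided. It audits the output of `git log --format='%h %ct %G? %GK'` (git's own signature-status letters and signing-key ids) against a trust set, and additionally flags commits made after a cutoff by keys whose host is under review. The log lines, key ids and the review set are constructed for the example; the cutoff is the 28/06/2018 18:00 GMT time given in the warning.

```python
"""Audit a git mirror's history for commits without a good signature from a
trusted key. Added example for this thread, not Gentoo's own tooling."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterator, List, Optional, Tuple

# Constructed sample of `git log --format='%h %ct %G? %GK'` output. The status
# letters are git's own: G good, B bad, U good but untrusted, X/Y/R good but
# expired / key expired / key revoked, E cannot be checked, N no signature.
# Hashes, timestamps and key ids are made up for the example.
SAMPLE_LOG = """\
c0ffee000001 1530100000 G 1111111111111111
c0ffee000002 1530210000 N
c0ffee000003 1530211000 G 2222222222222222
c0ffee000004 1530212000 B 1111111111111111
c0ffee000005 1530213000 G 1111111111111111
c0ffee000006 1530214000 U 3333333333333333
"""

# Hypothetical long key ids the auditor accepts.
TRUSTED_KEYS = frozenset({"1111111111111111"})
# Keys whose signing host is suspected compromised: their signatures after the
# cutoff still verify, but verification alone no longer proves the author's intent.
KEYS_UNDER_REVIEW = frozenset({"1111111111111111"})
# 28/06/2018 18:00 GMT, the time given in the warning.
CUTOFF = int(datetime(2018, 6, 28, 18, 0, tzinfo=timezone.utc).timestamp())

STATUS_TEXT = {
    "B": "bad signature",
    "U": "good signature from untrusted key",
    "X": "good signature, expired",
    "Y": "good signature, key expired",
    "R": "good signature, key revoked",
    "E": "signature could not be checked",
    "N": "no signature",
}


@dataclass(frozen=True)
class Finding:
    commit: str
    reason: str


def parse_log(text: str) -> Iterator[Tuple[str, int, str, str]]:
    """Yield (commit, unix_time, status, key_id) from the log format above.
    %GK is empty for unsigned commits, so the fourth field is optional."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=3)
        commit, stamp, status = parts[0], int(parts[1]), parts[2]
        key_id = parts[3].strip() if len(parts) > 3 else ""
        yield commit, stamp, status, key_id


def audit(text: str, trusted_keys, keys_under_review=frozenset(),
          cutoff: Optional[int] = None) -> List[Finding]:
    """Return one Finding per commit that should not be trusted as-is."""
    findings: List[Finding] = []
    for commit, stamp, status, key_id in parse_log(text):
        if status != "G":
            findings.append(Finding(commit, STATUS_TEXT.get(status, f"status {status}")))
        elif key_id not in trusted_keys:
            findings.append(Finding(commit, f"good signature from key {key_id} not in trust set"))
        elif key_id in keys_under_review and (cutoff is None or stamp >= cutoff):
            findings.append(Finding(commit, f"signed by key {key_id} under review after cutoff"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, TRUSTED_KEYS, KEYS_UNDER_REVIEW, CUTOFF):
        print(f.commit, f.reason)
```

Feeding real output in is a matter of piping `git log --format='%h %ct %G? %GK' origin/master` into `audit`; the review set is what distinguishes "the signature is valid" from "the key holder's machine was not the one pushing", which is the point R0b0t1 raises about commit signing keys living on the compromised host.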