Repository vandalism by root at ...fd.o
Luc Verhaegen
libv at skynet.be
Tue Nov 23 04:57:25 PST 2010
On Tue, Nov 23, 2010 at 01:47:19PM +0100, Luc Verhaegen wrote:
> On Tue, Nov 23, 2010 at 01:32:30PM +0100, Luc Verhaegen wrote:
> > Radeonhd repo:
> > http://cgit.freedesktop.org/xorg/driver/xf86-video-radeonhd/commit/?h=spigot
> >
> > author SPIGOT <root at jerkcity.com> 2010-11-02 04:21:14 (GMT)
> > committer SPIGOT <root at jerkcity.com> 2010-11-02 04:21:14 (GMT)
> > commit 231683e2f111bb064125f64f2da797d744cde7fa (patch)
> > ...
> > PERHAPS BONGHITS WILL FIX MY MAKEFILE
> > Signed-off-by: SPIGOT <root at jerkcity.com>
> >
> > Very funny, but the person responsible forgot that maybe, this puts the
> > whole trust in anything on fd.o at risk.
> >
> > A look at the repo itself shows:
> >
> > ...xf86-video-radeonhd/objects$ ls -al 23/1683e2f111bb064125f64f2da797d744cde7fa
> > -r--r--r-- 1 root xorg 205 2010-11-01 21:22 23/1683e2f111bb064125f64f2da797d744cde7fa
> >
> > This while others clearly show:
> >
> > ...xf86-video-radeonhd/objects$ ls -al 00/8cf170fe2f7d7c52bb691f77d2199a2e21f9d6
> > -r--r--r-- 1 mhopf xorg 596 2010-05-12 07:34 00/8cf170fe2f7d7c52bb691f77d2199a2e21f9d6
> >
> > So, who has root access to annarchy or any other of the servers, and who
> > thought this would be funny, and who deserves to lose his access right
> > here, right now?
> >
> > Luc Verhaegen.
>
> It is clear that this is not a normal security breach, as this commit is
> fully in line with the naming scheme used by fd.o. Plus, given the
> history of radeonhd, combined with who i think have root access, makes
> it seem quite likely that this was simply one of the people with regular
> root access.
>
> Luc Verhaegen.
Also, the hooks/update script was not run, as that would've sent an
email to the radeonhd mailing list; the update hook was restored
afterwards, it seems:
...xf86-video-radeonhd/hooks$ ls -al
total 36
drwxrwsr-x 2 keithp xorg 4096 2010-11-04 15:01 .
drwxrwsr-x 8 eich xorg 4096 2009-12-09 06:09 ..
-rw-rw-r-- 1 keithp xorg 426 2007-09-17 11:09 applypatch-msg
-rw-rw-r-- 1 keithp xorg 528 2007-09-17 11:09 commit-msg
-rw-rw-r-- 1 keithp xorg 152 2007-09-17 11:09 post-commit
-rwxrwxr-x 1 keithp xorg 207 2007-09-17 11:09 post-update
-rw-rw-r-- 1 keithp xorg 373 2007-09-17 11:09 pre-applypatch
-rw-rw-r-- 1 keithp xorg 1616 2007-09-17 11:09 pre-commit
-rwxrwxr-x 1 keithp xorg 3755 2010-11-01 21:26 update
This is not random at all.
Luc Verhaegen.
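An added example, not part of this thread or of the fd.o tooling: a small Python helper (all names are assumed) that parses `ls -al` listings like the ones quoted above and pairs loose objects owned by an account outside the expected committer set with hook files modified around the same time, which is the check the mail performs by hand.

```python
from datetime import datetime, timedelta
import re

# One `ls -al` line as quoted in the mail: mode links owner group size date time name.
LS_RE = re.compile(
    r"^(?P<mode>[-dlrwxsStT]{10})\s+\d+\s+(?P<owner>\S+)\s+\S+\s+\d+\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+(?P<name>.+)$"
)

def parse_ls(text):
    """Parse `ls -al` output into dicts; skips the 'total' line and the . / .. entries."""
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line.strip())
        if not m or m.group("name") in (".", ".."):
            continue
        e = m.groupdict()
        e["mtime"] = datetime.strptime(f"{e['date']} {e['time']}", "%Y-%m-%d %H:%M")
        entries.append(e)
    return entries

def unexpected_objects(objects_ls, known_committers):
    """Loose objects written by an account that is not an expected committer."""
    return [e for e in parse_ls(objects_ls) if e["owner"] not in known_committers]

def hooks_touched_near(hooks_ls, when, window=timedelta(hours=1)):
    """Names of hook files whose mtime lies within `window` of `when`."""
    return [e["name"] for e in parse_ls(hooks_ls) if abs(e["mtime"] - when) <= window]

# Constructed sample listings, shaped like the ones quoted in the mail (assumed values).
OBJECTS_LS = """\
-r--r--r-- 1 root  xorg 205 2010-11-01 21:22 23/1683e2f111bb064125f64f2da797d744cde7fa
-r--r--r-- 1 mhopf xorg 596 2010-05-12 07:34 00/8cf170fe2f7d7c52bb691f77d2199a2e21f9d6
"""
HOOKS_LS = """\
total 36
drwxrwsr-x 2 keithp xorg 4096 2010-11-04 15:01 .
-rw-rw-r-- 1 keithp xorg 1616 2007-09-17 11:09 pre-commit
-rwxrwxr-x 1 keithp xorg 3755 2010-11-01 21:26 update
"""

def report(objects_ls=OBJECTS_LS, hooks_ls=HOOKS_LS, known_committers=("mhopf",)):
    """Pair each unexpected object with the hooks edited around the same time."""
    return [(o["owner"], o["name"], hooks_touched_near(hooks_ls, o["mtime"]))
            for o in unexpected_objects(objects_ls, known_committers)]

if __name__ == "__main__":
    for owner, name, hooks in report():
        print(f"{name}: owned by {owner}, hooks modified within an hour: {hooks}")
```

On a real bare repository the same check runs over the output of `ls -al` from the `objects/??` and `hooks` directories, with the committer set taken from the group's account list.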