Repository vandalism by root at ...fd.o
Luc Verhaegen
libv at skynet.be
Tue Nov 23 04:47:19 PST 2010
On Tue, Nov 23, 2010 at 01:32:30PM +0100, Luc Verhaegen wrote:
> Radeonhd repo:
> http://cgit.freedesktop.org/xorg/driver/xf86-video-radeonhd/commit/?h=spigot
>
> author SPIGOT <root at jerkcity.com> 2010-11-02 04:21:14 (GMT)
> committer SPIGOT <root at jerkcity.com> 2010-11-02 04:21:14 (GMT)
> commit 231683e2f111bb064125f64f2da797d744cde7fa (patch)
> ...
> PERHAPS BONGHITS WILL FIX MY MAKEFILE
> Signed-off-by: SPIGOT <root at jerkcity.com>
>
> Very funny, but the person responsible forgot that maybe, this puts the
> whole trust in anything on fd.o at risk.
>
> A look at the repo itself shows:
>
> ...xf86-video-radeonhd/objects$ ls -al 23/1683e2f111bb064125f64f2da797d744cde7fa
> -r--r--r-- 1 root xorg 205 2010-11-01 21:22 23/1683e2f111bb064125f64f2da797d744cde7fa
>
> This while others clearly show:
>
> ...xf86-video-radeonhd/objects$ ls -al 00/8cf170fe2f7d7c52bb691f77d2199a2e21f9d6
> -r--r--r-- 1 mhopf xorg 596 2010-05-12 07:34 00/8cf170fe2f7d7c52bb691f77d2199a2e21f9d6
>
> So, who has root access to annarchy or any other of the servers, and who
> thought this would be funny, and who deserves to lose his access right
> here, right now?
>
> Luc Verhaegen.
It is clear that this is not a normal security breach, as this commit is
fully in line with the naming scheme used by fd.o. Plus, the
history of radeonhd, combined with who I think have root access, makes
it seem quite likely that this was simply one of the people with regular
root access.
Luc Verhaegen.
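
Added example, not part of the original message: the per-object ownership check done by hand with `ls -al` in the quoted text, applied to every loose object under a repository's `objects/` directory. The function names and the set of expected owners are assumptions made for illustration.

```python
import os
import pwd
import re
import sys
import time
from pathlib import Path

FANOUT = re.compile(r"^[0-9a-f]{2}$")   # objects/23/
LOOSE = re.compile(r"^[0-9a-f]{38}$")   # objects/23/1683e2...

def owner_name(uid):
    """Map a uid to an account name, falling back to the number."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def audit_loose_objects(objects_dir, expected_owners):
    """Return (object_id, owner, mtime_utc) for every loose object whose
    file owner is not in expected_owners (hypothetical allow-list)."""
    findings = []
    for fanout in sorted(Path(objects_dir).iterdir()):
        if not (fanout.is_dir() and FANOUT.match(fanout.name)):
            continue  # skips pack/ and info/
        for obj in sorted(fanout.iterdir()):
            if not LOOSE.match(obj.name):
                continue
            st = obj.lstat()
            owner = owner_name(st.st_uid)
            if owner not in expected_owners:
                stamp = time.strftime("%Y-%m-%d %H:%M:%S",
                                      time.gmtime(st.st_mtime))
                findings.append((fanout.name + obj.name, owner, stamp))
    return findings

if __name__ == "__main__":
    # usage: audit.py <repo>/objects <expected-owner> [<expected-owner> ...]
    for oid, owner, stamp in audit_loose_objects(sys.argv[1], set(sys.argv[2:])):
        print(f"{stamp}  {owner:<12} {oid}")
```

File ownership only records which local account wrote the object file, and the per-object signal is lost once objects are repacked into a packfile.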