Respository vandalism by root at ...fd.o

Luc Verhaegen libv at skynet.be
Tue Nov 23 04:47:19 PST 2010


On Tue, Nov 23, 2010 at 01:32:30PM +0100, Luc Verhaegen wrote:
> Radeonhd repo:
> http://cgit.freedesktop.org/xorg/driver/xf86-video-radeonhd/commit/?h=spigot
> 
> author	SPIGOT <root at jerkcity.com>	2010-11-02 04:21:14 (GMT)
> committer	SPIGOT <root at jerkcity.com>	2010-11-02 04:21:14 (GMT)
> commit	231683e2f111bb064125f64f2da797d744cde7fa (patch)
> ...
> PERHAPS BONGHITS WILL FIX MY MAKEFILE
> Signed-off-by: SPIGOT <root at jerkcity.com> 
> 
> Very funny, but the person responsible forgot that maybe, this puts the 
> whole trust in anything on fd.o at risk.
> 
> A look at the repo itself shows:
> 
> ...xf86-video-radeonhd/objects$ ls -al 23/1683e2f111bb064125f64f2da797d744cde7fa
> -r--r--r-- 1 root xorg 205 2010-11-01 21:22  23/1683e2f111bb064125f64f2da797d744cde7fa
> 
> This while others clearly show:
> 
> ...xf86-video-radeonhd/objects$ ls -al 00/8cf170fe2f7d7c52bb691f77d2199a2e21f9d6
> -r--r--r-- 1 mhopf xorg 596 2010-05-12 07:34 00/8cf170fe2f7d7c52bb691f77d2199a2e21f9d6
> 
> So, who has root access to annarchy or any other of the servers, and who 
> thought this would be funny, and who deserves to lose his access right 
> here, right now?
> 
> Luc Verhaegen.

It is clear that this is not a normal security breach, as this commit is 
fully in line with the naming scheme used by fd.o. Plus, given the 
history of radeonhd, combined with who i think have root access, makes 
it seem quite likely that this was simply one of the people with regular 
root access.

Luc Verhaegen.



More information about the xorg mailing list