
Thread: Update Manager sudo trojan

  1. #11
    Join Date
    Sep 2009
    Beans
    8,874
    Distro
    Ubuntu Development Release

    Re: Update Manager sudo trojan

    But what about the duplication? Why did I have two sudo with slightly different descriptions?
    Not sure; you would have to look up the packages of that setup and their dependencies, I suspect.


    So what would happen if the Ubuntu repositories were cracked and a trojan added for download?
    Nothing, I believe, gets put in the repos without being approved. This is with being able to look at all the code, since this is open source; hard to say how much is looked at, though, I would not know really. Actually, a user, an IT pro who runs the IRC freenode channel ##windows, said in a conversation with me that he thought the Ubuntu repos and the GPG key setup with open source were extremely safe, and wished others would follow this lead.

    As I understand it, a trojan is malicious code that the user puts on his/her computer knowing that it's software, thinking that it's wanted/needed, but not knowing that it's harmful.
    Certainly possible, but to endanger Linux it has to be in code that runs in it and has root access; I suppose this is just part of being safe. The definition of a trojan, though, is sort of broad; none of this, though, is an area of expertise for me really. A popup like the ones seen saying "you're infected, click here" would not run in Linux unless written for it, and none is known to be on the web.

    Third party repos are a concern. But I'm hoping Oracle and Scribus are at least the same order of magnitude as safe as Ubuntu...
    I suspect they are; Oracle has a lot of money and wants to keep its market hold, so letting security be a problem would be a bad business move.

  2. #12
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Update Manager sudo trojan

    The only update to sudo I have had was this one:

    Code:
    charles@Thor:/var/log/unattended-upgrades$ cat unattended-upgrades-dpkg_2012-05-17_06\:39\:41.220505.log
    (Reading database ... 98896 files and directories currently installed.)
    Preparing to replace sudo 1.8.3p1-1ubuntu3.1 (using .../sudo_1.8.3p1-1ubuntu3.2_amd64.deb) ...
    Unpacking replacement sudo ...
    Processing triggers for ureadahead ...
    Processing triggers for man-db ...
    Setting up sudo (1.8.3p1-1ubuntu3.2) ...

    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #13
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Update Manager sudo trojan

    For what it's worth, on the system that I use and update every day I had updates to Sudo two days in a row earlier in the week. However, on the system that I use and update less frequently there was only one. It's possible, though I wasn't really keeping track, that the earlier update addressed one thing but caused unforeseen breakages elsewhere, which were then addressed immediately. That happens from time to time with other packages, and is far, far more likely than the introduction of a trojan package to the repositories.

  4. #14
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Update Manager sudo trojan

    Quote Originally Posted by AlanQ View Post
    Have I somehow allowed in a trojan? Or in some other way been cracked?
    No. It would be nearly impossible for that to happen since Ubuntu packages are digitally signed.
    Occam's Razor for computers: Viruses must never be postulated without necessity -- nevius

    My Blog

  5. #15
    Join Date
    Mar 2005
    Beans
    70

    Re: Update Manager sudo trojan

    Thanks again, wilee-nilee

    Quote Originally Posted by OpSecShellshock View Post
    For what it's worth, on the system that I use and update every day I had updates to Sudo two days in a row earlier in the week...
    That's good to know.

    Quote Originally Posted by rookcifer View Post
    No. It would be nearly impossible for that to happen since Ubuntu packages are digitally signed.
    Ah, yes. I hadn't thought of that. They'd have to crack both the package server and the signature server.

    Still nothing relevant when I search on Ubuntu news. So I guess all is well...

    Thanks to all who have posted ideas, info, suggestions, answered my questions, etc.

  6. #16
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Update Manager sudo trojan

    Quote Originally Posted by AlanQ View Post
    Thanks again, wilee-nilee

    That's good to know.

    Ah, yes. I hadn't thought of that. They'd have to crack both the package server and the signature server.
    No, they'd have to go further than that. They'd have to steal the private key of the Ubuntu maintainers, which would mean hacking their machine and somehow brute-forcing the key's password. That is, if the Ubuntu developers even keep the key on an Internet connected machine in the first place.

    There have been instances where Linux distro repositories have been breached and where rogue packages have been uploaded (it happened to Fedora at least once). However, those packages were always caught because they failed signature verification. An attacker would have to actually steal the signing private key to make the attack go unnoticed. While not impossible, it would be very very difficult if the maintainers were careful about protecting the private key.

    So, basically, if the suspicious updates you are talking about passed signature verification, they are legit updates.
    Occam's Razor for computers: Viruses must never be postulated without necessity -- nevius

    My Blog

  7. #17
    Join Date
    Mar 2005
    Beans
    70

    Re: Update Manager sudo trojan

    Even better

  8. #18
    Join Date
    Sep 2011
    Beans
    38

    Re: Update Manager sudo trojan

    Quote Originally Posted by rookcifer View Post
    No, they'd have to go further than that. They'd have to steal the private key of the Ubuntu maintainers, which would mean hacking their machine and somehow brute-forcing the key's password. That is, if the Ubuntu developers even keep the key on an Internet connected machine in the first place.

    There have been instances where Linux distro repositories have been breached and where rogue packages have been uploaded (it happened to Fedora at least once). However, those packages were always caught because they failed signature verification. An attacker would have to actually steal the signing private key to make the attack go unnoticed. While not impossible, it would be very very difficult if the maintainers were careful about protecting the private key.

    So, basically, if the suspicious updates you are talking about passed signature verification, they are legit updates.
    +1 for Linux
