Update Manager sudo trojan

**wilee-nilee** · May 18th, 2012

But what about the duplication? Why did I have two sudo with slightly different descriptions?

Not sure you would have to look up packages of that set up and dependencies I suspect.

So what would happen if the Ubuntu repositories were cracked and a trojan added for download?

Nothing I believe gets put in the repos without being approved. This is with being able to look at all the code, since this is open source, hard to say how much is looked at though I would not know really. Actually the user a IT pro, that runs the IRC freenode channel ##windows in a conversation with me said he thought that the ubuntu repos and the gpt key setup with open source were extremely safe, and wished others would follow this lead.

As I understand it, a trojan is malicious code that the user puts on his/her computer knowing that it's software, thinking that it's wanted/needed, but not knowing that it's harmful.

Certainly possible, but to endanger linux it has to be in a code that runs in it and have root access, I suppose this just part of being safe. The definition of a trojan though is sort of broad, none of this though is an area of expertise for me really. A popup like is seen your infected click here, would nut run in linux unless written for it, and none is known to be on the web.

Third party repos are a concern. But I'm hoping Oracle and Scribus are at least the same order of magnitude as safe as Ubuntu...

I suspect they are oracle has a lot of money, and wants to keep its market hold, letting security be a problem would be a bad business move.

**CharlesA** · May 18th, 2012

The only update to sudo I have had was this one:

Code:

charles@Thor:/var/log/unattended-upgrades$ cat unattended-upgrades-dpkg_2012-05-17_06\:39\:41.220505.log
(Reading database ... 98896 files and directories currently installed.)
Preparing to replace sudo 1.8.3p1-1ubuntu3.1 (using .../sudo_1.8.3p1-1ubuntu3.2_amd64.deb) ...
Unpacking replacement sudo ...
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Setting up sudo (1.8.3p1-1ubuntu3.2) ...

**OpSecShellshock** · May 19th, 2012

For what it's worth, on the system that I use and update every day I had updates to Sudo two days in a row earlier in the week. However, on the system that I use and update less frequently there was only one. It's possible, though I wasn't really keeping track, that the earlier update addressed one thing but caused unforeseen breakages elsewhere, which were then addressed immediately. That happens from time to time with other packages, and is far, far more likely than the introduction of a trojan package to the repositories.

**rookcifer** · May 19th, 2012

Originally Posted by AlanQ

Have I somehow allowed in a trojan? Or in some other way been cracked?

No. It would be nearly impossible for that to happen since Ubuntu packages are digitally signed.

**AlanQ** · May 21st, 2012

Thanks again, wilee-nilee

Originally Posted by OpSecShellshock

For what it's worth, on the system that I use and update every day I had updates to Sudo two days in a row earlier in the week...

That's good to know.

Originally Posted by rookcifer

No. It would be nearly impossible for that to happen since Ubuntu packages are digitally signed.

Ah, yes. I hadn't thought of that. They'd have to crack both the package server and the signature server.

Still nothing relevant when I search on Ubuntu news. So I guess all is well...

Thanks to all who have posted ideas, info, suggestions, answered my questions, etc.

**rookcifer** · May 21st, 2012

Originally Posted by AlanQ

Thanks again, wilee-nilee

That's good to know.

Ah, yes. I hadn't thought of that. They'd have to crack both the package server and the signature server.

No, they'd have to go further than that. They'd have to steal the private key of the Ubuntu maintainers, which would mean hacking their machine and somehow brute-forcing the key's password. That is, if the Ubuntu developers even keep the key on an Internet connected machine in the first place.

There have been instances where Linux distro repositories have been breached and where rogue packages have been uploaded (it happened to Fedora at least once). However, those packages were always caught because they failed signature verification. An attacker would have to actually steal the signing private key to make the attack go unnoticed. While not impossible, it would be very very difficult if the maintainers were careful about protecting the private key.

So, basically, if the suspicious updates you are talkimg about passed signature verification, they are legit updates.

**AlanQ** · May 22nd, 2012

Even better

**bohemian9485** · May 23rd, 2012

Originally Posted by rookcifer

No, they'd have to go further than that. They'd have to steal the private key of the Ubuntu maintainers, which would mean hacking their machine and somehow brute-forcing the key's password. That is, if the Ubuntu developers even keep the key on an Internet connected machine in the first place.

There have been instances where Linux distro repositories have been breached and where rogue packages have been uploaded (it happened to Fedora at least once). However, those packages were always caught because they failed signature verification. An attacker would have to actually steal the signing private key to make the attack go unnoticed. While not impossible, it would be very very difficult if the maintainers were careful about protecting the private key.

So, basically, if the suspicious updates you are talkimg about passed signature verification, they are legit updates.

+1 for Linux