Mail Archives: cygwin/2007/07/16/11:31:21

X-Spam-Check-By: sourceware.org
Message-ID: <469B8F2C.8020600@cs.wisc.edu>
Date: Mon, 16 Jul 2007 10:30:52 -0500
From: Louis Kruger <lpkruger AT cs DOT wisc DOT edu>
User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: hacked package on server
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

I performed a cygwin update today, and was confronted with an MD5 
failure on one of the packages.

The package was vim-7.1-1.tar.bz2 downloaded from mirrors.dotsrc.org

As the package installed, I saw some strange behavior. I'm worried it 
might have been some kind of trojan.

I saved the hacked package file in case a cygwin developer wants to see 
it.  I was able to get the vim-7.1-1.tar.bz2 from another server with 
the correct MD5.

The correct md5:
df543517110fa14fcc13a207ef721459 *vim-7.1-1.tar.bz2

The md5 of the hacked package:
43f00ebc2964d7c84fde7b7150f1b3a5 *vim-7.1-1.tar.bz2-HACKED


I also have a complaint: the dialog that notifies the user of the 
failed MD5 is not well designed.  The dialog asks "Do you want to skip 
the package?" and has a yes and no button.  I read it quickly and 
pressed no before thinking about it, and the package went ahead and tried to 
install.  I think there should be a little more effort to restrain the 
user from performing a dangerous action such as installing a package 
with a wrong MD5.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
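The two points in the report, a digest check on a downloaded package and a dialog whose default leads to installing a file that failed that check, can be shown together in a small fail-closed verifier. The code below is an added example and is not Cygwin setup's code. It parses an `md5sum`-style listing (the same `HEX *name` form quoted in the report), streams the file through MD5, and returns "skip" as the default decision for any missing or mismatching digest; installing anyway requires an explicit typed override rather than a yes/no answer. The sample files and manifest it builds are constructed for the demonstration (MD5 of the bytes `hello`), not the package from the report.

```python
"""Added example: fail-closed MD5 verification of downloaded package files.

Not Cygwin setup's code. It models the check setup runs before installing
a package and a decision function whose default is the safe action (skip).
"""
import hashlib
import hmac
import os
import tempfile

# Listing in md5sum output format. The first line is the digest the report
# gives for the genuine vim-7.1-1.tar.bz2; the second is a constructed
# sample entry (MD5 of the bytes b"hello") used by build_sample() below.
MANIFEST_TEXT = """\
df543517110fa14fcc13a207ef721459 *vim-7.1-1.tar.bz2
5d41402abc4b2a76b9719d911017c592 *sample.tar.bz2
"""

def parse_md5sum_lines(text):
    """Parse 'HEX *name' or 'HEX  name' lines into {name: hex_digest}."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # md5sum marks binary-mode entries with '*'
        digest = digest.lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest line: {raw!r}")
        expected[name] = digest
    return expected

def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so large archives do not need to fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, expected_digest):
    """Return (matches, actual_digest) for the file at path."""
    actual = md5_of_file(path)
    return hmac.compare_digest(actual, expected_digest.lower()), actual

def install_decision(path, manifest, override=None):
    """Decide ('install' | 'skip', reason) for one downloaded file.

    Fail closed: no listed digest or a mismatch yields 'skip'. The only way
    past a mismatch is the exact typed phrase 'install <name> anyway', so a
    hasty click on the wrong button cannot install a tampered file.
    """
    name = os.path.basename(path)
    expected = manifest.get(name)
    if expected is None:
        return "skip", f"no digest listed for {name}"
    ok, actual = verify_download(path, expected)
    if ok:
        return "install", "digest matches"
    reason = f"digest mismatch: expected {expected}, got {actual}"
    if override == f"install {name} anyway":
        return "install", reason + " (explicit override)"
    return "skip", reason

SAMPLE_MANIFEST = parse_md5sum_lines(MANIFEST_TEXT)

def build_sample():
    """Constructed test data: two 'mirrors' serving the same package name,
    one genuine (b"hello") and one altered (an extra trailing byte)."""
    root = tempfile.mkdtemp(prefix="md5demo-")
    paths = {}
    for label, data in (("good", b"hello"), ("tampered", b"hello\n")):
        mirror = os.path.join(root, f"mirror-{label}")
        os.makedirs(mirror)
        path = os.path.join(mirror, "sample.tar.bz2")
        with open(path, "wb") as f:
            f.write(data)
        paths[label] = path
    return paths

if __name__ == "__main__":
    samples = build_sample()
    for label, path in samples.items():
        print(label, *install_decision(path, SAMPLE_MANIFEST))
    print("override", *install_decision(samples["tampered"], SAMPLE_MANIFEST,
                                        override="install sample.tar.bz2 anyway"))
```

The listing parser accepts the report's own `md5sum` lines unchanged, so the genuine digest from the message is already in `SAMPLE_MANIFEST`. MD5 is used here only because it is what the installer of the time checked; it is not collision resistant, so a package index written today should carry a digest such as SHA-256 and, ideally, a signature over the index itself.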

  Copyright © 2019   by DJ Delorie     Updated Jul 2019