Re: Security Breach Alert - CVS Home File Download Area Compromised

[Todd Denniston]

Arno Schuring wrote:
> 
> >
> > When I download a source "*.tar.gz" and corresponding "*.tar.gz.sig", I
> > get
> > file sizes consistent with values on download page and a PGP signature
> > check
> > reports a valid file.
> 
> I haven't been able to download cvs-1.11.18.tar.gz.sig, does not even create
> an empty file. When clicking 'info' on the download page, it says 'file
> size: 0.0'. This is using Firefox 1.0 on Windows XP.
<SNIP>
Another Data point.
Platform: Linux 2.4.26
Browser1:  Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.1) 
Browser2:  Lynx Version 2.8.4rel.1 (17 Jul 2001)

with mozilla, right clicking and selecting "Save link target as" results in 
-rw-r--r--    1    696918 Jan 26 08:57 cvs-1.12.11-Darwin-7.7.0-powerpc.gz
for
https://ccvs.cvshome.org/files/documents/19/681/cvs-1.12.11-Darwin-7.7.0-powerpc.gz

with mozilla, right clicking and selecting "Save link target as" results in
no file downloaded  for the following link.
https://ccvs.cvshome.org/files/documents/19/682/cvs-1.12.11-Darwin-7.7.0-powerpc.gz.sig
However I get no errors.

with lynx
`lynx -accept_all_cookies -source \
https://ccvs.cvshome.org/files/documents/19/682/cvs-1.12.11-Darwin-7.7.0-powerpc.gz.sig
\ >cvs-1.12.11-Darwin-7.7.0-powerpc.gz.sig`
I get a 66 byte file.

I grabbed what could be Conrad's pub key (it verifies a message from the guy
posting to this list as Conrad :) from MIT,
http://pgp.mit.edu:11371/pks/lookup?search=Conrad+T.+Pino&op=index&fingerprint=on
and imported into a key ring.

-rw-r--r--    1      2462 Jan 26 09:20 ConradTPinoKey.html
-rw-r--r--    1      5822 Jan 26 09:30 Conradmsg.txt
-rw-r--r--    1    696918 Jan 26 08:57 cvs-1.12.11-Darwin-7.7.0-powerpc.gz
-rw-r--r--    1        66 Jan 26 09:22
cvs-1.12.11-Darwin-7.7.0-powerpc.gz.sig

gpg --verify Conradmsg.txt                           

gpg: Signature made Wed Jan 26 01:45:40 2005 EST using DSA key ID 9BCD3A3D
gpg: Good signature from "Conrad T. Pino <Conrad@Pino.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
owner.
Primary key fingerprint: 3DF1 DE6C 1AFD 8847 08F1  470A B34C DBCB 9BCD 3A3D

gpg --verify cvs-1.12.11-Darwin-7.7.0-powerpc.gz.sig 

gpg: Signature made Mon Jan 17 14:55:38 2005 EST using DSA key ID 9BCD3A3D
gpg: Good signature from "Conrad T. Pino <Conrad@Pino.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
owner.
Primary key fingerprint: 3DF1 DE6C 1AFD 8847 08F1  470A B34C DBCB 9BCD 3A3D

So it seems Something is NOT right with the download page, but if the key
from MIT is correct it looks like the above files are ok (from here).

-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane) 
Harnessing the Power of Technology for the Warfighter