
Re: OpenSSH Security Advisory: Trojaned Distribution Files



Nick Holland [nick@holland-consulting.net] wrote:
 
> If you want to help, look at the source on the CD.  Look at the source
> on the current CVS repositories.  Look for anything that changed in a
> bad way.  Yes, that's a biiiig task.

First sweep and all looks well.  My method:
unpack the source from cd
set CVSROOT to anoncvs@anoncvs.ca.openbsd.org:/cvs
cd into source directory
cvs -q up -rOPENBSD_3_1_BASE -Pd | tee /tmp/cvs-up.log

Nothing.  This leads me to believe that, at least, that branch is safe.
Were there any changes, cvs should have pointed them out.

Next step will be to up to OPENBSD_3_1 (the patch branch) and compare to
the patches.  Hrm, easier would be to apply the patches individually and
compare to the patch branch using the same method above.  This will not
show OpenSSH issues, though, due to the OpenSSH upgrade in the patch branch.
Have to deal with OpenSSH separately.

That's the theory, at least. If my logic is flawed, -please- let me know.

Mike
-- 
"Let the power of Ponch compel you!  Let the power of Ponch compel you!"
   -- Zorak on Space Ghost

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
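
The sweep described in the message above relies on reading the cvs update log for anything unexpected. As an added example that is not part of the original post, this script classifies each line of such a log by cvs's standard status letter; the function names, class labels and sample paths are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): triage a log produced by
#   cvs -q up -rOPENBSD_3_1_BASE -Pd | tee /tmp/cvs-up.log
# Run the update on a copy of the unpacked tree: U/P lines mean cvs has
# already overwritten the file that was on disk.

# triage_cvs_log [LOGFILE]   (reads stdin when no file is given)
# Prints "<CLASS> <path or message>" per finding.
# Exit status: 0 = nothing reported, 1 = at least one finding.
triage_cvs_log() {
    awk '
        /^[ \t]*$/ { next }                                          # blank line
        /^[MC] /   { print "DIFFERS "   substr($0, 3); n++; next }   # local content differs from the tag
        /^[?] /    { print "UNTRACKED " substr($0, 3); n++; next }   # file the repository does not know
        /^[UP] /   { print "REPLACED "  substr($0, 3); n++; next }   # missing or at another revision; fetched
        /^[AR] /   { print "SCHEDULED " substr($0, 3); n++; next }   # pending local add/remove
                   { print "OTHER "     $0;            n++ }         # warnings, errors
        END        { exit (n > 0 ? 1 : 0) }
    ' "$@"
}

# Constructed sample log; the paths are placeholders, not real findings.
sample_log() {
    cat <<'EOF'
M example/dir/changed.c
? example/dir/extra.c
U example/dir/refetched.c
cvs update: warning: example/dir/lost.c was lost
EOF
}

if [ $# -gt 0 ]; then
    triage_cvs_log "$1"
else
    sample_log | triage_cvs_log || echo "findings above need manual review"
fi
```

Invoked with a log file argument, the script exits non-zero whenever the log contains any line at all, so it can gate a scripted sweep.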