[Reproducible-builds] Juniper ScreenOS backdoor

Steven Chamberlain steven at pyro.eu.org
Mon Dec 21 19:21:44 UTC 2015


One of the reproducible builds talk slides, showed a diff of OpenSSH
before and after some off-by-one vulnerability was fixed.

Here's a real-world malicious backdoor in Juniper ScreenOS's sshd:
The yellow highlighted string allows login as any user.  Full article:

Whilst this may have been added in source code, it was well-disguised in
the disassembly and just 7 instructions long.  I thought this was a good
example of the current state-of-the-art, and why we'd like our binaries
and eventually, installer and VM images reproducible IMHO.

Steven Chamberlain
steven at pyro.eu.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20151221/c4eb13ca/attachment.sig>

More information about the Reproducible-builds mailing list