This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

hacked package on server


I performed a cygwin update today, and was confronted with an MD5 failure on one of the packages.

The package was vim-7.1-1.tar.bz2 downloaded from mirrors.dotsrc.org

As the package installed, I saw some strange behavior, I'm worried it might have been some kind of trojan.

I saved the hacked package file in case a cygwin developer wants to see it. I was able to get the vim-7.1-1.tar.bz2 from another server with the correct MD5.

The correct md5:
df543517110fa14fcc13a207ef721459 *vim-7.1-1.tar.bz2

The md5 of the hacked package:
43f00ebc2964d7c84fde7b7150f1b3a5 *vim-7.1-1.tar.bz2-HACKED


I also have a complaint: the dialog that notifies the user of the failed MD5 is not well designed. The dialog asks "Do you want to skip the package?" and has a yes and no button. I read it quickly and pressed no before thinking about it, the package went ahead and tried to install. I think there should be a little more effort to restrain the user from performing a dangerous action such as installing a package with a wrong MD5.


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]