Gentoo Linux Github Organization hacked and repo code compromised
A hacker managed to take control of the Github account for Gentoo Linux, going as far as inserting malicious code into the distros. The malware was designed to delete user data.
Although the situation is now under control, an investigation is underway to determine what happened. Anyone who has downloaded a Gentoo distro or other files recently is warned to "refrain from using code from the Gentoo Github Organization" for the time being.
The situation is not as serious as it could have been, thanks to the fact that Github is used as a mirror for files on Gentoo's own infrastructure. Gentoo's own servers were not attacked, but this is still a serious security breach which is being looked into.
Gentoo Linux shared news of the hack on Twitter:
Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there. More see link. https://t.co/Mxtcxki9Ce
— Gentoo Linux (@gentoo) June 28, 2018
The organization also shared a tweet from data specialist Jeff Hubbs:
To clarify: this breach does NOT involve the infrastructure by which @Gentoo Linux distributes and updates its software packages. The GitHub repository is just a downstream mirror. https://t.co/y7fSnDayqo
— Jeff Hubbs (@jeffhubbs) June 28, 2018
In a post on the Gentoo Linux website, the Gentoo foundation said:
Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on github should for the moment be considered compromised.
This does NOT affect any code hosted on the Gentoo infrastructure. Since the master Gentoo ebuild repository is hosted on our own infrastructure and since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org.
Also, the gentoo-mirror repositories including metadata are hosted under a separate Github organization and likely not affected as well.
All Gentoo commits are signed, and you should verify the integrity of the signatures when using git.
A later update said:
Update: 04:26 UTC. Gentoo has regained control of the Gentoo Github Organization. We are currently working with Github on a procedure for resolution. Please continue to refrain from using code from the Gentoo Github Organization. Development of Gentoo primarily takes place on Gentoo operated hardware (not on github) and remains unaffected. We continue to work with Github on establishing a timeline of what happened and we commit to sharing this with the community as soon as we can.
Anyone who downloaded images from Github recently is advised to either reinstall from scratch using images known to be clean, or to restore to a previous image.
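Gentoo's advice above is to verify commit signatures when using git. The script below is an added example, not code from the article or from Gentoo: it applies a simple policy to the machine-readable signature status that `git log` can print (`%G?` for the one-letter status, `%GK` for the signing key id) and flags any commit that is unsigned, has a bad or unverifiable signature, or was signed by a key outside an allowlist. The git log lines and the key ids in the allowlist are constructed for this example; the `--stdin` flag and the `TRUSTED_KEYS` set are assumptions of the example, not anything the article or Gentoo describes.

```python
"""
Policy check over git's signature status output, e.g. the output of

    git log --format='%H%x09%G?%x09%GK%x09%s' origin/master | python3 check_sigs.py --stdin

%G? is git's one-letter signature status: G good, B bad, U good but key of
unknown validity, X good but expired signature, Y good but expired key,
R good but revoked key, E cannot be checked (missing key), N not signed.
%GK is the id of the key that made the signature.
"""
import sys

# Constructed sample output for this example: hashes, key ids and subjects are made up.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111\tG\tAAAAAAAAAAAAAAAA\tdev-libs/foo: version bump
2222222222222222222222222222222222222222\tN\t\tadd helpful script
3333333333333333333333333333333333333333\tB\tBBBBBBBBBBBBBBBB\tsys-apps/bar: fix build
4444444444444444444444444444444444444444\tG\tCCCCCCCCCCCCCCCC\tapp-misc/baz: cleanup
"""

# Hypothetical allowlist of long key ids belonging to committers you recognise.
# In practice this would be populated from the project's published developer keys.
TRUSTED_KEYS = {"AAAAAAAAAAAAAAAA", "BBBBBBBBBBBBBBBB"}

# Statuses meaning "the signature itself verified". 'U' is included because gpg
# reports it when the key is not marked trusted in your keyring; the explicit
# allowlist below is what decides whether that key is acceptable.
VERIFIED = {"G", "U"}


def parse_log(text):
    """Yield (sha, status, key, subject) from tab-separated git log output."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 3)
        while len(parts) < 4:          # tolerate missing trailing fields
            parts.append("")
        yield tuple(parts)


def check_commits(text, trusted_keys=TRUSTED_KEYS):
    """Return a list of (sha, reason) for every commit that fails the policy."""
    failures = []
    for sha, status, key, _subject in parse_log(text):
        if status == "N":
            failures.append((sha, "unsigned commit"))
        elif status not in VERIFIED:
            failures.append((sha, f"signature status {status!r}"))
        elif key not in trusted_keys:
            failures.append((sha, f"signed by unexpected key {key}"))
    return failures


if __name__ == "__main__":
    # Read real git log output from stdin with --stdin, otherwise use the sample.
    text = sys.stdin.read() if "--stdin" in sys.argv[1:] else SAMPLE_LOG
    problems = check_commits(text)
    for sha, reason in problems:
        print(f"{sha[:12]}  {reason}")
    sys.exit(1 if problems else 0)
```

Run against the constructed sample it reports the unsigned commit, the commit with a bad signature, and the commit signed by a key outside the allowlist, and exits non-zero; a history whose every commit is signed by an allowlisted key exits zero. Because `git log` only reports what gpg tells it, the keyring on the verifying machine must actually contain the project's signing keys, otherwise every commit shows as `E` and is rejected.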