SquirrelMail 1.4.13 released - older versions compromised

Posted Dec 18, 2007 2:59 UTC (Tue) by tetromino (subscriber, #33846)
In reply to: SquirrelMail 1.4.13 released - older versions compromised by wahern
Parent article: SquirrelMail 1.4.13 released - older versions compromised

> The constraint that it must "look reasonable to a casual human inspector" doesn't make
> sense.

The constraint makes sense in the specific context of a php script. Too many times, I have
been bitten by an update to a webapp that broke my customized setup. Therefore, whenever I
install an update for a webapp, I look at the diff. Now, I am not a php expert and I don't
analyze it in detail, so it's quite likely that I will miss a subtle backdoor. However, if I
see 100000 lines of garbage that were introduced just to make the md5 sums coincide, I will
become extremely suspicious. I am sure thousands of other people who perform due diligence
when installing updates will notice the same thing.
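A worked illustration of the review step the commenter describes, added here as an example and not code from the commenter, from LWN, or from the SquirrelMail project. Padding bytes inserted into a PHP file to steer a hash have to live somewhere the parser ignores, such as a comment or a string literal, and they look like random data rather than code; the script below scans the added lines of a unified diff for exactly that profile (long, high-entropy lines) and separately flags files whose added-line count is out of proportion for a routine update. The diff, the file names, the blob standing in for the padding, and the thresholds are all constructed assumptions for the example; the blob is not a real MD5 collision block.

```python
import math
import string
from collections import Counter
from typing import Dict, Iterator, List, Tuple

# Constructed stand-in for collision padding: every base64 character twice,
# so its Shannon entropy is exactly log2(64) = 6 bits per character. It is
# NOT a real MD5 collision block, only a placeholder with the statistical
# profile such padding has once it is hidden inside a PHP comment.
BLOB = "".join(reversed(string.ascii_letters + string.digits + "+/")) * 2

# Constructed unified diff of an imaginary webapp update: an ordinary hunk
# in login.php, and a hunk in config.php that smuggles the blob into a comment.
SAMPLE_DIFF = (
    "--- a/src/login.php\n"
    "+++ b/src/login.php\n"
    "@@ -10,2 +10,5 @@\n"
    " session_start();\n"
    "+    if (!isset($_SESSION['user_id']) || !isset($_SESSION['login_time'])) {\n"
    "+        header('Location: index.php');\n"
    "+    }\n"
    " $user = $_SESSION['user_id'];\n"
    "--- a/src/config.php\n"
    "+++ b/src/config.php\n"
    "@@ -1,2 +1,3 @@\n"
    " <?php\n"
    f"+/* {BLOB} */\n"
    " $debug = false;\n"
)


def shannon_entropy(text: str) -> float:
    """Bits per character of `text` under its own empirical symbol distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def added_lines(diff_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (filename, content) for every '+' line of a unified diff.

    The '+++ b/path' header is recognised only directly after a '--- ' line, so
    an added line whose content happens to start with '++ ' is not mistaken
    for a header.
    """
    current = "?"
    expect_new_header = False
    for raw in diff_text.splitlines():
        if raw.startswith("--- "):
            expect_new_header = True
            continue
        if expect_new_header and raw.startswith("+++ "):
            current = raw[4:].split("\t")[0]
            current = current[2:] if current.startswith("b/") else current
            expect_new_header = False
            continue
        expect_new_header = False
        if raw.startswith("+"):
            yield current, raw[1:]


def suspicious_lines(diff_text: str, min_len: int = 64,
                     min_entropy: float = 5.0) -> List[Tuple[str, str, float]]:
    """Added lines long and random-looking enough to be padding rather than code.

    Ordinary source lines repeat spaces, identifiers and punctuation and sit
    around 4 to 4.6 bits/char; base64-like filler approaches 6. The thresholds
    are assumptions chosen for this example, not calibrated values.
    """
    hits = []
    for filename, content in added_lines(diff_text):
        if len(content) < min_len:
            continue
        entropy = shannon_entropy(content)
        if entropy >= min_entropy:
            hits.append((filename, content, round(entropy, 2)))
    return hits


def bulk_additions(diff_text: str, max_added: int = 50) -> Dict[str, int]:
    """Files whose count of added lines exceeds what a routine update would add.

    This is the "100000 lines of garbage" check: even padding that is split
    into many short, innocuous-looking lines still inflates the line count.
    """
    counts = Counter(filename for filename, _ in added_lines(diff_text))
    return {f: n for f, n in counts.items() if n > max_added}


if __name__ == "__main__":
    for filename, content, entropy in suspicious_lines(SAMPLE_DIFF):
        print(f"{filename}: {entropy} bits/char, {len(content)} chars: {content[:40]}...")
    for filename, n in bulk_additions(SAMPLE_DIFF, max_added=2).items():
        print(f"{filename}: {n} added lines")
```

Run against the constructed diff, only the config.php comment line is reported by the entropy check, and lowering `max_added` to 2 makes the bulk check report login.php with its three added lines. Neither heuristic replaces a signed release or a signature check on the tarball; they only make the kind of "garbage" the comment talks about hard to slip past a reviewer skimming a diff.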


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds