
Kernel.org has been hacked… Google requested to take android repo offline.

The intrusion was discovered on August 28th. All kernel.org boxes are currently offline while they are backed up, and they are being completely reinstalled.

How the attackers managed to gain root access is currently unknown and is under investigation. The kernel.org maintainers are analysing the code in git and the released tarballs to confirm that nothing has been modified.

Until then, say goodbye to the Android repository:

[root@localhost WORKING_DIRECTORY]# repo sync
android.git.kernel.org[0: 130.239.17.13]: errno=Connection refused
android.git.kernel.org[0: 199.6.1.173]: errno=Connection refused
android.git.kernel.org[0: 2001:6b0:e:4017:1972:112:1:0]: errno=Network is unreachable
android.git.kernel.org[0: 2001:500:60:10:1972:112:1:0]: errno=Network is unreachable
fatal: unable to connect a socket (Network is unreachable)
error: Cannot fetch platform/bionic

One of the Linux kernel developers, Jon Corbet, stated that:

Kernel.org may seem like the place where kernel development is done, but it’s not; it’s really just a distribution point. So when we say that we know the kernel source has not been compromised on kernel.org, we really know it.

Nevertheless, I hope you checked the PGP signatures after downloading source code from kernel.org, because those files could have been altered by the attackers. That check only means something if the signing key is verified against a copy obtained independently of the compromised server; an attacker who can alter a tarball can just as easily replace a signature file and public key hosted next to it.

From a pure git perspective, the attackers would have a very hard time rewriting commit history unnoticed. A commit's SHA-1 covers its tree and its parent ids, so altering any file in an old commit changes that commit's id and, in a cascade, the id of every descendant commit; anyone with an existing clone would see the rewritten history diverge from their copy the next time they pulled.

Unfortunately, that protection only covers history that is already anchored by a signed tag. Signed tags are the only GPG-signed objects in these repositories; ordinary commits are not signed. An attacker who can push to a branch can add or alter commits there, and when a maintainer later tags that branch, the signature covers the tainted commits together with everything else reachable from the tag.
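Both points above (the hash cascade on rewritten history, and the fact that a signed tag covers whatever commit it is made on) can be checked offline by re-implementing git's object hashing, which is just SHA-1 over a typed header and body. The following Python is an added example written for this edit, not code from the original post or from the kernel.org or Android projects. The file contents, commit messages and the author identity are constructed; no GPG signing is performed, the block only shows which bytes a tag signature would cover.

```python
"""Re-implementation of git's object hashing (blob, tree, commit, tag) using
only hashlib, so the Merkle-chain property can be demonstrated offline.
Added example, not code from the original post or from kernel.org/Android.
All file contents, messages and the AUTHOR identity below are constructed."""
import hashlib
from typing import Dict, List, Tuple

# Constructed author/committer line in git's "Name <email> epoch tz" format.
AUTHOR = b"Example Dev <dev@example.invalid> 1314576000 +0000"


def git_object_id(kind: str, body: bytes) -> str:
    """SHA-1 over "<kind> <len>\\0<body>", what `git hash-object -t <kind>` computes."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_id(files: Dict[str, bytes]) -> str:
    """Flat tree of regular files (mode 100644); git stores entries sorted by name,
    each as "<mode> <name>\\0" followed by the 20 raw bytes of the blob id."""
    body = b""
    for name in sorted(files):
        body += f"100644 {name}\0".encode() + bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", body)


def commit_id(tree: str, parents: List[str], message: str) -> str:
    """A commit names its tree and its parent ids, so its id depends on the
    whole history behind it, not only on its own snapshot."""
    lines = [f"tree {tree}".encode()]
    lines += [f"parent {p}".encode() for p in parents]
    lines += [b"author " + AUTHOR, b"committer " + AUTHOR, b"", message.encode()]
    return git_object_id("commit", b"\n".join(lines) + b"\n")


def tag_id(commit: str, name: str, message: str) -> str:
    """Annotated tag object. `git tag -s` signs this body (the PGP block is then
    appended after the message), so a signature pins one commit id and,
    through the parent links, everything reachable from it."""
    body = (f"object {commit}\ntype commit\ntag {name}\n".encode()
            + b"tagger " + AUTHOR + b"\n\n" + message.encode() + b"\n")
    return git_object_id("tag", body)


def build_history(snapshots: List[Tuple[Dict[str, bytes], str]]) -> List[str]:
    """Linear history from (files, message) snapshots; returns commit ids oldest first."""
    ids: List[str] = []
    for files, msg in snapshots:
        ids.append(commit_id(tree_id(files), ids[-1:], msg))  # ids[-1:] is [] for the root
    return ids


def tamper_demo() -> Dict[str, object]:
    """Build a two-commit history, flip one byte in the root commit's file,
    rebuild, and report which ids changed."""
    clean = [
        ({"init.c": b"int init(void) { return 0; }\n"}, "Initial import"),
        ({"init.c": b"int init(void) { return 0; }\n", "README": b"docs\n"}, "Add README"),
    ]
    tainted = [
        ({"init.c": b"int init(void) { return 1; }\n"}, "Initial import"),  # one byte changed
        clean[1],  # second snapshot deliberately identical to the clean one
    ]
    clean_ids, tainted_ids = build_history(clean), build_history(tainted)
    release_tag = tag_id(clean_ids[-1], "v1.0", "Release v1.0")  # tag made before the taint
    return {
        "clean_ids": clean_ids,
        "tainted_ids": tainted_ids,
        "root_changed": clean_ids[0] != tainted_ids[0],
        # The tip's own tree is unchanged; its id moves only because "parent" moved.
        "tip_tree_unchanged": tree_id(clean[1][0]) == tree_id(tainted[1][0]),
        "tip_changed": clean_ids[1] != tainted_ids[1],
        # A tag (and its signature) made earlier no longer matches the rewritten tip ...
        "old_tag_matches_tainted_tip": release_tag == tag_id(tainted_ids[-1], "v1.0", "Release v1.0"),
        # ... but a tag made after the taint hashes, and would sign, the tainted tip.
        "tag_over_tainted_tip": tag_id(tainted_ids[-1], "v1.1", "Release v1.1"),
    }


if __name__ == "__main__":
    for key, value in tamper_demo().items():
        print(f"{key}: {value}")
```

Running it shows the root commit id, the tip commit id and the v1.0 tag id all change after a one-byte edit to the first commit's file, even though the tip's tree is byte-for-byte identical; that is the cascade a pull would expose. A tag made after the taint, by contrast, hashes (and would sign) the tainted tip, which is exactly the case the paragraph above warns about.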

You can read the official announcement on kernel.org.

For Android developers: you can always try the GitHub alternative at https://github.com/android, or read my tutorial on how to get the Android source code.


11 Responses to “Kernel.org has been hacked… Google requested to take android repo offline.”

  1. Artur Graniszewski says:

    Please note: as I already mentioned, the Android repo is offline. To access a backup of the Android source code you can use the GitHub alternative repo, my tutorial, or the online Google Code Search tool:

    http://www.google.com/codesearch/p?hl=en#cZwlSNS7aEw/

    However, using the latter would be very impractical.

  2. [...] Google itself was asked to take the Android repositories offline, since the extent of the [...] is not known [...]

  3. billy says:

    Thanks for the information and it works for me. Please allow me to disturb you with another question: How to get the 32-bit lib? I am using Ubuntu 11.04 and I can’t get the following libs: lib32ncurses5-dev, ia32-libs, lib32readline5-dev and lib32z-dev. I have tried almost all major repository servers. Any ideas on how to get those libraries? thanks. billy

  4. Artur Graniszewski says:

    @billy:

    try to use “apt-get install ia32-libs”

  5. Reader says:

    “Unfortunately while you can’t modify GPG signed tag commits, you can modify non signed commits (aka any commit that isn’t a tag) and it’ll get signed when it gets tagged.”

    wtf?

  6. Artur Graniszewski says:

    @Reader:

    It’s simple: not every commit in the android repo is GPG signed, only tags are. So a hacker could easily taint the Android source code in one of the branches and wait for a potential victim to commit those changes when promoting that branch into a tag. In that case, the new, tainted tag would be GPG signed by a valid, unaware user.

    You can read how this works here: http://book.git-scm.com/3_git_tag.html

  7. neelesh says:

    hey, how can I get a custom ROM for the LG Optimus Me???

  8. Amit says:

    I downloaded the froyo branch (the download itself succeeded), but compilation fails.

    Any help would be really great

    developer@ubuntu:~/android_froyo$ make
    ============================================
    PLATFORM_VERSION_CODENAME=REL
    PLATFORM_VERSION=2.2.2
    TARGET_PRODUCT=generic
    TARGET_BUILD_VARIANT=eng
    TARGET_SIMULATOR=false
    TARGET_BUILD_TYPE=release
    TARGET_BUILD_APPS=
    TARGET_ARCH=arm
    HOST_ARCH=x86
    HOST_OS=linux
    HOST_BUILD_TYPE=release
    BUILD_ID=FRG83G
    ============================================
    build/core/base_rules.mk:108: user tag on app Stk at packages/apps/Stk - add your app to core.mk instead
    external/webkit/Android.mk:79: external/webkit/bison_check.mk: No such file or directory
    external/webkit/Android.mk:214: external/webkit/WebKit/Android.mk: No such file or directory
    external/webkit/Android.mk:374: external/webkit/WebKit/android/wds/client/Android.mk: No such file or directory
    external/webkit/Android.mk:377: external/webkit/WebKit/android/benchmark/Android.mk: No such file or directory
    external/webkit/Android.mk:380: external/webkit/WebKitTools/android/webkitmerge/Android.mk: No such file or directory
    build/core/copy_headers.mk:15: warning: overriding commands for target `out/target/product/generic/obj/include/libpv/getactualaacconfig.h'
    build/core/copy_headers.mk:15: warning: ignoring old commands for target `out/target/product/generic/obj/include/libpv/getactualaacconfig.h'
    build/core/base_rules.mk:69: unusual tags none on e2fsck_static at external/e2fsprogs/e2fsck
    build/core/base_rules.mk:69: unusual tags none on mke2fs_static at external/e2fsprogs/misc
    build/core/base_rules.mk:69: unusual tags none on tune2fs_static at external/e2fsprogs/misc
    build/core/base_rules.mk:69: unusual tags systembuilder on badblocks at external/e2fsprogs/misc
    build/core/base_rules.mk:108: user tag on app QualcommSoftAP at packages/apps/QualcommSoftAP - add your app to core.mk instead
    make: *** No rule to make target `external/webkit/WebKitTools/android/webkitmerge/Android.mk'. Stop.

  9. Reader says:

    @Artur

    Thank you for your response.

    A malicious user could easily add a harmful commit to an arbitrary branch or rewrite an existing one… But why would the potential victim be unaware of this when tagging it? You yourself stated that this “… will trigger a cascading effect on the hashes of all child commits, so anyone with an existing clone of the repos would immediately know …”?

    Doesn’t the “unfortunate” case you’re hinting only arise if we assume that either trusted users blindly sign anything, or they blindly merge contributed commits?

  10. Artur Graniszewski says:

    @Reader:

    Well, in an ideal world everyone would check the PGP signatures and sign new branches only after checking the commit history. Unfortunately, in reality many people use shortcuts to make their work easier (they use simple passwords shared across different sites/servers, run unpatched operating systems and open malicious attachments in emails).

    “A chain is only as strong as its weakest link”.
    For example: let’s say that the malicious user obtained a regular account in the git repository. He can change the source code line by line at regular intervals (just after someone else’s commits). In this case, trusted users auditing the changes would not be alerted, because no single change in the commit history would be critical to the security of the entire application (you would have to audit whole files or directories to see the whole picture). After a few such commits, a trusted, well-known person promotes a branch to a tag and signs it with his own signature (because he’s sure that every >single< commit was checked before by other people).

  11. John Galt says:

    try to use “apt-get install ia32-libs” I used it and it worked fine. thanks

