[aur-general] Backdoors in packages

Alexander Rødseth rodseth at gmail.com
Wed Aug 6 09:42:41 EDT 2014 

Hi,


When people install popular packages from AUR, I think the chances are
low that there is anything malicious there, because of the number of
people that will have read the PKGBUILD.

Of course, if upstream includes something malicious deep into the
source in a tarball, it could be somewhat harder to discover, but I
think this is unlikely. If someone would want to do this, they would
first have to either create a package with malicious components and
then try to make it popular (which is hard) or try to sneak in a patch
for an existing project, which is also hard. The number of obstacles
and number of eyes to pass by is relatively high (should be high
enough for someone to notice), and the malicious people would have to
be patient. I may be filled with prejudice towards malicious people,
but I believe them to be less patient than the average non-malicious
person.

I also think the official packages are safe. The number of steps a
malicious person would have to go through is high, and there is much
checking of what TUs/devs do from both other TUs/devs and the public.

Extreme patience and sneakiness would have to be employed for someone
to even be a little bit malicious with the most popular AUR packages
or the official packages. And even then, there are the filesystem
permissions, and other security measures in Linux, to overcome if a
malicious person is to do anything worthwhile (to the degree that
maliciousness could be worthwhile). People may even have installed
more fine grained security with something like SELinux, which would
render the endeavor even harder to accomplish.

The unpopular AUR packages are a completely different story. There
would be few eyes on both the upstream code and the PKGBUILDs and it
would be extremely easy to try to do something malicious. However,
just one dedicated Arch Linux user should be enough to check if it did
anything malicious, at least for types of maliciousness that is easy
to notice for the user, like deleting files or filling the harddrive
with pictures of ponies.

Of course, if the upstream sources was from a respected company or
organization, it would be easy to read the PKGBUILD and unlikely that
the sources contained anything malicious.

Back to the question: I don't know and haven't heard of any cases of
actual malice in any Arch Linux packages, neither official ones, nor
unofficial ones in AUR.

The worst case I encountered was an AUR package made by someone
clueless that cluttered all sorts of directories with misplaced files
at install time. This probably does not qualify as malicious, and the
package was swiftly removed from AUR.

When it comes to the safety of code, it can be really hard to tell if
it is malicious or safe just by reading it. There is a competition
called "The Underhanded C Contest" where people contend in hiding code
in code: http://underhanded.xcott.com/. And that's only for the
packages where the source is open! Who knows what upstream projects
with only binary files available might do.

The official Skype package has no available sources, only binary
files. According to a recent article by Ars Technica, Skype is vital
to NSA surveillance:
http://arstechnica.com/security/2014/05/encrypted-or-not-skype-communications-prove-vital-to-nsa-surveillance/.
The likelyhood that Skype is malicious in other ways than this is
probably low, but how can we know for sure? Even with the source code,
it would take quite a bit of time and effort to be 100% sure (ref. the
Underhanded C Contest).

If malicious and unpopular AUR packages would ever become a problem,
we could have some sort of required vetting (of the users and/or
packages in question) before the packages were made public. I really
hope it doesn't come to that. It would just be more work for everybody
involved, with little gains for the potentially malicious people.

One would think that the computers that the serious, malicious, sneaky
and patient people would target, would rather be the faster and more
well connected computers in the world, which are hopefully run by
people that care about security and won't install random packages from
AUR on their servers.

For now, I think the official packages and popular AUR packages are
safe, but be careful with the unpopular AUR packages.

-- 
Cheers,
  Alexander Rødseth / xyproto

More information about the aur-general mailing list