[aur-general] Backdoors in packages

Eugenio M. Vigo emvigo at gmail.com
Wed Aug 6 09:48:15 EDT 2014 

Alexander,
I'll post a link to your response wherever I can. Awesome explanation.
Cheers,
Eu.
El 06/08/2014 15:44, "Alexander Rødseth" <rodseth at gmail.com> escribió:

> Hi,
>
>
> When people install popular packages from AUR, I think the chances are
> low that there is anything malicious there, because of the number of
> people that will have read the PKGBUILD.
>
> Of course, if upstream includes something malicious deep into the
> source in a tarball, it could be somewhat harder to discover, but I
> think this is unlikely. If someone would want to do this, they would
> first have to either create a package with malicious components and
> then try to make it popular (which is hard) or try to sneak in a patch
> for an existing project, which is also hard. The number of obstacles
> and number of eyes to pass by is relatively high (should be high
> enough for someone to notice), and the malicious people would have to
> be patient. I may be filled with prejudice towards malicious people,
> but I believe them to be less patient than the average non-malicious
> person.
>
> I also think the official packages are safe. The number of steps a
> malicious person would have to go through is high, and there is much
> checking of what TUs/devs do from both other TUs/devs and the public.
>
> Extreme patience and sneakiness would have to be employed for someone
> to even be a little bit malicious with the most popular AUR packages
> or the official packages. And even then, there are the filesystem
> permissions, and other security measures in Linux, to overcome if a
> malicious person is to do anything worthwhile (to the degree that
> maliciousness could be worthwhile). People may even have installed
> more fine grained security with something like SELinux, which would
> render the endeavor even harder to accomplish.
>
> The unpopular AUR packages are a completely different story. There
> would be few eyes on both the upstream code and the PKGBUILDs and it
> would be extremely easy to try to do something malicious. However,
> just one dedicated Arch Linux user should be enough to check if it did
> anything malicious, at least for types of maliciousness that is easy
> to notice for the user, like deleting files or filling the harddrive
> with pictures of ponies.
>
> Of course, if the upstream sources was from a respected company or
> organization, it would be easy to read the PKGBUILD and unlikely that
> the sources contained anything malicious.
>
> Back to the question: I don't know and haven't heard of any cases of
> actual malice in any Arch Linux packages, neither official ones, nor
> unofficial ones in AUR.
>
> The worst case I encountered was an AUR package made by someone
> clueless that cluttered all sorts of directories with misplaced files
> at install time. This probably does not qualify as malicious, and the
> package was swiftly removed from AUR.
>
> When it comes to the safety of code, it can be really hard to tell if
> it is malicious or safe just by reading it. There is a competition
> called "The Underhanded C Contest" where people contend in hiding code
> in code: http://underhanded.xcott.com/. And that's only for the
> packages where the source is open! Who knows what upstream projects
> with only binary files available might do.
>
> The official Skype package has no available sources, only binary
> files. According to a recent article by Ars Technica, Skype is vital
> to NSA surveillance:
>
> http://arstechnica.com/security/2014/05/encrypted-or-not-skype-communications-prove-vital-to-nsa-surveillance/
> .
> The likelyhood that Skype is malicious in other ways than this is
> probably low, but how can we know for sure? Even with the source code,
> it would take quite a bit of time and effort to be 100% sure (ref. the
> Underhanded C Contest).
>
> If malicious and unpopular AUR packages would ever become a problem,
> we could have some sort of required vetting (of the users and/or
> packages in question) before the packages were made public. I really
> hope it doesn't come to that. It would just be more work for everybody
> involved, with little gains for the potentially malicious people.
>
> One would think that the computers that the serious, malicious, sneaky
> and patient people would target, would rather be the faster and more
> well connected computers in the world, which are hopefully run by
> people that care about security and won't install random packages from
> AUR on their servers.
>
> For now, I think the official packages and popular AUR packages are
> safe, but be careful with the unpopular AUR packages.
>
> --
> Cheers,
>   Alexander Rødseth / xyproto
>

More information about the aur-general mailing list