LinuxQuestions.org - Slackware - Python-2.7.4 on mirrors marked as infected
(http://www.linuxquestions.org/questions/slackware-14/python-2-7-4-on-mirrors-marked-as-infected-4175463773/)

the_penguinator 05-28-2013 10:16 AM

Python-2.7.4 on mirrors marked as infected
 
this is interesting

Quote:

ftp> open elektroni.phys.tut.fi
Connected to elektroni.phys.tut.fi.
...etc...
ftp> get Python-2.7.4.tar.xz
local: Python-2.7.4.tar.xz remote: Python-2.7.4.tar.xz
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for Python-2.7.4.tar.xz (10250644 bytes).
550-Transfer failed. The file Python-2.7.4.tar.xz is infected with the virus W32/BZip.AGENT!tr. File quarantined as .
550 *
I wanted to reinstall this file as I was experiencing an inability to get the upgrade via slackpkg. Question though, if the file is compromised, why have they left it on the servers?

Thor_2.0 05-28-2013 10:20 AM

The other question is: if a file is infected with something that is clearly meant for the ***dows platform, and your PC (Linux) is configured not to be able to run it...does it pose a risk?

the_penguinator 05-28-2013 10:33 AM

Quote:

Originally Posted by Thor_2.0 (Post 4960601)
The other question is: if a file is infected with something that is clearly meant for the ***dows platform, and your PC (Linux) is configured not to be able to run it...does it pose a risk?

not to my slackbox I suppose, but you do install this Python file as root, and if the W32 malware unpacks itself and has the capability of running nmap, IDs Winboxen and goes to work...but it is curious why some presumably W32 malware has been packed into a Linux software package...

JohnB316 05-28-2013 11:02 AM

Quote:

Originally Posted by the_penguinator (Post 4960598)
this is interesting

I wanted to reinstall this file as I was experiencing an inability to get the upgrade via slackpkg. Question though, if the file is compromised, why have they left it on the servers?

Could the server you access have been compromised? It would be valuable to see whether you get the same error message from other Slackware mirrors. If the same package on other Slackware mirrors gives you the same warning message about virus infection, then there are other problems that TBDFL may need to investigate. :eek:

torimus 05-28-2013 11:16 AM

no time to investigate it but can anybody check if it matches the official signature?

http://slackware.osuosl.org/slackwar...7.4.tar.xz.asc

Petri Kaukasoina 05-28-2013 11:47 AM

Did you run the ftp command on the Slackware box? Have you installed some kind of virus protection on that Slackware system?

If you run it on Slackware and have not installed virus protection, I bet you do not connect directly to elektroni.phys.tut.fi but your connection goes through some kind of virus "protection" middle box, with broken virus id database. That would explain your earlier problems, too.

Petri Kaukasoina 05-28-2013 11:57 AM

Quote:

Originally Posted by JohnB316 (Post 4960630)
Could the server you access have been compromised?

No. The MD5 checksum of Python-2.7.4.tar.xz checked locally at elektroni.phys.tut.fi is the same as listed in CHECKSUMS.md5. And gpg validates Python-2.7.4.tar.xz.asc as a good signature from "Benjamin Peterson <benjamin@python.org>".
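The two checks described in this post (local MD5 against the entry in CHECKSUMS.md5, then gpg on the detached .asc), as an added example that is not code from the thread or from Slackware; the CHECKSUMS.md5 layout is reproduced from memory and the payloads and paths are constructed stand-ins, not the real tarball:

```python
"""Verify a downloaded tarball against CHECKSUMS.md5 and a detached .asc."""
import hashlib
import re
import subprocess

# Constructed sample in the layout of Slackware's CHECKSUMS.md5:
# a header line, then "<md5>  ./<path>" entries. Digests are computed
# from these constructed payloads, not from the real Python tarball.
SAMPLE_PAYLOADS = {
    "./source/d/python/Python-2.7.4.tar.xz": b"constructed stand-in for the tarball\n",
    "./source/d/python/Python-2.7.4.tar.xz.asc": b"constructed stand-in for the signature\n",
}


def build_checksums(payloads):
    """Render a CHECKSUMS.md5-style file for the constructed payloads."""
    lines = ["MD5 message digest                Filename", ""]
    for path, data in payloads.items():
        lines.append(f"{hashlib.md5(data).hexdigest()}  {path}")
    return "\n".join(lines) + "\n"


ENTRY_RE = re.compile(r"^([0-9a-f]{32})\s+(\./\S+)$")


def parse_checksums(text):
    """Map './path' -> expected md5 hex; header and blank lines are skipped."""
    expected = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            expected[m.group(2)] = m.group(1)
    return expected


def md5_matches(data, mirror_path, checksums_text):
    """True/False for a listed file; None when CHECKSUMS.md5 has no entry."""
    expected = parse_checksums(checksums_text).get(mirror_path)
    if expected is None:
        return None
    return hashlib.md5(data).hexdigest() == expected


def gpg_signature_is_good(tarball_path, asc_path):
    """Run 'gpg --verify <sig> <file>'; the signer's key must already be
    imported. Not exercised offline. gpg reports to stderr, and the
    'Good signature' string assumes an English locale."""
    result = subprocess.run(["gpg", "--verify", asc_path, tarball_path],
                            capture_output=True, text=True)
    return result.returncode == 0 and "Good signature" in result.stderr
```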

gmgf 05-28-2013 12:03 PM

python-2.7.5 is available

changelog here:

http://hg.python.org/cpython/file/ab...2788/Misc/NEWS

Issue #17843: Removed test data file that was triggering false-positive virus warnings with certain antivirus software.

the_penguinator 05-28-2013 12:11 PM

Quote:

Originally Posted by torimus (Post 4960644)
no time to investigate it but can anybody check if does match to the official signature ?

http://slackware.osuosl.org/slackwar...7.4.tar.xz.asc

the Python-2.7.4.tar.xz files on mirror.csclub.uwaterloo.ca and elektroni.phys.tut.fi do match the official signature of the file hosted at osuosl.org

volkerdi 05-28-2013 04:48 PM

False virus signature matches are quite common, though it's not quite as bad as it once was. Back when we were using .tgz it happened much more, probably because the viruses were using that compression scheme as well. A hit in an xz compressed file could be a sign that they're switching to that now. Most of the time the hits would come in the kde-l10n packages... the Russian package used to get hits all the time, probably on some common word or phrase that was nowhere near the unique signature the people working on the virus definition database thought it was.

I've probably been sent thousands of emails with subjects like "VIRUS found in Slackware!". I used to try to explain what was happening, but it was mostly useless. The reporter always had much more faith in their virus software than whatever I was saying, and even if I finally got them to understand then they often expected I'd help them convince the virus software people that a fix was needed (I did try this early on for a false hit on the Nutcracker virus, and found their ears were just as deaf).

In no case has one of these hits on Slackware files ever turned out to be real.

the_penguinator 05-29-2013 01:25 PM

Quote:

Originally Posted by volkerdi (Post 4960853)
False virus signature matches are quite common, -snip-.

In no case has one of these hits on Slackware files ever turned out to be real.

good to hear Pat, this is the first false positive I think I've ever encountered.
