LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Arch
User Name
Password
Arch This Forum is for the discussion of Arch Linux.

Notices


Reply
  Search this Thread
Old 07-11-2018, 06:13 PM   #1
ChuangTzu
Senior Member
 
Registered: May 2015
Location: Where ever needed
Distribution: Slackware/Salix, FreeBSD
Posts: 1,065

Rep: Reputation: 835Reputation: 835Reputation: 835Reputation: 835Reputation: 835Reputation: 835Reputation: 835
Post Arch Linux AUR Repository Found to Contain Malware


I attempted to post this in the Linux News section but it appears that it was not approved for posting....

"The Arch Linux user-maintained software repository called AUR has been found to host malware. The discovery was made after a change in one of the package installation instructions was made. This is yet another incident that showcases that Linux users should not explicitly trust user-controlled repositories..."

https://sensorstechforum.com/arch-li...ntain-malware/
https://www.bleepingcomputer.com/new...ge-repository/
https://betanews.com/2018/07/11/arch-linux-malware/
https://www.linuxuprising.com/2018/0...epository.html
 
Old 07-11-2018, 08:06 PM   #2
Timothy Miller
Moderator
 
Registered: Feb 2003
Location: Arizona, USA
Distribution: Debian, Fedora, Arch, & KDE Neon
Posts: 2,842

Rep: Reputation: 827Reputation: 827Reputation: 827Reputation: 827Reputation: 827Reputation: 827Reputation: 827
I'm an Arch user and I have to say that my level of surprise is...none.
 
Old 07-11-2018, 10:44 PM   #3
un1x
Member
 
Registered: Oct 2015
Posts: 644

Rep: Reputation: Disabled
NADA on its front page !

https://aur.archlinux.org/

perhaps 'FUD' ? ? ?
 
Old 07-11-2018, 11:54 PM   #4
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 17,177

Rep: Reputation: 2629Reputation: 2629Reputation: 2629Reputation: 2629Reputation: 2629Reputation: 2629Reputation: 2629Reputation: 2629Reputation: 2629Reputation: 2629Reputation: 2629
Long time Arch user, and I'm very surprised it didn't make the news on the front page. Seems unless you are subscribed to the AUR specific mail lists you don't need to know.
Bloody strange attitude IMHO.

I don't use AUR much, but it looks like damn near everyone uses one of the helper tools. Myself excluded of course.
 
Old 07-12-2018, 04:29 AM   #5
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 9,975
Blog Entries: 7

Rep: Reputation: 2465Reputation: 2465Reputation: 2465Reputation: 2465Reputation: 2465Reputation: 2465Reputation: 2465Reputation: 2465Reputation: 2465Reputation: 2465Reputation: 2465
this is FUD, or maybe just trying to blow up what is essentially not news at all.
  • the title is misleading: it's not the AUR itself that's compromised, but one (or several) packages therein
  • that package is acroread. an adobe proprietary software reads & transmits my personal data? can't say i'm surprised...
  • the nature of AUR is such. no need to mention it on the frontpage; everybody who uses AUR packages should know this. excerpt from here:
    Quote:
    Warning: Carefully check all files. Carefully check the PKGBUILD and any .install file for malicious commands. PKGBUILDs are bash scripts containing functions to be executed by makepkg: these functions can contain any valid commands or Bash syntax, so it is totally possible for a PKGBUILD to contain dangerous commands through malice or ignorance on the part of the author. Since makepkg uses fakeroot (and should never be run as root), there is some level of protection but you should never count on it. If in doubt, do not build the package and seek advice on the forums or mailing list.
    I should add: Don't blindly trust binary packages, either.

...or, as ChuangTzu quoted correctly:
This is yet another incident that showcases that Linux users should not explicitly trust user-controlled repositories...

Last edited by ondoho; 07-12-2018 at 04:30 AM.
 
2 members found this post helpful.
Old 07-12-2018, 03:47 PM   #6
un1x
Member
 
Registered: Oct 2015
Posts: 644

Rep: Reputation: Disabled
WHY spreadin FUD ? ? ? nonsense !

Code:
ChuangTzu
"The Arch Linux user-maintained software repository called AUR has been found to host malware. The discovery was made after a change in one of the package installation instructions was made. This is yet another incident that showcases that Linux users should not explicitly trust user-controlled repositories..."
 
Old 07-13-2018, 02:58 AM   #7
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 9,975
Blog Entries: 7

Rep: Reputation: 2465Reputation: 2465Reputation: 2465Reputation: 2465Reputation: 2465Reputation: 2465Reputation: 2465Reputation: 2465Reputation: 2465Reputation: 2465Reputation: 2465
what happened is someone took over an orphaned package & made malicious changes to the PKGBUILD. the fact that they could do that is totally normal and does NOT indicate that the AUR itself is compromised or anything. nobody claimed that either, but i'm just making sure that people understand what is happening here.

if you know what the AUR is and how it works, this is really no surprise at all.

one is not supposed to trust these packages explicitely.

i usually go by votes & popularity & comments.
if something is off, people notice very quickly (comments) and take appropriate action (thanks to archlinux' concept of Trusted Users this is possible).

Btw, all this was fixed 1-3 days BEFORE these articles even came out.

PS: of the four links in post #1 i found this one most informative. it's all there if one cares to read beyond a few buzzwords.

PPS: my original assessment that it's the acroread program itself that is the malware, was wrong. once again, read the article.

Last edited by ondoho; 07-13-2018 at 03:00 AM.
 
Old 07-13-2018, 09:44 AM   #8
un1x
Member
 
Registered: Oct 2015
Posts: 644

Rep: Reputation: Disabled
https://distrowatch.com/dwres.php?re...ine&story=6389

Quote:
People who run Arch Linux, or one of its many derivatives, received a reminder last week that while the Arch User Repository (AUR) is a convenient way to access a large number of software packages, the packages in that repository can come from anywhere and should not be blindly trusted. Sensors Tech Forum reports: "Linux users of all distributions have received a major warning not to explicitly trust user-run software repositories following the latest incident related to Arch Linux. The project's user-maintained AUR packages (which stands for Arch User Repository) have been found to host malware code in several instances. Fortunately a code analysis was able to discover the modifications in due time - only several days after the dangerous code was placed in the app installation instructions. The security investigation shows that shows that a malicious user with the nick name xeactor modified in June 7 an orphaned package (software without an active maintainer) called acroraed. The changes included a curl script that downloads and runs a script from a remote site. This installs a persistent software that reconfigures systemd in order to start periodically. While it appears that they are not a serious threat to the security of the infected hosts, the scripts can be manipulated at any time to include arbitrary code. Two other packages were modified in the same manner." Most Linux distribution have optional add-on repositories where community members can upload scripts or packages. These third-party items should be audited before being installed.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Arch Linux AUR Repository Found to Contain Malware ChuangTzu Linux - News 0 07-10-2018 06:24 PM
LXer: Malware Found On The Arch User Repository (AUR) LXer Syndicated Linux News 0 07-09-2018 09:45 PM
LXer: Yaourt is Dead! Use These Alternatives for AUR in Arch Linux LXer Syndicated Linux News 0 06-23-2018 06:45 PM
LXer: Arch Linux's AUR Will Be Migrated to a Git-Based Platform Starting June 8 LXer Syndicated Linux News 0 06-02-2015 12:00 PM
I am trying to compile x264 on arch linux with an AUR script, yet . . . darkstarbyte Arch 8 11-05-2011 06:47 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Arch

All times are GMT -5. The time now is 10:05 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration