date 2020-07-25
https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/7EZTJXLIAQLARQNTMEW2HBWZYE626IFJ/
https://archive.ph/jwPRg
On the 16th of July, at around 8pm UTC+2, a malicious AUR package was uploaded to the AUR. Two other malicious packages were uploaded by the same user a few hours later. These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT).

The affected malicious packages are:
- librewolf-fix-bin
- firefox-patch-bin
- zen-browser-patched-bin

The Arch Linux team addressed the issue as soon as they became aware of the situation. As of today, 18th of July, at around 6pm UTC+2, the offending packages have been deleted from the AUR.

We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised.
/r/linux Discussion: http://old.reddit.com/r/linux/comments/1m3wodv/malware_found_in_the_aur/
/r/archlinux Discussion: https://old.reddit.com/r/archlinux/comments/1m387c5/aurgeneral_security_firefoxpatchbin/
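As an added check that is not part of the advisory or of the Arch Linux project's own tooling: a small POSIX shell script that reports whether any of the three packages named above appears in pacman's transaction log (which keeps history even after a package has been removed) or is currently installed. It assumes the standard pacman.log line format and the default log path /var/log/pacman.log.

```shell
#!/bin/sh
# Added example, not from the advisory or from Arch Linux.
# Assumes pacman.log lines of the standard form (sample is constructed):
#   [2025-07-16T20:05:12+0200] [ALPM] installed firefox-patch-bin (1.0-1)

# Package names taken from the advisory above.
AFFECTED="librewolf-fix-bin firefox-patch-bin zen-browser-patched-bin"
PACMAN_LOG="${PACMAN_LOG:-/var/log/pacman.log}"

# Print every ALPM transaction line that touches an affected package.
# A hit here means the package was present at some point, even if it
# has since been removed, so the host should be treated as exposed.
scan_pacman_log() {
    log="$1"
    for pkg in $AFFECTED; do
        grep -E "\[ALPM\] (installed|reinstalled|upgraded|removed) ${pkg} \(" "$log" || true
    done
}

# Number of distinct affected packages recorded in the log (0 = no record).
count_affected_in_log() {
    scan_pacman_log "$1" | awk '{print $4}' | sort -u | wc -l | tr -d ' '
}

# Names of affected packages that are installed right now; pacman -Qq prints
# the name only when the package is present. Silent when pacman is absent.
currently_installed() {
    command -v pacman >/dev/null 2>&1 || return 0
    for pkg in $AFFECTED; do
        pacman -Qq "$pkg" 2>/dev/null || true
    done
}

# Stand-alone use: summarise both views for this host.
if [ "${1:-}" = "--run" ]; then
    echo "Transaction history for affected packages in $PACMAN_LOG:"
    scan_pacman_log "$PACMAN_LOG"
    echo "Affected packages currently installed:"
    currently_installed
fi
```

Run it as `sh check.sh --run` (hypothetical file name) on the host; a log hit without a current install still warrants the follow-up the advisory asks for, since removing the package does not undo what the fetched script did.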
(Score: 5, Interesting) by bzipitidoo on Monday July 21, @03:57AM (5 children)
I wonder if the sheer quantity of code is beginning to get away from us. The lines of code in a modern OS number over a billion. The Linux kernel is 40 million lines, Firefox is 32 million. That's a heck of a lot of code in which to hide something malicious.
Takes an army of developers to maintain that, and among the many thousands it is too much to expect there won't be a single one who turns treacherous.
One thing I've been observing whenever I am obliged to watch a movie is just how very many people are listed in the credits at the end. Takes thousands of people to make a movie. Many of them do computer graphics work that has become so integral to modern movie making.
(Score: 3, Interesting) by Ingar on Monday July 21, @06:54AM (4 children)
The problem isn't in the code; these are binary packages. You only install them as a last resort.
Firefox is also in the main arch repository, so I don't even see a reason why one would install this binary patched version.
Love is a three-edged sword: heart, mind, and reality.
(Score: 3, Interesting) by Ox0000 on Monday July 21, @04:28PM
Because the marks have been trained to be afraid of software that's unpatched (regardless of whether it's needed, what the patch is, what it does, who made the patch, etc...). Because the marks have probably been on the MSFT treadmill of "It's patch Tuesday, keep your machines up to date or you'll get pwned by evil-doers, never skip a patch and install them religiously, not patching will lead to untold badness(tm)". Because the software industry has been cranking out shit product that needs to be continually patched and the marks crave that hit of getting something, ANYTHING patched.
These marks must have seen 'patched' and gone "it's patched, surely it must be more better-er and be higher secure-er".
(Score: 3, Informative) by epitaxial on Monday July 21, @06:49PM (2 children)
https://en.wikipedia.org/wiki/Heartbleed
It existed for two years before being found.
(Score: 2) by Ingar on Tuesday July 22, @09:35AM (1 child)
(Score: 2) by Ingar on Tuesday July 22, @09:52AM
And of course, I had to forget the preview button.