Several sites are covering an incident affecting Raspberry Pi OS deployments since last week. Quietly, without disclosure or warning, a package added a Microsoft repository and OpenPGP key to the system. The key effectively grants that repository, in principle, full root access to the whole system, and the repository is contacted by Microsoft's servers any time APT refreshes its cache.
$ grep -i pretty /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"

How to know if you're affected/infected already:

$ cat /etc/apt/sources.list.d/vscode.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main
Issue has been taken with both what has been done and how it has been deployed. The official explanation is, for now, that resource hog Visual Studio was to be made available by default on the Raspberry Pi for development for their first entry into microcontrollers, the Raspberry Pi Pico. This is in spite of the established presence of many lightweight editors and IDEs alredy[sic] available through vetted repositories. Not to mention the package could have been added to the established, vetted repositories. Threads on the topic over at the Raspberry Pi Forum are quickly locked by moderators and then deleted.
(Score: 5, Informative) by Anonymous Coward on Friday February 05 2021, @06:49AM (4 children)
You can pin packages to particular repos, so you can prevent anything except that one MS malware package from being able to be installed from MS repos*. This feature has existed for decades.
It is rare that Debian systems use 3rd party repos except local repos controlled by the user (using 3rd party repos defeats the point of a distribution where the packages are curated by the maintainers and trustworthy). But, apt is quite capable, and can handle this use case.
No package will be installed / upgraded from malware.microsoft.com unless you manually force it, except that the package microsoft-vscode will auto upgrade from malware.microsoft.com unless a package of the same name is available from the main repo. Change Pin-Priority to change the policy to your liking. See 'man apt_preferences'.
/etc/apt/preferences.d/microsoft-malware:
Explanation: Keep everything from this origin out unless no other version exists
Package: *
Pin: origin malware.microsoft.com
Pin-Priority: 1

Explanation: Only this one package may be installed and upgraded from this origin
Package: microsoft-vscode
Pin: origin malware.microsoft.com
Pin-Priority: 500
Apt is extremely capable. If you find yourself wishing that apt could do X, it is quite probable that reading the docs you will find that apt already can do X.
Unless Raspbian included a preference file like above, then I think that the criticism is warranted. Even if you think MS is fantastic and great, least privilege is safer, and not restricting what the MS repo can install only adds risk.
*Usually pinning is used to safely mix stable, backports, testing, unstable and/or experimental packages on the same system, but you have to use common sense when doing this e.g., anything that pulls in glibc from unstable on a stable base system is not something that you can safely mix into your stable system even with pinning.
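The following is an added worked example, not code from the story or from the commenter above. It models the two points made on this page: the summary's check for which origins a sources file enables, and the comment's pinning scheme. It parses a constructed sources file in the format shown in the summary (the packages.microsoft.com origin is the page's; the Raspbian mirror hostname is assumed), parses a constructed preferences file of the same shape as the comment's (using the real origin hostname, and the package name "code", which is assumed), and applies a simplified version of apt's candidate selection (highest pin priority wins, ties broken by highest version; priority below 0 never installs; priority below 100 installs only when nothing is installed yet). The version comparison is a crude approximation of dpkg's rules. The constructed candidate versions show why the default priority of 500 for every origin lets any repository override a base package such as libssl, and how the pin changes that.

```python
import re
from dataclasses import dataclass

# Constructed sources file in the format shown in the summary. The Microsoft
# origin is the one on the page; the Raspbian mirror hostname is assumed.
SAMPLE_SOURCES = """\
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main
deb http://raspbian.example.org/raspbian/ buster main contrib non-free rpi
"""

# Constructed preferences file following the comment's scheme, with the real
# origin hostname; the package name 'code' is assumed.
SAMPLE_PREFERENCES = """\
Explanation: Nothing from the Microsoft repo unless no other version exists
Package: *
Pin: origin packages.microsoft.com
Pin-Priority: 1

Package: code
Pin: origin packages.microsoft.com
Pin-Priority: 500
"""

# 'deb [options] URL suite component...' ; commented-out lines do not match.
DEB_LINE = re.compile(r"^deb(?:-src)?\s+(?:\[[^\]]*\]\s+)?(\S+)\s+\S+\s+\S+")
DEFAULT_PRIORITY = 500  # apt's default for any version not from the target release


def source_hosts(text):
    """Hostnames of every enabled 'deb' line (the summary's check, without grep)."""
    hosts = []
    for line in text.splitlines():
        m = DEB_LINE.match(line.strip())
        if m:
            hosts.append(re.sub(r"^[a-z+]+://", "", m.group(1)).split("/")[0])
    return hosts


@dataclass
class Pin:
    package: str   # exact package name or '*'
    origin: str    # hostname as written in 'Pin: origin <host>'
    priority: int


def parse_preferences(text):
    """Parse blank-line separated records; only 'Pin: origin' records are modelled."""
    pins, record = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if record.get("Pin", "").startswith("origin "):
                pins.append(Pin(record["Package"], record["Pin"].split(None, 1)[1],
                                int(record["Pin-Priority"])))
            record = {}
        elif ":" in line:
            key, value = line.split(":", 1)
            record[key.strip()] = value.strip()
    return pins


def effective_priority(pins, package, origin):
    """A specific-package record beats a 'Package: *' record; otherwise the default."""
    for pin in pins:
        if pin.package == package and pin.origin == origin:
            return pin.priority
    for pin in pins:
        if pin.package == "*" and pin.origin == origin:
            return pin.priority
    return DEFAULT_PRIORITY


def version_key(v):
    """Crude ordering of dotted/dashed versions; real apt uses dpkg's comparison."""
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|\D+", v))


def choose_candidate(pins, package, candidates, installed=None):
    """Return the (version, origin) apt would pick, or None to keep what is installed.
    Highest priority wins, then highest version. P < 0 never installs; P < 100
    installs only when no version of the package is installed yet."""
    eligible = []
    for version, origin in candidates:
        p = effective_priority(pins, package, origin)
        if p < 0 or (p < 100 and installed is not None):
            continue
        eligible.append((p, version_key(version), version, origin))
    if not eligible:
        return None
    _, _, version, origin = max(eligible)
    return version, origin


def audit(sources_text, prefs_text):
    """Report third-party origins and what each policy does to a base library."""
    pins = parse_preferences(prefs_text)
    # Constructed candidates: the third-party origin ships a base library with a
    # higher version string, which is exactly how a repo overrides a base package.
    libssl = [("1.1.1d-0+deb10u4", "raspbian.example.org"),
              ("1.1.1d-0+deb10u5", "packages.microsoft.com")]
    code = [("1.53.0-1", "packages.microsoft.com")]
    wildcard_only = [p for p in pins if p.package == "*"]
    return {
        "third_party_hosts": [h for h in source_hosts(sources_text) if h != "raspbian.example.org"],
        "libssl_default": choose_candidate([], "libssl1.1", libssl, installed="1.1.1d-0+deb10u4"),
        "libssl_pinned": choose_candidate(pins, "libssl1.1", libssl, installed="1.1.1d-0+deb10u4"),
        "code_pinned": choose_candidate(pins, "code", code, installed="1.52.0-1"),
        "code_wildcard_only": choose_candidate(wildcard_only, "code", code, installed="1.52.0-1"),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SOURCES, SAMPLE_PREFERENCES).items():
        print(f"{key}: {value}")
```

With no preferences file, both libssl candidates sit at priority 500 and the higher version from the third-party origin wins, which is the override the last comment on this page warns about. With the wildcard pin at priority 1, the third-party copy is skipped because a version is already installed, and only the specifically pinned package is still upgraded from that origin. On a real system, `apt-cache policy <package>` shows the same priorities apt has actually computed.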
(Score: 0) by Anonymous Coward on Friday February 05 2021, @07:03AM (2 children)
Thank you for the calm and informative post.
Would mod you up if I could.
Though I would denylist Package: * from origin malware.microsoft.com, myself.
(Score: 1) by jurov on Friday February 05 2021, @01:44PM (1 child)
It says "you have 10 points" so I selected "Informative", clicked Moderate... and nothing happened.
How is it supposed to work?
(Score: 2) by maxwell demon on Friday February 05 2021, @01:55PM
If the post is already at the maximum moderation (+5), then you cannot add another moderation. I can't tell whether that is what happened to you (no way to tell what the post's moderation status was at the time you tried to moderate), but it would be my guess.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Friday February 05 2021, @11:22PM
Informative post, but one quibble. It is common to have a couple of repos for the odd package. The Debian Multimedia repo was almost mandatory for years because of licensing and patent problems. Small repos with SAS / RAID controller proprietary tools. Some guy's personal repo with a testing version of a package you need. Etc.
And yes, this is a good wake-up call that any repo can override any base package with the default configuration. Some bad actor seizes any minor repo and they can inject a tainted base package like glibc or libssl into every machine that uses the repo. It is time for the defaults to be made safe.