SoylentNews is people

posted by Fnord666 on Friday February 05 2021, @03:23AM
from the we-don't-trust-m$ dept.

Several sites are covering an incident affecting Raspberry Pi OS deployments since last week. Quietly, without disclosure or warning, a package added a Microsoft repository and OpenPGP key to the system. The latter effectively gives the former full root access, in principle, to the whole system. The former checks in with Microsoft's servers any time APT refreshes its cache.

$ grep -i pretty /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"

How to know if you're affected/infected already:

$ cat /etc/apt/sources.list.d/vscode.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main

Issue has been taken with both what has been done and how it has been deployed. The official explanation is, for now, that resource hog Visual Studio was to be made available by default on the Raspberry Pi for development for their first entry into microcontrollers, the Raspberry Pi Pico. This is in spite of the established presence of many lightweight editors and IDEs alredy[sic] available through vetted repositories. Not to mention the package could have been added to the established, vetted repositories. Threads on the topic over at the Raspberry Pi Forum are quickly locked by moderators and then deleted.
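The `cat` check above only looks at one file name. The following is an added example, not part of the original story: it scans every APT source list for an active entry pointing at the repository host and checks the key path named in the comments below. The `ROOT` argument and the function names are assumptions made for illustration, so the audit can be pointed at a mounted SD card or a test directory.

```shell
#!/bin/sh
# Added example: audit an APT configuration tree for the repository and key
# described in the story. ROOT (hypothetical parameter) defaults to "/".

REPO_RE='packages\.microsoft\.com'

# Print every source file holding an active (uncommented) entry for the host.
ms_repo_sources() {
    root="${1:-/}"
    for f in "$root/etc/apt/sources.list" "$root"/etc/apt/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        # Active entries start with "deb" or "deb-src"; "# deb ..." is disabled.
        if grep -Eq "^[[:space:]]*deb(-src)?[[:space:]].*$REPO_RE" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Succeed if the key file exists and is not empty. Only this one path is
# checked; an empty placeholder file does not count as a key.
ms_key_present() {
    root="${1:-/}"
    [ -s "$root/etc/apt/trusted.gpg.d/microsoft.gpg" ]
}

# Summarise the tree as: affected, repo-only, key-only or clean.
ms_audit() {
    root="${1:-/}"
    repo=$(ms_repo_sources "$root")
    if [ -n "$repo" ] && ms_key_present "$root"; then echo affected
    elif [ -n "$repo" ]; then echo repo-only
    elif ms_key_present "$root"; then echo key-only
    else echo clean
    fi
}
```

Run `ms_audit /` on the Pi itself; a commented-out entry, which the generated file explicitly allows, is reported as clean.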


  • (Score: 2) by Tokolosh on Friday February 05 2021, @11:30PM (3 children)

    by Tokolosh (585) on Friday February 05 2021, @11:30PM (#1109450)

    Thank you very much. I ran your commands, see below. My understanding is that I have created an immutable microsoft gpg file, which prevents their repo being added.

    pi@raspberrypi:~ $ sudo rm /etc/apt/sources.list.d/vscode.list
    rm: cannot remove '/etc/apt/sources.list.d/vscode.list': No such file or directory
    pi@raspberrypi:~ $ sudo rm /etc/apt/sources.list.d/vscode.list
    rm: cannot remove '/etc/apt/sources.list.d/vscode.list': No such file or directory
    pi@raspberrypi:~ $ sudo chmod 444 /etc/apt/sources.list.d/vscode.list
    chmod: cannot access '/etc/apt/sources.list.d/vscode.list': No such file or directory
    pi@raspberrypi:~ $ sudo chattr +i /etc/apt/sources.list.d/vscode.list
    chattr: No such file or directory while trying to stat /etc/apt/sources.list.d/vscode.list
    pi@raspberrypi:~ $ sudo rm /etc/apt/trusted.gpg.d/microsoft.gpg
    rm: cannot remove '/etc/apt/trusted.gpg.d/microsoft.gpg': No such file or directory
    pi@raspberrypi:~ $ sudo touch /etc/apt/trusted.gpg.d/microsoft.gpg
    pi@raspberrypi:~ $ sudo chmod 444 /etc/apt/trusted.gpg.d/microsoft.gpg
    pi@raspberrypi:~ $ sudo chattr +i /etc/apt/trusted.gpg.d/microsoft.gpg

  • (Score: 3, Informative) by MadTinfoilHatter on Saturday February 06 2021, @04:26AM (1 child)

    by MadTinfoilHatter (4635) on Saturday February 06 2021, @04:26AM (#1109507)

    Thank you very much. I ran your commands, see below. My understanding is that I have created an immutable microsoft gpg file, which prevents their repo being added.

    The idea was to create immutable versions of empty (and therefore harmless) versions of microsoft.gpg and vscode.list so that any process that tries to add or modify these files will fail.

    pi@raspberrypi:~ $ sudo rm /etc/apt/sources.list.d/vscode.list
    rm: cannot remove '/etc/apt/sources.list.d/vscode.list': No such file or directory
    pi@raspberrypi:~ $ sudo rm /etc/apt/sources.list.d/vscode.list
    rm: cannot remove '/etc/apt/sources.list.d/vscode.list': No such file or directory
    pi@raspberrypi:~ $ sudo chmod 444 /etc/apt/sources.list.d/vscode.list
    chmod: cannot access '/etc/apt/sources.list.d/vscode.list': No such file or directory
    pi@raspberrypi:~ $ sudo chattr +i /etc/apt/sources.list.d/vscode.list
    chattr: No such file or directory while trying to stat /etc/apt/sources.list.d/vscode.list

    However here you went wrong. You copy-pasted the rm command twice, and missed the touch command, causing the last two commands to also have no effect. You should repeat the whole procedure (including rm) for vscode.list just to be safe. The only command that should possibly fail with an error message is the rm one (if you weren't infected when running the commands). The rest should go through with no comment as was the case for microsoft.gpg.

    • (Score: 2) by Tokolosh on Saturday February 06 2021, @02:34PM

      by Tokolosh (585) on Saturday February 06 2021, @02:34PM (#1109641)

      Thanks, and to unauthorized, too, for spotting my mistake.

  • (Score: 3, Informative) by unauthorized on Saturday February 06 2021, @05:23AM

    by unauthorized (3776) on Saturday February 06 2021, @05:23AM (#1109532)

    Your understanding is correct but your second command is wrong, you did rm (remove file) twice instead of using touch to create a blank file. Redo the first set of four commands and you'll be good. Only the first one should yield a "no such file" error.
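
The thread shows how easily one step of the rm / touch / chmod 444 / chattr +i sequence gets skipped without any obvious sign. The following is an added example, not code from any commenter: it reports, for each of the two files, which step is still missing. The function names and the `ROOT` argument are assumptions for illustration, and it relies on GNU `stat` and on `lsattr` from e2fsprogs.

```shell
#!/bin/sh
# Added example: verify the empty, read-only, immutable placeholders
# discussed in the comments. ROOT (hypothetical parameter) defaults to "".

PLACEHOLDERS='etc/apt/sources.list.d/vscode.list etc/apt/trusted.gpg.d/microsoft.gpg'

# Print one state for a file: missing, nonempty, writable, mutable or locked.
placeholder_state() {
    f="$1"
    [ -e "$f" ] || { echo missing; return 0; }     # the touch step was skipped
    [ -s "$f" ] && { echo nonempty; return 0; }    # real content, not a placeholder
    # chmod 444 step: compare the octal mode (GNU stat syntax).
    [ "$(stat -c %a "$f")" = 444 ] || { echo writable; return 0; }
    # chattr +i step: the first lsattr field holds the attribute flags.
    # If lsattr is unavailable the file is reported as mutable.
    flags=$(lsattr -d "$f" 2>/dev/null | cut -d' ' -f1)
    case "$flags" in
        *i*) echo locked ;;
        *)   echo mutable ;;
    esac
}

# Print "path state" for both files; succeed only if both are locked.
check_placeholders() {
    root="${1:-}"
    rc=0
    for p in $PLACEHOLDERS; do
        s=$(placeholder_state "$root/$p")
        printf '%s %s\n' "/$p" "$s"
        [ "$s" = locked ] || rc=1
    done
    return $rc
}
```

After the session posted at the top of the thread, `check_placeholders` would print `missing` for vscode.list and `locked` for microsoft.gpg, which is the mistake both replies point out.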