
Malware found in the Arch Linux AUR repository

Here's a report in Sensors Tech Forum on the discovery of a set of hostile packages in the Arch Linux AUR repository system. AUR contains user-contributed packages, of course; it's not a part of the Arch distribution itself. "The security investigation shows that a malicious user with the nickname xeactor modified on June 7 an orphaned package (software without an active maintainer) called acroread. The changes included a curl script that downloads and runs a script from a remote site. This installs persistent software that reconfigures systemd in order to start periodically. While it appears that they are not a serious threat to the security of the infected hosts, the scripts can be manipulated at any time to include arbitrary code. Two other packages were modified in the same manner." This thread in the aur-general list shows the timeline of the discovery and response.


Packages affected

Posted Jul 11, 2018 8:51 UTC (Wed) by rengolin (guest, #48414) (2 responses)

In case people are looking for it, this is the list of the affected packages:
* acrored 9.5.5-8
* balz 1.20-3
* minergate 8.1-2

Source: https://lists.archlinux.org/pipermail/aur-general/2018-Ju...

Packages affected

Posted Jul 11, 2018 11:50 UTC (Wed) by jak90 (subscriber, #123821) (1 response)

It seems "acrored" is a typo for the Adobe Reader package (acroread) that's sitting back at package version 9.5.5-7 (if one even dares to use this native version of the application, which is no longer supported by or officially available from Adobe).
Likewise, submitting "mistyped" packages would seem like a viable compromise vector as well.

Packages affected

Posted Jul 12, 2018 11:50 UTC (Thu) by feb (guest, #60129)

That's a typosquatting attack which LWN talked about a few years ago (https://lwn.net/Articles/694830/). In the case of Arch AUR packages, there's also the idea of targeting orphaned packages.

Malware found in the Arch Linux AUR repository

Posted Jul 12, 2018 12:15 UTC (Thu) by XTerminator (subscriber, #59581)

It is not a surprise that a publicly accessible repository contains malware. There is no vetting involved in creating an AUR account nor in submitting packages to it. AUR == caveat emptor. Always check what you are getting.


Copyright © 2018, Eklektix, Inc.