alt Hacker NewsFirefox-patch-bin, librewolf-fix-bin AUR packages contain malware
Comments
> We strongly encourage users that may have installed one of these packages […] to take the necessary measures in order to ensure they were not compromised.
How are they supposed to do that when you give them no information as to what the malware does?
Anyone have a copy of it that I can poke at in a virtual machine?
As Arch seemingly explodes in popularity I’m afraid we’ll start seeing more of this.
Any clue what these packages were 'supposed' to do or why somebody might have installed them? Their PKGBUILD descriptions are copies of the respective browsers', not explaining the -patched part.
Could there be programmatic ways to help users characterize the safety of the AUR packages they install? Perhaps a program that prints all URLs in the PKGBUILD and offers the option for the user to open them in the browser? Or which automatically shows a diff if a PKGBUILD is updated? Highlighting changes would make it easier for the user to determine if he should spend time exploring those changes for malware.
One could go even further and list all new commits, making it super easy for the user to check them. Maybe even integrate an LLM to help? Maybe commits from non long-time contributors could be flagged?
There has to be a way to help users programmatically review updates to their AUR packages. Even if most of them won't spend the time.
Man. I am on Fedora, but I do have a handful of copr packages installed. (Copr is the Fedora an analogue of the AUR.)
This makes me nervous. I guess it’s time to do some audits.
I wonder how popular these packages were. Librewolf and Firefox sure are popular, so this sounds scary, but for example searching for "firefox-patch-bin aur" yields no results, aside from sites talking about how it contained malware.
My impression is that the malice was spotted timely, and not many people were affected. Which is a pretty good thing!
it should be noted that these are different from the popular librewolf-bin (513 votes) and zen-browser-bin (176). with this in mind it's cool that these got identified only 2 days after being uploaded. I wonder if the reporter actually intended to install it or just reads the PKGBUILDS of new packages to be a good samaritan...
It seems odd that this is just on the AUR mailing list, and it the homepage, the announce list, or the security list.
i installed a lot of cra* from aur in the past, wouldn't be surprised if i got a malware somewhere. Strange thing, I don't think open snitch would even help in such situation..
and official repo does not have enough packages to run arch :\ I don't want to go back to ubuntu
There's always been this security theater of people recommending arch because they "don't trust the companies" or Canonical or what have you but frankly I'm surprised this hasn't happened sooner. Well or maybe it has and we don't know.
Running random binaries on your computer uploaded by some anonymous dude has to be the equivalent of buying heart medicine on craigslist. And because Arch is so barebones to begin with the AUR is very popular, you see a lot of arch users using it.
AUR packages are user-produced content i.e. packages built on their own machines.
They have to be installed via "pacman -U package_file"
Arch developers can code "pacman -U" such that it performs a VirusTotal scan before installation for each package.
VirusTotal's API is free.
- https://docs.virustotal.com/docs/api-scripts-and-client-libr... - https://docs.virustotal.com/docs/please-give-me-an-api-key - https://docs.virustotal.com/docs/consumption-quotas-handled
Since it is end users who are doing the upload and virus scan check, there won't be a consumption quota issue with VirusToal.
Lastly, "pacman -U" should flag failed VirusTotal scans to Arch Security.
Arch's pacman and Flathub's flatpak package managers should be the last line of defence when installing untrusted packages by end users.
Comments below is from the perspective of an arch Linux user, not maintainer or authors of some software.
When installing softwares on arch Linux, first searching for official packages provided by Arch Linux maintainers, then official installation methods approved by authors of the software, or AURs which do the installation in the exact way as the authors of the software describe.
A search on the default installation method of Firefox and librewolf package on arch Linux is listed below.
If AUR is required to install a package, note that AURs are not trusted by default because not all AURs are not maintained by trusted users. Always check the source file and the installation method documented in PKGBUILD. Don't do the installation until EVERY line in the PKGBUILD is reasonable.
https://wiki.archlinux.org/title/Firefox
https://librewolf.net/installation/arch/