Bug#726393: general: Possible malware infections in source packages
On Fri, 18 Oct 2013, Thorsten Glaser wrote:
> On Tue, 15 Oct 2013, Thijs Kinkhorst wrote:
>> I'm still not sure why the virus contained in the source could not be
>> replaced by the EICAR test signature.
>
> Because it’s not testing a virus scanner, but because the specific RFC822
> message in question exhibited multiple problems in the code, due to the way
> it’s written/structured.

Then we could just defang it for good, replacing most of the virus code with
crap while preserving the malformedness.

-- 
One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie. -- The Silicon Valley Tarot
Henrique Holschuh

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#726393: general: Possible malware infections in source packages
Jarkko Palviainen <jarkko.palviainen at f-secure.com> writes:

> I looked into one of these, libmail-deliverystatus-bounceparser-perl_1.531.orig.tar.gz,
> and found a multipart email file containing a zip attachment. Inside this
> archive is a .pif file (PE32 executable for MS Windows) which is detected as
> Win32.Worm.Mytob.EF. This doesn't look like a false positive.

And yet, it’s totally legit: the file in question is an eMail archive of a
mail containing such a virus for another platform, in order to test against it
so that the Perl script in question doesn’t exhibit any bugs wrt. that.

> I hope that the source packages would be sanitized from any actual malware
> samples.

It’s not Malware if you’re running Debian.

bye,
//mirabilos
Bug#726393: general: Possible malware infections in source packages
On Tue, 15 Oct 2013, Thijs Kinkhorst wrote:

> I'm still not sure why the virus contained in the source could not be
> replaced by the EICAR test signature.

Because it’s not testing a virus scanner, but because the specific RFC822
message in question exhibited multiple problems in the code, due to the way
it’s written/structured. At least this is how I read the relevant comments.

@Natureshadow: this isn’t exactly code, and it’s even in the preferred form
of modification (an RFC822-format message)…

bye,
//mirabilos
-- 
15:41⎜Lo-lan-do:#fusionforge Somebody write a testsuite for helloworld :-)
Bug#726393: general: Possible malware infections in source packages
* Dominik George:

> It isn't a false positive in that regard that the package *does* in fact
> contain the virus sample.

That's non-free code and not suitable for main, so it must be removed from
the source tarball anyway.
Bug#726393: general: Possible malware infections in source packages
Package: general
Severity: normal

Some of the source packages were caught on a gateway anti-virus scanner while
downloading. These are the exact downloads:

http://ftp.fi.debian.org/debian/pool/main/libm/libmime-explode-perl/libmime-explode-perl_0.39.orig.tar.gz
http://ftp.fi.debian.org/debian/pool/main/p/pymilter/pymilter_0.9.5.orig.tar.gz
http://ftp.fi.debian.org/debian/pool/main/libm/libmail-deliverystatus-bounceparser-perl/libmail-deliverystatus-bounceparser-perl_1.531.orig.tar.gz
http://ftp.fi.debian.org/debian/pool/main/l/linkchecker/linkchecker_7.9.orig.tar.bz2

I also uploaded the archives to virustotal.com for scanning with multiple
vendors:

https://www.virustotal.com/en/file/2403530b352c591464b96b37173031749c993967ed6e1375b6d295ef84576ac9/analysis/
https://www.virustotal.com/en/file/2edb67ca8b8831991d7ba24092829e775355e5a35aeae61cac52de0dc82b2fd5/analysis/
https://www.virustotal.com/en/file/af45514ed8ad5491c8dd1d682a5061c79f624e1789abef3f27e92bcd3653c052/analysis/
https://www.virustotal.com/en/file/7bb478a4f9512e1dfe77c658f0410d62d9af91cedc35ee7aaaff6bc9a56d7f85/analysis/

I looked into one of these, libmail-deliverystatus-bounceparser-perl_1.531.orig.tar.gz,
and found a multipart email file containing a zip attachment. Inside this
archive is a .pif file (PE32 executable for MS Windows) which is detected as
Win32.Worm.Mytob.EF. This doesn't look like a false positive.

I hope that the source packages would be sanitized from any actual malware
samples.

-- System Information:
Debian Release: 7.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
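The manual triage described in the report (tarball, then mail fixture, then zip attachment, then a PE executable inside it) can be automated; the script below is an added illustration, not part of the bug report or of any of the packages named. It builds a constructed .tar.gz with a hypothetical Perl-dist layout whose mail fixture carries a zip holding a fake .pif that is only an "MZ" header plus padding (no real sample), then walks every layer and reports executables found inside mail-attached zips.

```python
import email
import io
import tarfile
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed stand-in for the worm body: just the DOS "MZ" magic plus padding,
# enough for the triage to classify the entry as a PE executable. Not malware.
FAKE_PE = b"MZ" + b"\x00" * 62

def build_sample_tarball():
    """Constructed .tar.gz: Perl-dist-like layout, mail fixture with a zip/.pif."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("document.pif", FAKE_PE)
    msg = EmailMessage()
    msg["Subject"] = "Returned mail: see transcript for details"
    msg.set_content("The original message was undeliverable.")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w:gz") as tar:
        for name, data in (("dist-1.0/README", b"test corpus\n"),
                           ("dist-1.0/t/corpus/bounce.msg", msg.as_bytes())):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return tbuf.getvalue()

def triage_tarball(tgz_bytes):
    """Report (member, attachment, zip entry, reason) for executables in mail zips."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Parse every regular file as mail; non-mail files yield no parts.
            msg = email.message_from_bytes(tar.extractfile(member).read(),
                                           policy=policy.default)
            for part in msg.iter_attachments():
                if part.get_content_type() != "application/zip":
                    continue
                zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
                for entry in zf.namelist():
                    if zf.read(entry)[:2] == b"MZ" or entry.lower().endswith(
                            (".pif", ".exe", ".scr")):
                        findings.append((member.name, part.get_filename(),
                                         entry, "PE/executable"))
    return findings
```

Running `triage_tarball(build_sample_tarball())` reports the single constructed hit, the .pif inside message.zip inside t/corpus/bounce.msg; pointed at a real orig tarball, the same walk lists where such a fixture lives so a maintainer can decide whether to defang it.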
Bug#726393: general: Possible malware infections in source packages
Hi,

I have looked into this a bit.

> Some of the source packages were caught on a gateway anti-virus scanner
> while downloading.

Using a gateway anti-virus scanner for downloads from the Debian archive seems
a bit inappropriate, well, paranoid. Checking the signed hashsums would seem a
lot better to verify the downloads; if Debian's infrastructure were
compromised so viruses could get in *and* be signed, we and you have other
problems.

> http://ftp.fi.debian.org/[...]

If you suspect an issue with the Debian archive, please test against
ftp.debian.org.

> I looked into one of these, libmail-deliverystatus-bounceparser-perl_1.531.orig.tar.gz,
> and found a multipart email file containing a zip attachment. Inside this
> archive is a .pif file (PE32 executable for MS Windows) which is detected as
> Win32.Worm.Mytob.EF.

Yes, and the package carries it because it needs it in its operation. Have
you read the README file?

> This doesn't look like a false positive.

It isn't a false positive in that regard that the package *does* in fact
contain the virus sample. However, it *is* a false positive, as the sample
is there intentionally, and no virus scanner can guess the reason why it is
there. It does no harm in the location where it is, it will not spread, so
is it in fact a virus? No, it isn't.

> I hope that the source packages would be sanitized from any actual malware
> samples.

If a package has to contain virus samples for its operation, then how should
anyone sanitize it? You just found one more reason why anti-virus sucks.

(JM2C, I am not a Debian release engineer or DD.)

Cheers,
Nik

-- 
burny
One Jabber account to find them all; to drive them into the dark and bind
them forever; in NaturalNet, where the shadows loom ;)!
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Bug#726393: general: Possible malware infections in source packages
Pymilter is a false positive.
Bug#726393: general: Possible malware infections in source packages
On Tue, October 15, 2013 12:54, Dominik George wrote:
>> I looked into one of these, libmail-deliverystatus-bounceparser-perl_1.531.orig.tar.gz,
>> and found multipart email file containing zip attachment. Inside this
>> archive is a .pif file (PE32 executable for MS Windows) which is detected
>> as Win32.Worm.Mytob.EF.
>
> Yes, and the package carries it because it needs it in its operation. Have
> you read the README file?

I have in fact read the README and it doesn't seem to mention anything about
this, it doesn't even have the word virus at all.

>> This doesn't look like a false positive.
>
> It isn't a false positive in that regard that the package *does* in fact
> contain the virus sample. However, it *is* a false positive, as the sample
> is there intentionally, and no virus scanner can guess the reason why it is
> there. It does no harm in the location where it is, it will not spread, so
> is it in fact a virus? No, it isn't.

I'm missing why the package cannot use the EICAR test virus signature for its
purposes.

Thijs
Bug#726393: general: Possible malware infections in source packages
On Tuesday 15 October 2013 13:19:38 Thijs Kinkhorst wrote:
>> It isn't a false positive in that regard that the package *does* in fact
>> contain the virus sample. However, it *is* a false positive, as the sample
>> is there intentionally, and no virus scanner can guess the reason why it is
>> there. It does no harm in the location where it is, it will not spread, so
>> is it in fact a virus? No, it isn't.
>
> I'm missing why the package cannot use the EICAR test virus signature for
> its purposes.

In the libmail-deliverystatus-bounceparser-perl case, the virus is used in the
non-regression tests which are shipped in the original tarball (and in the
Debian *source* package). This virus is *not* shipped in the Debian binary
package.

HTH

-- 
https://github.com/dod38fr/ -o- http://search.cpan.org/~ddumont/
http://ddumont.wordpress.com/ -o- irc: dod at irc.debian.org
Bug#726393: general: Possible malware infections in source packages
On Tue, October 15, 2013 14:09, Dominique Dumont wrote:
> In libmail-deliverystatus-bounceparser-perl case, the virus is used on the
> non-regressions test which are shipped in the original tarball (and in
> Debian *source* package). This virus is *not* shipped in Debian binary
> package.

I'm still not sure why the virus contained in the source could not be
replaced by the EICAR test signature. Setting off false positive alarms masks
true positives so should be avoided as much as possible. The EICAR test
signature exists exactly for the purpose of tests.

I would consider any other virus sample shipped by Debian, be it source or
binary, a bug and I invite Jarkko to report them as such against the
respective packages, so they can be solved in coordination with their
upstreams.

Cheers,
Thijs
Bug#726393: general: Possible malware infections in source packages
On 10/15/2013 03:09 PM, Dominique Dumont wrote:
> On Tuesday 15 October 2013 13:19:38 Thijs Kinkhorst wrote:
>>> It isn't a false positive in that regard that the package *does* in fact
>>> contain the virus sample. However, it *is* a false positive, as the
>>> sample is there intentionally, and no virus scanner can guess the reason
>>> why it is there. It does no harm in the location where it is, it will
>>> not spread, so is it in fact a virus? No, it isn't.
>>
>> I'm missing why the package cannot use the EICAR test virus signature for
>> its purposes.
>
> In libmail-deliverystatus-bounceparser-perl case, the virus is used on the
> non-regressions test which are shipped in the original tarball (and in
> Debian *source* package). This virus is *not* shipped in Debian binary
> package.
>
> HTH

OK, you have already closed the ticket. I was expecting to find a general
policy that maintainers should not allow malware from upstream, but apparently
this is not desired or the discussion belongs somewhere else.

It doesn't really matter what the intention is; you are still allowing
malware to spread and potentially infecting users, as the packages are
publicly accessible. Just fetching the source package will give you this nice
surprise.

In most cases, samples can be replaced with EICAR or equivalent to trigger the
expected result, or tested with unit tests and proper mocking.

-- 
Jarkko Palviainen
Software Engineer, Linux Team
F-Secure Corporation
Bug#726393: general: Possible malware infections in source packages
On 2013-10-15 11:54, Dominik George wrote:
> [Jarkko Palviainen; attribution lost in quoted mail]
>> http://ftp.fi.debian.org/[...]
>
> If you suspect an issue with the Debian archive, please test against
> ftp.debian.org.

That's not particularly great advice. ftp.debian.org is just another
mirror[tm]; see the "where to mirror from" section of
http://www.debian.org/mirror/ftpmirror

Regards,

Adam
Bug#726393: Info received (Bug#726393: general: Possible malware infections in source packages)
Boots fine if the image is not persistent.
Bug#726393: Info received (Bug#726393: general: Possible malware infections in source packages)
Scott Kitterman <skl...@kitterman.com> wrote:
> Boots fine if the image is not persistent.

Sorry. Wrong bug.