Bug#726393: general: Possible malware infections in source packages
Package: general
Severity: normal

Some of the source packages were caught on a gateway anti-virus scanner while downloading. These are the exact downloads:

http://ftp.fi.debian.org/debian/pool/main/libm/libmime-explode-perl/libmime-explode-perl_0.39.orig.tar.gz
http://ftp.fi.debian.org/debian/pool/main/p/pymilter/pymilter_0.9.5.orig.tar.gz
http://ftp.fi.debian.org/debian/pool/main/libm/libmail-deliverystatus-bounceparser-perl/libmail-deliverystatus-bounceparser-perl_1.531.orig.tar.gz
http://ftp.fi.debian.org/debian/pool/main/l/linkchecker/linkchecker_7.9.orig.tar.bz2

I also uploaded the archives to virustotal.com for scanning with multiple vendors:

https://www.virustotal.com/en/file/2403530b352c591464b96b37173031749c993967ed6e1375b6d295ef84576ac9/analysis/
https://www.virustotal.com/en/file/2edb67ca8b8831991d7ba24092829e775355e5a35aeae61cac52de0dc82b2fd5/analysis/
https://www.virustotal.com/en/file/af45514ed8ad5491c8dd1d682a5061c79f624e1789abef3f27e92bcd3653c052/analysis/
https://www.virustotal.com/en/file/7bb478a4f9512e1dfe77c658f0410d62d9af91cedc35ee7aaaff6bc9a56d7f85/analysis/

I looked into one of these, libmail-deliverystatus-bounceparser-perl_1.531.orig.tar.gz, and found a multipart email file containing a zip attachment. Inside this archive is a .pif file (PE32 executable for MS Windows) which is detected as Win32.Worm.Mytob.EF. This doesn't look like a false positive.

I hope that the source packages would be sanitized from any actual malware samples.

-- System Information:
Debian Release: 7.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20131015102815.23380.68872.report...@debian.f-secure.com
Bug#726393: general: Possible malware infections in source packages
On 10/15/2013 03:09 PM, Dominique Dumont wrote:
> On Tuesday 15 October 2013 13:19:38 Thijs Kinkhorst wrote:
>> It isn't a false positive in that regard that the package *does* in fact contain the virus sample. However, it *is* a false positive, as the sample is there intentionally, and no virus scanner can guess the reason why it is there. It does no harm in the location where it is, it will not spread, so is it in fact a virus? No, it isn't.
>>
>> I'm missing why the package cannot use the EICAR test virus signature for its purposes.
>
> In the libmail-deliverystatus-bounceparser-perl case, the virus is used in the non-regression tests which are shipped in the original tarball (and in the Debian *source* package). This virus is *not* shipped in the Debian binary package.
>
> HTH

OK, you have already closed the ticket. I was expecting to find a general policy of "maintainers should not allow malware from upstream", but apparently this is not desired or the discussion belongs somewhere else.

It doesn't really matter what the intention is; you are still allowing malware to spread and potentially infecting users, as they are publicly accessible. Just fetching the source package will give you this nice surprise. In most cases, samples can be replaced with EICAR or equivalent to trigger the expected result, or tested with unit tests and proper mocking.

-- 
Jarkko Palviainen
Software Engineer, Linux Team
F-Secure Corporation

Archive: http://lists.debian.org/525d3ab6.4050...@f-secure.com
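The inspection described in the report (a multipart message carrying a zip attachment that in turn holds a PE executable) is the kind of check a maintainer can run over test fixtures before shipping a source tarball. The following is an added example, not code from the bug report or from any Debian package: it parses a message, opens zip attachments (nested ones included) and reports members that start with the DOS/PE "MZ" header. The sample message and the "MZ" stub inside it are constructed here and stand in for the real fixture.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_sample_eml() -> bytes:
    """Constructed fixture: a bounce-style message with a zip attachment
    whose member starts with 'MZ' (a harmless stub, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pif", b"MZ" + b"\x00" * 62 + b"constructed-stub")
    msg = EmailMessage()
    msg["Subject"] = "Delivery Status Notification (Failure)"
    msg.set_content("delivery failed")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="report.zip")
    return bytes(msg)


def _scan_blob(label: str, data: bytes) -> list:
    """Return (container, member) pairs for every blob carrying an MZ header,
    descending into zip archives recursively."""
    hits = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        if data[:2] == b"MZ":                 # bare executable attachment
            hits.append((label, label))
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = zf.read(info)
            if member[:2] == b"MZ":
                hits.append((label, info.filename))
            elif zipfile.is_zipfile(io.BytesIO(member)):   # nested archive
                hits.extend(_scan_blob(f"{label}/{info.filename}", member))
    return hits


def executable_attachments(eml: bytes) -> list:
    """List every attachment (or zip member) in a raw RFC 822 message that
    begins with the 'MZ' DOS/PE header, so it can be reviewed or replaced
    with an EICAR-style stand-in."""
    msg = message_from_bytes(eml, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        hits.extend(_scan_blob(name, part.get_payload(decode=True)))
    return hits
```

Run over a source tree, the same function can be applied to every `.eml`/`.msg`/`.txt` fixture that parses as a message; a non-empty result is a prompt for review, not proof of malice.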