With over 30,000 projects packaged by Debian, it doesn't seem too unlikely that some of them may contain malware. On Ubuntu's side, the review process is apparently rather superficial, aimed at catching some negligent coding practices rather than intentional malware (I'm appalled by how askubuntu took those kinds of "reviews" to mean that Ubuntu is free of malware)

Was there ever any malware actually found in Debian/Ubuntu packages?

MWB
  • Do you consider npm packages in-scope? – forest Jan 18 '21 at 05:04
  • @forest Does Debian "approve" them? – MWB Jan 18 '21 at 05:14
  • 1
    Debian's role in approving packages is minimal. I don't think they audit them directly since. – forest Jan 18 '21 at 05:17
  • I don't think it's happened, though there have been some close calls. Related: [Debian Investigation Report after Server Compromises](https://www.debian.org/News/2003/20031202), [What would happen if one of the popular Linux repositories is hacked?](https://security.stackexchange.com/q/14679/3365) – gowenfawr Jan 18 '21 at 05:19

2 Answers

To my knowledge, there is no known case of malware in Debian. However, Gentoo (another Linux distro) shipped a backdoor, so this is not beyond the realm of possibility.

MWB
  • It's debatable if that counts as "shipped". Yes, the Gentoo mirror servers were distributing the source code for a backdoored copy of "unrealircd", but they also distributed the checksum for the clean version, and Gentoo won't install the software unless the source code's checksum and the distributed checksum match. – Mark Dec 31 '21 at 11:01
  • @Mark The file was compromised *before* it entered the Gentoo system, according to [this comment](https://bugs.gentoo.org/323691#c19) by a security team member who also [wrote the announcement](https://lwn.net/Articles/392099/). – MWB Dec 31 '21 at 18:12
  • See https://blog.linuxmint.com/?p=2994 for an interesting read on how hackers compromised the web server for linuxmint.com in 2016 and created a link on the site to a malicious Linux Mint ISO. – mti2935 Dec 31 '21 at 22:41
  • @MWB the end result is malware ended up on end user computers whether it was before, during, or after – dcom-launch Jan 31 '22 at 22:18

This may need defining what you consider to be malware, as well as its scope. If an upstream package was compromised, and they made a release containing a malicious artifact, that could be picked up and packaged by downstream distributions. Although in that case one could argue whether it should be considered malware, or whether it isn't a feature of Foobar program 13.0 that it <does evil things>.

Actually, just embedding some malicious code in the binary of the upstream release would not be enough, since Debian will compile the package from source, so the malware would have to be present in the source code (the source code could embed a binary object; that would produce some automated warnings, but those might be missed by the Maintainer, so it's certainly a possibility). Ubuntu does the same as well for most packages, although that might not be the case for Restricted or Multiverse.

The most similar case I can think of is when Jamie Zawinski (JWZ) made his xdaliclock program run backwards after 31 Dec 1999 midnight, in a way that looked like a y2k bug. He added that feature on purpose in a bunch of obfuscated code a long time in advance, so distros would have picked up the version with that easter egg by the y2k epoch.

There was a post by JWZ telling that story, but I have been unable to find it. His current blog 'only' goes back to April 2002, it isn't mentioned on the xdaliclock page either, and general searches have failed me as well. ☹

Ángel