xanderal Tux's lil' helper
Joined: 06 Mar 2019 Posts: 133 Location: Germany
Posted: Sun Jun 23, 2019 7:42 pm Post subject: [SOLVED] possible compromised distfile
Hi,
as far as I understand the source code lives in DISTDIR (as set in make.conf), right?
So it shouldn't be a problem to delete a file in there of something I already installed?
Problem is that clamav flags one of them as problematic but a lot of packages depend on the (possibly compromised) package...
Last edited by xanderal on Fri Jul 19, 2019 8:01 am; edited 1 time in total
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9890 Location: almost Mile High in the USA
Posted: Sun Jun 23, 2019 8:22 pm
DISTDIR is a download directory where portage stores files and extracts them on build. Files there are checked by the checksums stored in the portage tree. The portage tree is now signed. So you do have implicit protection from corruption in DISTDIR. You can safely remove files from there - portage will automatically redownload files stored there as needed. A tool called "eclean" in app-portage/gentoolkit can be used to clean up old files.
Clamav is a special case. A default set of signature files can be downloaded/used from the distribution, but freshclam can download new signature files outside of portage, and now portage does not know if the files were corrupted or not post installation - it assumes so because they no longer match what they were initially installed with.
However freshclam should not be downloading to DISTDIR...what is the exact error and what program is reporting the corruption?
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
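The checksum check described in the post above, sketched as an added example (not part of any post in this thread and not Portage's own code): it compares one file against one `DIST` line taken from a package's Manifest. It assumes the Manifest `DIST` layout of name, size, then hash-name/hex pairs; the file name and payload are constructed, and the Manifest itself must come from a verified copy of the tree.

```python
import hashlib
import os
import tempfile

# Manifest hash names this sketch understands, mapped to hashlib constructors.
HASHERS = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512}


def parse_dist_line(line):
    """Parse 'DIST <name> <size> <ALGO> <hex> [<ALGO> <hex> ...]'."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 == 0:
        raise ValueError("not a DIST entry: %r" % line)
    return fields[1], int(fields[2]), dict(zip(fields[3::2], fields[4::2]))


def verify_distfile(path, manifest_line):
    """Return the list of mismatching properties; empty means the file matches."""
    name, size, digests = parse_dist_line(manifest_line)
    known = {algo: HASHERS[algo]() for algo in digests if algo in HASHERS}
    if not known:
        raise ValueError("entry carries no hash this sketch supports")
    problems = []
    if os.path.basename(path) != name:
        problems.append("name")
    if os.path.getsize(path) != size:
        problems.append("size")
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for hasher in known.values():
                hasher.update(chunk)
    problems += [a for a, h in known.items() if h.hexdigest() != digests[a].lower()]
    return problems


def demo():
    """Constructed sample: a fake distfile checked before and after tampering."""
    data = b"constructed sample payload, not a real distfile\n"
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "example-1.0.tar.xz")  # hypothetical name
        with open(path, "wb") as fh:
            fh.write(data)
        line = "DIST example-1.0.tar.xz %d BLAKE2B %s SHA512 %s" % (
            len(data), hashlib.blake2b(data).hexdigest(), hashlib.sha512(data).hexdigest())
        clean = verify_distfile(path, line)
        with open(path, "ab") as fh:
            fh.write(b"tampered")
        return clean, verify_distfile(path, line)
```

An empty list for a file a scanner has flagged means the file is byte-identical to what the Manifest records, so the download itself was not altered in transit or on disk.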
xanderal Tux's lil' helper
Joined: 06 Mar 2019 Posts: 133 Location: Germany
Posted: Sun Jun 23, 2019 8:42 pm
eccerr0r wrote: | DISTDIR is a download directory where portage stores files and extracts them on build. Files there are checked by the checksums stored in the portage tree. The portage tree is now signed. So you do have implicit protection from corruption in DISTDIR. You can safely remove files from there - portage will automatically redownload files stored there as needed. A tool called "eclean" in app-portage/gentoolkit can be used to clean up old files. |
That was what I was hoping for - thanks for the explanation.
eccerr0r wrote: | Clamav is a special case. A default set of signature files can be downloaded/used from the distribution, but freshclam can download new signature files outside of portage, and now portage does not know if the files were corrupted or not post installation - it assumes so because they no longer match what they were initially installed with.
However freshclam should not be downloading to DISTDIR...what is the exact error and what program is reporting the corruption? |
As far as I can tell freshclam didn't download to DISTDIR. I just scanned / recursively and clamav complained about gdk-pixbuf and emerge -pv --depclean gdk-pixbuf shows that it is being pulled in by about 20 packages. That's why I wanted to start by removing the distfile and not by unmerging gdk-pixbuf.
Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana
xanderal Tux's lil' helper
Joined: 06 Mar 2019 Posts: 133 Location: Germany
Posted: Sun Jun 23, 2019 8:49 pm
Jaglover wrote: | Probably false positive. I doubt your distfile(s) are actually compromised. |
You might be right. What I can say is that I reinstalled gentoo a couple of days ago (for unrelated reasons) and clamav flagged that file on the earlier gentoo install, too.
So, if you're right, clamav has had this false positive for at least a couple of weeks (yes, I didn't react all that fast...)
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Mon Jun 24, 2019 3:33 am
ClamAV is detecting a GIF testcase for a fix for the exploit it was supposed to be protecting from.
This antivirus software is worse than useless… if it were taken as truth, you would now be running software vulnerable to that malware. And would most likely be completely unprotected: who scans every image they encounter on the internet before viewing it?
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9890 Location: almost Mile High in the USA
Posted: Mon Jun 24, 2019 3:52 am
Ant P. wrote: | who scans every image they encounter on the internet before viewing it? |
And that's why McAfee is so slow...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
xanderal Tux's lil' helper
Joined: 06 Mar 2019 Posts: 133 Location: Germany
Posted: Fri Jul 19, 2019 8:01 am
eccerr0r wrote: | You can safely remove files from there - portage will automatically redownload files stored there as needed |
Thanks. I deleted the file and everything is good now