[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#726393: general: Possible malware infections in source packages

On 10/15/2013 03:09 PM, Dominique Dumont wrote:
On Tuesday 15 October 2013 13:19:38 Thijs Kinkhorst wrote:
It isn't a false positive in that regard that the package *does* in fact
contain the virus sample. However, it *is* a false positive, as the
sample is there intentionally, and no virus scanner can guess the reason
why it is there. It does no harm in the location where it is, it will
not spread, so is it in fact a virus? No, it isn't.

I'm missing why the package cannot use the EICAR test virus signature for
its purposes.

In libmail-deliverystatus-bounceparser-perl case, the virus is used on the
non-regressions test which are shipped in the original tarball (and in Debian
*source* package). This virus is *not* shipped in Debian binary package.


OK, you have already closed the ticket. I was expecting to find a general policy of "maintainers should not allow malware from upstream" but apparently this not desired or the discussion belongs to somewhere else.

It doesn't really matter what is the intention; you are still allowing spreading malware and potentially infecting users as they are publicly accessible. Just fetching the source package will give you this nice surprise.

In most cases, samples can be replaced with EICAR or equivalent to trigger the expected result, or tested with unit tests and proper mocking.

Jarkko Palviainen
Software Engineer, Linux Team
F-Secure Corporation

Reply to: