Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Keywords: Sourceforge, sourceforge.net, malware, Copyright, compromise
DBSA ID: 2015-0005
Original Advisory: DBSA:2015-0002 - Please review for context
Regarding: Sourceforge Download Tampering (Second Advisory)
Date: 2015 06 15
Last Modified: 20150615134117 by Gung-ho Gun
Who should take note: Everyone
Classification carries from original advisory
Rationale: Users must act to maintain control over what software is installed to their systems. Software publishers must act to maintain control over their software.
Rationale: The compromised downloads may include malware which may compromise user and system security.
Spread of Issue: MULTI-PLATFORM HIGH
Rationale: Since Sourceforge is a download service, any download provided could have been modified.
Sourceforge is a software repository mirroring service, owned and operated by DHI Group, Inc. (also known as "Dice Holdings"), which is used by software vendors to distribute their products on geographically distributed servers. It has been observed that Sourceforge is engaging in mass-takeovers of hosted repositories without adequate, transparent review, locking software vendors out of said repositories. Once a repository has been taken over and likely compromised, the repository is held by one of the following employee accounts:
To that end, it can be observed that many popular software projects have had their Sourceforge downloads likely compromised in addition to other titles. To clarify, these software titles and others listed in the sf-editor profiles are reputable one their own; and many, if not most of them, were taken without explicit consent from the software vendor.
Examples include (but not limited to):
The original advisory remains active and its Mitigation/Solution relevant.
Users are advised to discontinue use of the Sourceforge website for downloads unless experienced with software checksum verification protocols and equipped with a vendor-issued checksum lists provided outside of Sourceforge. It is advised to seek alternate downloads and to encourage software vendors that haven't changed their hosting arrangements away from Sourceforge to do so.