DBSA:2015-0002

From Digibase Knowledge Base
Revision as of 21:04, 27 May 2015 by Kradorex Xeron (talk | contribs) (Created page with "{{DBSAHEAD | TITLE=Sourceforge Download Tampering | KEYWORDS=Sourceforge, sourceforge.net, malware, Copyright, compromise }} '''DBSA ID:''' {{PAGENAME}} '''Regarding:''' Sou...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Digibase Security Advisory - Sourceforge Download Tampering

Keywords: Sourceforge, sourceforge.net, malware, Copyright, compromise

DBSA ID: 2015-0002

Regarding: Sourceforge Download Tampering

Writeup: Kradorex Xeron (talk) 21:04, 27 May 2015 (EDT)

Date: 2015 05 28

Last Modified: 20150527210443 by Kradorex Xeron

Who should take note: Everyone

Classification

Priority: LOW/MODERATE/HIGH

Rationale: HIGH

Severity: LOW/MODERATE/HIGH

Rationale: HIGH

Spread of Issue: SINGLE-PLATFORM/MULTI-PLATFORM LOW/MODERATE/HIGH

Rationale: MULTI-PLATFORM HIGH

Description

Sourceforge is a software repository mirroring service owned and operated by DHI Group, Inc. (also known as "Dice Holdings") that is used by software vendors to distribute their software on geographically distributed servers. On projects where the original authors or vendors decline to maintain updates to migrate mirroring to in-house or using another service, Sourceforge has been identified to have without authorization of vendors publish updates and modify downloads. Sourceforge has rationalized that they have purview when software is abandoned to "editorially curate" software stored on their systems.

Sourceforge claims that they have been making efforts to remove malicious or misleading advertisements, but have published that they include sponsored offers in their downloads. These sponsored offers included in downloaders can contain malware of the unwanted software classification that a user moving to quickly install software using defaults may inadvertently install.

Archived statement from Sourceforge "Community Team" on 27 May 2015 (see References for original):

There has recently been some report that the GIMP-Win project on SourceForge has been hijacked; this project was actually abandoned over 18 months ago, and SourceForge has stepped-in to keep this project current. For more details, read on…

The GIMP-Win project was registered on SourceForge in October of 2004. In 2013, the GIMP-Win author discontinued use of SourceForge for download delivery.

Based on our prior outreach to the GIMP-Win author, we understand that they had concerns about the presence of misleading third-party ads on SourceForge. They were not alone in those concerns — we were also concerned — leading us to establish a program to enable users and developers to help us remove misleading and confusing ads.

In cases where a project is no longer actively being maintained, SourceForge has in some cases established a mirror of releases that are hosted elsewhere. This was done for GIMP-Win.

When we establish a mirror, we change the status on the project to clearly delineate it as a mirror, and change administrative control of the project to clearly delineate that it is editorially curated by SourceForge.

Mirrored projects help enable end-users to stay current with the latest releases, particularly where SourceForge continues to house historical releases for community benefit.

Mirrored projects are sometimes used to deliver easy-to-decline third-party offers, and the original downloads are always available.

Since our change to mirror GIMP-Win, we have received no requests by the original author to resume use of this project. We welcome further discussion about how SourceForge can best serve the GIMP-Win author.


Mitigation/Solution

Users are always advised to be cautious about software being downloaded and installed to systems, even from trusted sources. Users are further advised to treat Sourceforge with suspicion and investigate possible alternate sources to download software and to understand that software downloaded from Sourceforge or any of its mirrors may be compromised with malware.

Software authors and vendors are advised to be aware of the possible damage to their rights and degradation of user experience and security in using SourceForge as a mirroring service and act accordingly.

References

Retrieved from "http://kb.digibase.ca/index.php?title=DBSA:2015-0002&oldid=752"