DBSA:2015-0005
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Contents
Digibase Security Advisory - Sourceforge Download Tampering (Second Advisory)
Keywords: Sourceforge, sourceforge.net, malware, Copyright, compromise
DBSA ID: 2015-0005
Original Advisory: DBSA:2015-0002 - Please review for context
Regarding: Sourceforge Download Tampering (Second Advisory)
Writeup: Kradorex Xeron (talk) 14:19, 15 June 2015 (EDT)
Date: 2015 06 15
Last Modified: 20150615132354 by Kradorex Xeron
Who should take note: Everyone
Classification
Classification carries from original advisory
Priority: HIGH
Rationale: Users must act to maintain control over what software is installed to their computers, software publishers must act to maintain control over their software.
Severity: HIGH
Rationale: The compromised downloads may include malware that may compromise user security.
Spread of Issue: MULTI-PLATFORM HIGH
Rationale: Since Sourceforge is a download service, any download provided could have been modified.
Description
Sourceforge is a software repository mirroring service owned and operated by DHI Group, Inc. (also known as "Dice Holdings") that is used by software vendors to distribute their software on geographically distributed servers. It has been observed that that Sourceforge is engaging in mass-takeovers of hosted repositories without adequate, transparent review, locking software vendors out of said repositories. Once a repository has been taken over and likely compromised, the repository is held by one of the following employee accounts:
- http://sourceforge.net/u/sf-editor/profile/
- http://sourceforge.net/u/sf-editor1/profile/
- http://sourceforge.net/u/sf-editor2/profile/
- http://sourceforge.net/u/sf-editor3/profile/
To that end, it can be observed that many popular software projects have had their Sourceforge downloads likely compromised in addition to other titles. To clarify, these software titles and others listed in the sf-editor profiles are reputable on their own, and many, if not most of them were taken without explicit consent of the software vendor.
Examples (but not limited to):
- Firefox
- Apache OpenOffice
- LibreOffice
- GIMP Image Editor for Windows (Gimp-Win)
- Audacious
- Audacity
- Apache HTTPD Webserver software
- MySQL Database Server software
- PostgreSQL Database Server software
- Drupal
- Fedora Linux
Mitigation/Solution
The original advisory remains active and its Mitigation/Solution relevant.
Users are advised to discontinue use of the Sourceforge website for downloads unless experienced with software checksum verification protocols and equipped with a vendor-issued checksum lists provided outside of Sourceforge. It is advised to seek alternate downloads and to encourage software vendors that haven't changed their hosting arrangements away from Sourceforge to do so.
References
(internal research)