Difference between revisions of "DBSA:2015-0002"

From Digibase Knowledge Base
Jump to: navigation, search
 
Line 18: Line 18:
 
==Classification==
 
==Classification==
  
'''Priority:''' LOW/MODERATE/HIGH
+
'''Priority:''' HIGH
  
'''Rationale:''' HIGH
+
'''Rationale:''' Users must act to maintain control over what software is installed to their computers, software publishers must act to maintain control over their software.
  
'''Severity:''' LOW/MODERATE/HIGH
+
'''Severity:''' HIGH
  
'''Rationale:''' HIGH
+
'''Rationale:''' The compromised downloads may include malware that may compromise user security.
  
'''Spread of Issue:''' SINGLE-PLATFORM/MULTI-PLATFORM LOW/MODERATE/HIGH
+
'''Spread of Issue:''' MULTI-PLATFORM HIGH
  
'''Rationale:''' MULTI-PLATFORM HIGH
+
'''Rationale:''' Since Sourceforge is a download service, any download provided could have been modified.
  
 
==Description==
 
==Description==

Latest revision as of 20:49, 3 June 2015

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Digibase Security Advisory - Sourceforge Download Tampering

Keywords: Sourceforge, sourceforge.net, malware, Copyright, compromise

DBSA ID: 2015-0002

Regarding: Sourceforge Download Tampering

Writeup: Kradorex Xeron (talk) 21:04, 27 May 2015 (EDT)

Date: 2015 05 28

Last Modified: 20150603204921 by Kradorex Xeron

Who should take note: Everyone

Classification

Priority: HIGH

Rationale: Users must act to maintain control over what software is installed to their computers, software publishers must act to maintain control over their software.

Severity: HIGH

Rationale: The compromised downloads may include malware that may compromise user security.

Spread of Issue: MULTI-PLATFORM HIGH

Rationale: Since Sourceforge is a download service, any download provided could have been modified.

Description

Sourceforge is a software repository mirroring service owned and operated by DHI Group, Inc. (also known as "Dice Holdings") that is used by software vendors to distribute their software on geographically distributed servers. On projects where the original authors or vendors decline to maintain updates to migrate mirroring to in-house or using another service, Sourceforge has been identified to have without authorization of vendors publish updates and modify downloads. Sourceforge has rationalized that they have purview when software is abandoned to "editorially curate" software stored on their systems.

Sourceforge claims that they have been making efforts to remove malicious or misleading advertisements, but have published that they include sponsored offers in their downloads. These sponsored offers included in downloaders can contain malware of the unwanted software classification that a user moving to quickly install software using defaults may inadvertently install.

Archived statement from Sourceforge "Community Team" on 27 May 2015 (see References for original):

There has recently been some report that the GIMP-Win project on SourceForge has been hijacked; this project was actually abandoned over 18 months ago, and SourceForge has stepped-in to keep this project current. For more details, read on…

The GIMP-Win project was registered on SourceForge in October of 2004. In 2013, the GIMP-Win author discontinued use of SourceForge for download delivery.

Based on our prior outreach to the GIMP-Win author, we understand that they had concerns about the presence of misleading third-party ads on SourceForge. They were not alone in those concerns — we were also concerned — leading us to establish a program to enable users and developers to help us remove misleading and confusing ads.

In cases where a project is no longer actively being maintained, SourceForge has in some cases established a mirror of releases that are hosted elsewhere. This was done for GIMP-Win.

When we establish a mirror, we change the status on the project to clearly delineate it as a mirror, and change administrative control of the project to clearly delineate that it is editorially curated by SourceForge.

Mirrored projects help enable end-users to stay current with the latest releases, particularly where SourceForge continues to house historical releases for community benefit.

Mirrored projects are sometimes used to deliver easy-to-decline third-party offers, and the original downloads are always available.

Since our change to mirror GIMP-Win, we have received no requests by the original author to resume use of this project. We welcome further discussion about how SourceForge can best serve the GIMP-Win author.


Archived statement from GIMP-Win developer Jernej Simončič on 26 May 2015 (see References for original):

On Tuesday, May 26, 2015, 8:40:08, Ofnuts wrote:

Should this site be closed down entirely (assuming it is still under the control of someone related to Gimp development)? There are still plenty of links pointing to it, and it would be better for them to be invalid instead of pointing to this crap?

SourceForge has taken the gimp-win project control away from me (apparently due to inactivity, although they haven't done anything like that with a few other inactive projects I'm a member of), and so far they haven't responded to the message I sent them to cease the distribution of the installer.

It isn't the purview of this advisory to comment on political rammifications, however it should be approached with caution when a distribution service attempts to deprive a software producer of access to modify the terms of the distribution or cease distribution.

Mitigation/Solution

Users are always advised to be cautious about software being downloaded and installed to systems, even from trusted sources. Users are further advised to treat Sourceforge with suspicion and investigate possible alternate sources to download software and to understand that software downloaded from Sourceforge or any of its mirrors may be compromised with malware.

Software authors and vendors are advised to be aware of the possible damage to their rights and degradation of user experience and security in using SourceForge as a mirroring service and act accordingly.

References