124
submitted 9 months ago by pnutzh4x0r@lemmy.ndlug.org to c/linux@lemmy.ml

Aqua Nautilus researchers have identified a security issue that arises from the interaction between Ubuntu’s command-not-found package and the snap package repository. While command-not-found serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages.

top 30 comments
sorted by: hot top controversial new old
[-] OsrsNeedsF2P@lemmy.ml 54 points 9 months ago* (last edited 9 months ago)

Tl;dr Someone makes a package called "chromee", you try to install "chrome" via apt, it's not found, but finds "chromee" in Snap and suggests it.

They could simply make it so the auto suggestion only suggests FOSS apps from verified publishers, since they already have that data

[-] avidamoeba@lemmy.ca 12 points 9 months ago

Which is probably how they're gonna fix it.

[-] possiblylinux127@lemmy.zip 35 points 9 months ago

What a surprise. Its almost like forcing snap is a bad idea

[-] Unyieldingly@lemmy.world 15 points 9 months ago

Steam snap was so broken Valve told people to use the .deb or flathub.

[-] savvywolf@pawb.social 30 points 9 months ago

Wait... Snap packages aren't manually verified? Why Canonical? Doesn't every other Linux package manager have their main packages repository manually vetted?

[-] OsrsNeedsF2P@lemmy.ml 29 points 9 months ago

Neither Canonical"s Snapstore, nor Flathub manually verify apps. They're both similar to the Play Store or App Store where it's managed by the app developer.

For Flathub there are verified apps though, which are confirmed to be by the original developer.

[-] Montagge@kbin.earth 6 points 9 months ago

Snap store does similar I believe

[-] Neon@lemmy.world 0 points 9 months ago

yeah, but i can still make a Github Repo for Firefoxx and be Verified on Flathub, even though i am masquerading as Firefox. That's not the Problem.

[-] jbk@discuss.tchncs.de 5 points 9 months ago

Since you need to pass a manual review during initial submission of the app, no, you can't

[-] ryannathans@aussie.zone 2 points 9 months ago

A fake malware password manager made it on to Apple's app store, passed manual review. Manual reviews are not bulletproof

[-] jbk@discuss.tchncs.de 1 points 9 months ago

That's still not the same as impersonating a known app or developer though

[-] ryannathans@aussie.zone 1 points 9 months ago* (last edited 9 months ago)

That's exactly what they did, imitated lastpass or something

And why does Apple's process say something about Flathubs process?

[-] ryannathans@aussie.zone 1 points 9 months ago* (last edited 9 months ago)

Example of strict manual reviews including source code not catching malware masquerading as existing reputable software, it's the exact same scenario minus Apple being a commercial entity. Goes to show that even when commercial interests are at stake to keep these malicious apps out, they can still get in. It's just demonstrating manual reviews aren't a 100% bulletproof solution, the commenter was saying it's not possible for malware to get past manual review

This isn't the point of the review. Verified apps only say this is the application as offered by the original vendor.
If the original vendor were to bundle malware, then that's a bad vendor, but still verified official software. Not that I actually think this will happen. Most user install malware such as Discord willingly. /j

[-] jbk@discuss.tchncs.de 7 points 9 months ago

Flathub has manual reviews during initial submission though. Also they're working on automatically needing a manual review when e.g. new permissions are granted to apps

[-] bitwolf@lemmy.one 17 points 9 months ago

It's funny bc I'm seeing this as karma for a dark pattern.

[-] octopus_ink@lemmy.ml 13 points 9 months ago* (last edited 9 months ago)

I've still never quite been able to understand the problem being solved by going back to what we were happy to leave behind with Windows: The google, download, install, hope it's not malicious, software installation model.

I should add that it's VERY common when one of these "OMG I tried Linux and I can't even install anything" posts come up, it's because they are still doing that. Google, download, install, hope it's not malicious. And they grab something that's a bad choice for their distro, or not the best way to install something etc.

Not that many years ago, you could quickly explain that in the Linux ecosystem that's really not how it works, and is not a good choice until they are experienced enough to make an informed decision. How do you tell the noobies that now without having to then get into snaps/flatpak/appimage and all their differences and caveats?

Saw just such a post in the past few days, and didn't even try to explain their problem looked to be that they'd randomly installed shit they found googling, which is normal in Windows, but a bad idea in Linux. I'm not, nor will I ever be, an expert in all those ways of packaging, especially since I've eschewed their use myself.

I see these as solutions without a problem, and that have made it harder, not easier, to help out the noobies when they come in trying to do things "Windows-style."

I'm sure there are people who love this evolutionary step, and that's fine. I'm not a hater, so please don't come at me as if I am. If these things work for you, I am happy they do so. I just feel we've put a lot of effort into trying to throw out the baby with the bathwater on this topic in recent years.

Instead of looking to refine how package managers work and packages are maintained, we now have 15 competing standards. (/xkcd)

[-] Virulent@reddthat.com 5 points 9 months ago

Only appimages follow that model and the problem being solved is real and has nothing to do with any of that. The problem being solved is the huge amount of wasted work that distributions do by having to package and support every single project in existence for their various targets. Giving developers a single target like the freedesktop.org runtimes (in the case of flatpaks) and having them package and support applications is a much simpler and more efficient model.

[-] octopus_ink@lemmy.ml 3 points 9 months ago

I should maybe have explained one detail better.

and has nothing to do with any of that.

It absolutely does. Because the answer for the noobs used to be:

"Just install from your distro's repo. If you need help, ask others who run your distro about how to do it properly. Do NOT go and just google for something and install it, nor compile from source until you are experienced enough to make an informed choice to do so." That advice would sidestep so many headaches for noobs and for folks trying to help noobs.

But now that last part is:

"Stay within your distros repos unless you want to use snaps. Of course, if you are going to use snaps, here are these things you should know. You could also probably find a flatpak for many things, so you can try that, but now here's some things you should know about flatpak. Appimage is also an option, and you can probably find an appimage for some software, but appimage also has some things you should know about how it works and how to integrate it with your system. You should also understand the pros and cons of each of those options with regard to security, and also how that detail compares against just using software from your distro's repos."

My eyes glazed over just typing that. That's not going to help a confused noobie.

[-] Virulent@reddthat.com 7 points 9 months ago

A noob shouldn't have to think about any of this. They would install from gnome software or discover and not know the difference between flatpaks or rpms or debs.

[-] octopus_ink@lemmy.ml 2 points 9 months ago* (last edited 9 months ago)

I suppose that sounds great, but every time I see a thread where folks complain about these various packaging formats, I'm just really happy I don't use any of them on my system. All I see in these discussions are user-level problems that I don't ever have due to avoiding them entirely. One day when I can't run a distro that doesn't use them I suppose I'll have no choice, but until then... We clearly seem NOT to have settled on a single target, so I don't know why I'd voluntarily wade into all that as a user while it's still not settled.

[-] D_Air1@lemmy.ml 12 points 9 months ago

Seems like the problem is more that they allowed random unverified apps to be uploaded in the first place rather than the suggestion prompt. Even then this seems like a good reason to not recommend unverified sources by default.

[-] ProgrammingSocks@pawb.social 9 points 9 months ago

Yeah, fuck snap. I've been actively recommending against using Ubuntu because of it to new users.

[-] princessnorah@lemmy.blahaj.zone 6 points 9 months ago

I’ve been really enjoying LMDE (Linux Mint Debian Edition) as a main distro. It asks you during the install what package systems you want to include and you can just not select snap 👌

[-] penquin@lemm.ee 6 points 9 months ago

Does canonical not verify snaps when they're submitted to them like flathub does now?

[-] merthyr1831@lemmy.world 10 points 9 months ago

Nope. It's automated and doesnt detect malicious name-squatting (what caused the last security drama within snap)

Doesn't help that unlike flatpak, snaps are pretty much exclusively used on Ubuntu so many Devs won't bother porting their apps to it so snaps are rife with dodgy repacked apps and people squatting official names of popular flatpak apps

[-] penquin@lemm.ee 2 points 9 months ago

That's messed up. I'm going to stay away from them for sure.

[-] merthyr1831@lemmy.world 3 points 9 months ago

FWIW Flatpak also does it automated, but as others said they manually verify new entries, and since it's such a widely adopted standard there's less opportunity to name-squat a popular app that isn't already available.

I don't know what flatpak does to stop, say, someone releasing a legit/dummy app to pass manual verification before replacing it with a malicious app and a new name, so can't comment on how effective their security is beyond the initial release

this post was submitted on 14 Feb 2024
124 points (97.0% liked)

Linux

48376 readers
810 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS