Comment by shlip
1 day ago
Here is how I did it:
Get a list of installed packages originating from AUR using 'yay':
`yay -Qam > packages_aur.last`
Get the list from https://md.archlinux.org/s/SxbqukK6IA# :
`curl https://md.archlinux.org/s/SxbqukK6IA/download > compromised.txt`
then:
`grep -wFf compromised.txt packages_aur.last`
should spit out the packages that are in both files, hence were compromised at some point, I guess.
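A worked version of the cross-reference above, added here as an example and not part of shlip's comment. It matches on the package-name field only, because `grep -wFf` treats a hyphen as a word boundary and so word-matches a listed name like `qt5` inside the unrelated package `qt5-3d`; it also tolerates heading and blank lines in the downloaded list. The file names, package names, versions and the heading line are all constructed for the demo and assume a `pacman -Qm`-style "name version" layout:

```shell
#!/bin/sh
# Added example, not code from the comment above. All input is constructed.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed stand-in for `yay -Qm` / `pacman -Qm` output: "name version".
cat > "$TMPD/packages_aur.last" <<'EOF'
libgdata 0.18.1-5
qt5-3d 5.15.18-1
qt5 5.15.18-1
yay 12.4.2-1
EOF

# Constructed stand-in for the downloaded list: one package name per line,
# plus a heading line such as a pasted document might carry.
cat > "$TMPD/compromised.txt" <<'EOF'
# Affected packages (constructed list)
libgdata
qt5
EOF

# The approach from the comment, kept for comparison: each listed name is a
# word pattern, so "qt5" also matches the line for "qt5-3d", and the version
# column is searched as well as the name column.
naive_match() {
    grep -wFf "$1" "$2"
}

# Exact match on the package-name field. $1: list of names (blank and '#'
# lines ignored), $2: installed-package list. Prints the matching lines.
# Note: the NR == FNR idiom assumes the name list is non-empty.
find_compromised() {
    awk 'NR == FNR {
             if ($0 ~ /^[ \t]*$/ || $0 ~ /^#/) next
             bad[$1] = 1
             next
         }
         ($1 in bad) { print }' "$1" "$2"
}

echo "== grep -wFf (3 lines; qt5-3d is a false positive):"
naive_match "$TMPD/compromised.txt" "$TMPD/packages_aur.last"
echo "== exact name match (2 lines):"
find_compromised "$TMPD/compromised.txt" "$TMPD/packages_aur.last"
```

To use it against a real system, replace the two heredocs with the `yay -Qm` output and the downloaded list; a match on the name alone still does not tell you whether the installed version was one of the affected ones, so the install date and version check discussed below still applies.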
Thank you for this! I only had two on my system, thank goodness. I have uninstalled both.
`libgdata 0.18.1-5`, `qt5-3d 5.15.18-1`
Have you checked the install date? I'm not sure which are the compromised version numbers, but if they were installed before June 10 you're probably safe. (I think libgdata 0.18.1-5 used to be on the main repos in February, and has recently been downgraded to AUR, so you may be fine).
Only packages from AUR have been compromised, meaning a normal update `pacman -Syu` won't install them, they'll only be installed by `makepkg` or AUR helpers (such as `paru`, which asks you to review the PKGBUILD diff).
Also, if you had installed a compromised version, uninstalling the packages is not enough, you'd probably need to reinstall your system and rotate all credentials. More info here and on the linked blog: https://discourse.ifin.network/t/400-aur-packages-compromise...
These were installed before June 10th, I am almost certain. I will read that link just to be safe!
Looking at my pacman cache, both of these versions existed on my system before June of this year, so I think I am okay.