[Note that I've never looked at the tini package before; I'm just a
Debian developer who happened to see this bug report due to its slightly
malformed "Package:" line.]
On Tue, Oct 21, 2025 at 12:26:44PM -0500, Jacob Rodriguez wrote:
> When installing tini from
> https://packages.debian.org/trixie/amd64/tini/download, the version of the
> package "tini_0.19.0-3+b3_amd64.deb" with signature
> "9803a1d1f1a5f7206825001744c2ab00dec8b865f470cbfdb40b3d339d10b71c" is being
> flagged as malware. Upon investigating in VirusTotal, it appears this is a
> known detection where the "tini-static" file with checksum
> "14a3bdbf9e507ee266b51ec94f12c3411c630d177c3532f160539516612db2b6"
> specifically is showing signs of obfuscating itself and performing system
> calls.
> The versions of the package prior to this have no issues and are not
> identified as malware.
VirusTotal may claim this, but these things are far from infallible: see
https://hachyderm.io/@simontatham/115343156220572734 and thread for
comparison.
As far as I can see, a fair number of the claims VirusTotal makes here
are simply untrue. There's no sign of this binary doing anything with
either systemd or rsyslog directly, for instance (and in any case lots
of Debian packages do such things perfectly legitimately). As for using
RC4 and XOR, neither is a particularly cut-and-dried sign of malware by
itself, but in any case there's no sign of either in the source code.
And _of course_ it performs system calls! It's an init implementation,
so it kind of has to.
In this case, the source code is indeed tiny; I went through all its
files by hand and found nothing suspicious. (src/tiniLicense.h looks
obfuscated at first glance, but it's easy to verify that it's simply the
contents of the LICENSE file encoded as a character array so that it can
be embedded in the binary.)
All Debian binary packages are built from source on trusted builders,
but I can't just expect you to take my word for it that nothing
malicious happened on the builder. Fortunately, we have reproducible
builds. You can pick out the buildinfo file from near the end of
https://buildd.debian.org/status/fetch.php?pkg=tini&arch=amd64&ver=0.19.0-3%2Bb3&stamp=1753905020&raw=0,
and run something like "debrebuild --buildresult=tini-artifacts
--builder=mmdebstrap tini_0.19.0-3+b3_amd64.buildinfo" (from the
devscripts package) on it. I did so on my laptop and got identical
results.
So, either the alleged malware is in libgcc or glibc (since those are
the only other places where code in tini-static could possibly come
from), or this is a false positive. I think the balance of probability
is in favour of this being a false positive.
We of course have no useful way to figure out why some opaque antivirus
vendor (often mainly focused on other operating systems) might have
decided to flag a binary in Debian as malware. Given the
hard-to-explain notes about systemd and rsyslog, I'd speculate that
somebody might have scanned a malicious container that happens to be
built using tini and then reported all the binaries in it. But we can
really only guess.
I recommend that the maintainer should close this bug.
Thanks,
--
Colin Watson (he/him) [[email protected]]
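The verification procedure described in the reply above (check the downloaded .deb against the published SHA-256, rebuild it from its .buildinfo with debrebuild, and compare the result), written out as a small POSIX shell script. This is an added example, not code from the bug report or from the tini or devscripts projects. It assumes the debrebuild invocation quoted in the reply, that sha256sum and cmp are available, and that the rebuilt .deb lands in the --buildresult directory under its original file name; the sample "artifacts" in demo() are constructed in a temporary directory so the checksum and comparison parts run offline.

```shell
#!/bin/sh
# Added example: verify a downloaded Debian binary package against a
# published SHA-256, then (when devscripts and mmdebstrap are installed)
# rebuild it from its .buildinfo and compare the rebuilt artifact byte-for-byte.
set -u

# sha256_of FILE -> prints the hex SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# check_sha256 FILE EXPECTED -> returns 0 if the digest matches, 1 otherwise
# e.g. check_sha256 tini_0.19.0-3+b3_amd64.deb \
#        9803a1d1f1a5f7206825001744c2ab00dec8b865f470cbfdb40b3d339d10b71c
check_sha256() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK   $1 matches $2"
        return 0
    fi
    echo "FAIL $1: expected $2, got $actual"
    return 1
}

# same_artifact A B -> returns 0 if the two files are byte-identical
same_artifact() {
    cmp -s "$1" "$2"
}

# rebuild_and_compare BUILDINFO ORIGINAL_DEB OUTDIR
# Runs the debrebuild command from the reply (assumed: the rebuilt .deb is
# written to OUTDIR under the same file name as ORIGINAL_DEB).
# Returns 0 if reproducible, 1 on mismatch or build failure, 2 if tools missing.
rebuild_and_compare() {
    buildinfo=$1; orig=$2; outdir=$3
    if ! command -v debrebuild >/dev/null 2>&1; then
        echo "debrebuild not found (apt install devscripts mmdebstrap)"
        return 2
    fi
    debrebuild --buildresult="$outdir" --builder=mmdebstrap "$buildinfo" || return 1
    rebuilt="$outdir/$(basename "$orig")"
    if same_artifact "$orig" "$rebuilt"; then
        echo "reproducible: $(sha256_of "$orig")"
        return 0
    fi
    echo "MISMATCH: rebuilt $(sha256_of "$rebuilt") vs downloaded $(sha256_of "$orig")"
    return 1
}

# demo: constructed sample files (not real packages) exercising the checks offline
demo() {
    tmp=$(mktemp -d)
    printf 'constructed sample deb contents\n' > "$tmp/a.deb"
    cp "$tmp/a.deb" "$tmp/b.deb"                                  # identical copy
    printf 'constructed sample deb contents (tampered)\n' > "$tmp/c.deb"   # differs
    expected=$(sha256_of "$tmp/a.deb")
    check_sha256 "$tmp/b.deb" "$expected"        # prints OK
    check_sha256 "$tmp/c.deb" "$expected"        # prints FAIL
    same_artifact "$tmp/a.deb" "$tmp/b.deb" && echo "a.deb and b.deb are identical"
    same_artifact "$tmp/a.deb" "$tmp/c.deb" || echo "a.deb and c.deb differ"
    rm -rf "$tmp"
}

# Usage: "sh verify.sh demo" runs the offline demo; otherwise, with the
# downloaded .deb and its .buildinfo in the current directory:
#   rebuild_and_compare tini_0.19.0-3+b3_amd64.buildinfo \
#                       tini_0.19.0-3+b3_amd64.deb tini-artifacts
[ "${1:-}" = "demo" ] && demo
```

A byte-identical rebuild tells you the builder did not inject anything that is absent from the source and the declared build dependencies; it does not by itself rule out the remaining places the reply names (libgcc, glibc), which would have to be checked the same way through their own buildinfo files.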