Following up on this, I went through and pulled the interim releases from launchpad and submitted the keepass.exe binaries to the anti-virus services, and they start getting triggered by the 2.31+dfsg-1 version:
2.31+dfsg-1 (https://launchpad.net/ubuntu/+source/keepass2/2.31+dfsg-1/+build/8829631) results:
https://virusscan.jotti.org/en-US/filescanjob/2f4uejsje3
https://www.virustotal.com/sv/file/ed1d3f21be70feaf850f175c29fa28d07a453800ba0abcb3c44cf402db8ea5eb/analysis/

2.30+dfsg-2 (https://launchpad.net/ubuntu/+source/keepass2/2.30+dfsg-2/+build/8797566) results:
https://virusscan.jotti.org/en-US/filescanjob/dp4fnv25a3
https://www.virustotal.com/sv/file/be94faa8e306c825a604b358e2985f2698c7298408a18ead36dd6123437ad129/analysis/1468453778/

2.30+dfsg-1 (https://launchpad.net/ubuntu/+source/keepass2/2.30+dfsg-1/+build/8178398) results:
https://virusscan.jotti.org/en-US/filescanjob/1vfl96j3ib
https://www.virustotal.com/sv/file/93bc870427b59ee741731db11651d475deb7e9b1c8ef892a8b1e1efec644167a/analysis/1468453545/

Julian Taylor also found similar results rebuilding those versions against current xenial and submitting the results for scanning.

The source orig tarball for both these versions scans clean:
2.31 https://www.virustotal.com/sv/file/954986db5acb63c634bc9fd8496bb822461eb62147b10e054bb8e7662533db5d/analysis/1468563164/
2.30 https://www.virustotal.com/sv/file/3c99953402b6987be8c04fb0955b3045371724df3cae19fe750e89a830e7b19a/analysis/1468563034/

I also note that Julian retried building the 2.34+dfsg-1 version against precise (12.04), trusty (14.04), and xenial (16.04), using the mono toolchain from each release, and got the same triggered results for the xenial and trusty builds, but the precise build came out clean.

I also submitted some other PE32 binaries from the Banshee package in xenial (version 2.9.0+really2.6.2-7ubuntu2) and got no positive hits from those either.

I think this is still a false positive. Both Debian and Ubuntu build the keepass2 package from the upstream source using mono (whereas upstream builds with a Windows compiler). I initially incorrectly thought a repackaged binary from upstream was what the keepass2 package contained.
If there is malware being injected, it would need to be in the toolchain or embedded libraries or some coordinated effort between them and the keepass, but then you would expect that either earlier versions of keepass rebuilt with the xenial toolchain would show evidence of it, or that it wouldn't show up when built with trusty's toolchain, and that it would possibly show up in other PE32 binaries (though the small sample that I tested is in no way comprehensive; more research on this would be appreciated).

I have not walked through all of keepass2's (mono) build dependencies, looking for a triggering malware, nor have I tried to decompile the keepass.exe binaries looking for embedded malware. If someone would like to take that on, that would be great.

I don't see a need to keep this bug report private, so I'm opening it up. Thanks!

** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1602645

Title: Malware found in /usr/lib/keepass2/KeePass.exe

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/keepass2/+bug/1602645/+subscriptions

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
