[R-pkg-devel] Possible malware(?) in a vignette

Robert M. Flight r|||ght79 @end|ng |rom gm@||@com
Thu Jan 25 15:47:18 CET 2024


I decided to grab a copy of that PDF from the RStudio CRAN mirror, and
downloaded it on Linux (where hopefully it won't be an issue) from the list of
vignettes.

Virus Total gives it the same hash as the above linked PDF, so it's
definitely been propagated from CRAN, and *may* be malicious.

That is *disconcerting* to say the least.

-Robert

On Thu, Jan 25, 2024 at 6:03 AM Iñaki Ucar <iucar using fedoraproject.org> wrote:

> On Thu, 25 Jan 2024 at 10:13, Colin Gillespie <csgillespie using gmail.com>
> wrote:
> >
> > Hi All,
> >
> > I've had two emails from users in the last 24 hours about malware
> > around one of my vignettes. A snippet from the last user is:
> >
> > ---
> > I was trying to install an R package that depends on poweRlaw two
> > weeks ago.  However my virus protection software F secure did not
> > allow me to install it from CRAN, while installation from GitHub
> > worked normally. Virus protection software claimed that
> > d_jss_paper.pdf is compromised. I asked about this from our IT support
> > and they asked it from the company F secure. Now F secure has analysed
> > the file and according to them it is malware.
> >
> > “Upon analyzing, our analysis indicates that the file you submitted is
> > malicious. Hence the verdict will remain
>
> See
> https://www.virustotal.com/gui/file/9486d99c1c1f2d1b06f0b6c5d27c54d4f6e39d69a91d7fad845f323b0ab88de9/behavior
>
> According to the sandboxed analysis, there's something there trying to
> tamper with the Acrobat installation. It tries several Windows paths.
> That's not good.
>
> The good news is that, if I recreate the vignette from your repo, the
> file is different, different hash, and it's clean.
>
> The bad news is that... this means that CRAN may be compromised. I
> urge CRAN maintainers to check all the PDF vignettes and scan the
> Windows machines for viruses.
>
> Best,
> Iñaki
>
>
> >
> > ---
> >
> > Other information is:
> >
> >  * Package in question:
> > https://cran.r-project.org/web/packages/poweRlaw/index.html
> >  * Package hasn't been updated for three years
> >  * Vignette in question:
> >
> https://cran.r-project.org/web/packages/poweRlaw/vignettes/d_jss_paper.pdf
> >
> > CRAN asked me to fix
> > https://cran.r-project.org/web/checks/check_results_poweRlaw.html a
> > couple of days ago - which I'm in the process of doing.
> >
> > Any ideas?
> >
> > Thanks
> > Colin
> >
> > ______________________________________________
> > R-package-devel using r-project.org mailing list
> > https://stat.ethz.ch/mailman/listinfo/r-package-devel
>
>
>
> --
> Iñaki Úcar
>
>
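As an added example (not code from this thread or from the poweRlaw package), a minimal triage a maintainer could run on a served vignette before opening it: hash the file against the SHA-256 from the VirusTotal link above, compare it with a locally rebuilt copy, and look for PDF action keys that a paper rendered from R Markdown has no reason to carry. The PDF byte strings are constructed samples.

```python
import hashlib
import re

# SHA-256 shown in the VirusTotal link in the thread for the CRAN-served d_jss_paper.pdf
SUSPECT_SHA256 = "9486d99c1c1f2d1b06f0b6c5d27c54d4f6e39d69a91d7fad845f323b0ab88de9"

# PDF name objects that give a document active behaviour (actions, scripts,
# launching external programs, embedded files). None belong in a plain paper.
ACTIVE_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def active_content(pdf: bytes) -> list:
    """Return the active-content keys found in the raw bytes, in ACTIVE_KEYS order.

    Caveat: this scans uncompressed text only; keys hidden inside compressed
    object streams are not seen, so an empty result is not a clean bill.
    """
    found = []
    for key in ACTIVE_KEYS:
        # A PDF name ends at a delimiter, so require no letter after it
        # (avoids /JS matching the start of a longer, unrelated name).
        if re.search(re.escape(key) + rb"(?![A-Za-z])", pdf):
            found.append(key.decode())
    return found


def triage(served: bytes, rebuilt: bytes, known_bad: str = SUSPECT_SHA256) -> dict:
    """Compare the served vignette with a local rebuild and flag concerns.

    Note: PDF builds embed timestamps, so a hash mismatch with the rebuild
    is expected and only meaningful together with the other two signals.
    """
    served_hash = sha256_hex(served)
    return {
        "served_sha256": served_hash,
        "matches_known_bad": served_hash == known_bad,
        "matches_rebuild": served_hash == sha256_hex(rebuilt),
        "active_content": active_content(served),
    }


# Constructed samples: a bare catalog, and one whose catalog opens a Launch action.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
SUSPECT_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
               b"3 0 obj << /S /Launch /F (constructed-sample) >> endobj\n%%EOF\n")

if __name__ == "__main__":
    print(triage(SUSPECT_PDF, CLEAN_PDF))
```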
