See https://marc.info/?l=oss-security&m=171335763115933&w=4

The (made up for illustrative purposes) malicious `.pc` file therein has a number of tells, none of which are common in a quick sample of 1,180 files I checked by hand:

- no single-letter variable definitions
- no alphanumeric/base64 string longer than 28 letters
- no `grep`, no `sed`, no `echo`, no `base64`
- no single-quoted strings
- no variable names w/o curly braces (no `$foo`)
- one single instance of `$( )`
- three instances that matched `"[^"]*[^- "/{}:.A-Za-z0-9]+[^"]*"`, easily assessed by eye.

Can we come up with some more, do they have similarly low false-positive rates, do they get any actual interesting hits on all `.pc` files distributed by the distros being analyzed? (We'd likely have to look at / extract `.pc` files from binary packages.) Is it worth formalizing this into something repeatable? Or is it going too deep down a single rabbit hole?
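One way the seven tells above could be made repeatable, as an added example that is not part of the issue, the oss-security post, or any project's code: each tell becomes a regex, and the scanner reports every match so a reviewer can still assess hits by eye rather than trusting a verdict. The two `.pc` inputs are constructed for this example (the "suspicious" one is not the file from the oss-security thread). One assumption worth flagging: the long-run check leaves `/` out of the base64 alphabet so that installation paths like `${prefix}/lib/somewhere` do not trip it; a real base64 blob still contains long `/`-free segments.

```python
"""Heuristic scanner for suspicious pkg-config (.pc) files.

Encodes the seven tells from the issue as regexes and reports every hit.
Sample .pc contents below are constructed for this example.
"""
import re
import sys

# heuristic name -> regex. A clean .pc file should yield no hit for any of them.
HEURISTICS = {
    # "x=..." variable definitions with a single-letter name
    "single_letter_var": re.compile(r"^[ \t]*[A-Za-z][ \t]*=", re.M),
    # alphanumeric/base64-looking runs longer than 28 chars. '/' is deliberately
    # left out of the class (assumption) so long install paths do not match.
    "long_alnum_run": re.compile(r"[A-Za-z0-9+=]{29,}"),
    # shell text-processing / decoding tools that have no place in a .pc file
    "shell_tool": re.compile(r"\b(?:grep|sed|echo|base64)\b"),
    "single_quoted": re.compile(r"'[^']*'"),
    # $foo without braces: pkg-config only expands ${foo}, so this is shell-ish
    "bare_variable": re.compile(r"\$(?![{(])[A-Za-z_][A-Za-z0-9_]*"),
    "command_subst": re.compile(r"\$\("),
    # double-quoted string containing a character outside the benign set
    "odd_double_quoted": re.compile(r'"[^"]*[^- "/{}:.A-Za-z0-9]+[^"]*"'),
}


def scan_text(text):
    """Return {heuristic: [matched strings]} for every heuristic that fired."""
    findings = {}
    for name, rx in HEURISTICS.items():
        hits = [m.group(0) for m in rx.finditer(text)]
        if hits:
            findings[name] = hits
    return findings


def finding_count(text):
    """Total number of matches across all heuristics (0 means nothing to look at)."""
    return sum(len(hits) for hits in scan_text(text).values())


def scan_file(path):
    """Scan one .pc file from disk; bytes that are not UTF-8 are replaced, not fatal."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed benign .pc: the usual prefix/libdir variables and keyword lines.
BENIGN_PC = """\
prefix=/usr
exec_prefix=${prefix}
libdir=${exec_prefix}/lib/x86_64-linux-gnu
includedir=${prefix}/include

Name: example
Description: Constructed benign example library
Version: 1.2.3
Libs: -L${libdir} -lexample
Cflags: -I${includedir}
"""

# Constructed suspicious .pc exhibiting every tell at once (not the oss-security sample).
SUSPICIOUS_PC = """\
prefix=/usr
x=$(echo QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo= | base64 -d)
libdir=$prefix/lib

Name: sketchy
Description: Constructed suspicious example
Version: 0.1
Libs: -L${libdir} -lsketchy "$(sed -n '1p' ${x})"
Cflags: -I${prefix}/include
"""

if __name__ == "__main__":
    # With paths on the command line, scan those; otherwise run the built-in samples.
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            for name, hits in scan_file(path).items():
                print(f"{path}: {name}: {hits}")
    else:
        for label, text in (("benign", BENIGN_PC), ("suspicious", SUSPICIOUS_PC)):
            print(f"{label}: {finding_count(text)} finding(s) {scan_text(text)}")
```

Running it over a distro's extracted `.pc` files (`python3 pcscan.py /path/to/pkgconfig/*.pc`) prints only the matched fragments, which is the form that makes the false-positive question above answerable: a heuristic that fires on benign files shows exactly which benign construct it is catching.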