Trojan in Chromium sources ?

[yakup aksu]

Hello,

Kaspersky detected the below as Malware and it looks serious.

Just FYI :

--

Kind regards,

Yakup AKSU

[Torne (Richard Coles)]

This is test data and while I don't know anything about this file specifically, it's quite possible this contains a PDF exploit used for some regression test (if so it would not have a dangerous payload). But, since this is a heuristic result it may also just be a false positive.

--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev

[Anand]

Yup, it's a regression test for a security bug:

https://cs.chromium.org/chromium/src/chrome/browser/ui/browser_browsertest.cc?q=alert_dialog.pdf&sq=package:chromium&l=640&dr=C

[yakup aksu]

Thanks Guys !

[Matt Giuca]

This isn't clear in the source code at all.

The filename should probably be something like "alert_dialog_malware.pdf" so it communicates that it deliberately contains malware, and the test should definitely have some kind of comment that it's regression-testing a security vulnerability. (Perhaps it was deliberately obscure at the time so that it wouldn't draw attention to the exploit, but now that the bug has public visibility, it would be good to update it for clarity.)

[Antoine Labour]

On Sun, Jun 26, 2016 at 6:38 PM, Matt Giuca <mgi...@chromium.org> wrote:

This isn't clear in the source code at all.

The filename should probably be something like "alert_dialog_malware.pdf" so it communicates that it deliberately contains malware, and the test should definitely have some kind of comment that it's regression-testing a security vulnerability. (Perhaps it was deliberately obscure at the time so that it wouldn't draw attention to the exploit, but now that the bug has public visibility, it would be good to update it for clarity.)

Does it /actually/ contain malware? If so, can we change that? Regression occur and it seems pretty bad form that running a regression test might install malware on the developer's machine, mmh?

Antoine

 

---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.

[Torne (Richard Coles)]

The bug description makes this sound like a dialog source spoofing issue - the pdf can display a dialog in a context where it shouldn't be able to and potentially trick a user into entering authentication details in the wrong place. So this isn't something that could actually exploit a machine and cause something bad to happen if there was a bug, it's not about code execution or similar

Even for actual code execution exploits tests/proofs-of-concept typically do something like "Launch calc.exe" and not install anything.

[Charlie Reis]

[+wjmaclean]

There's no malware in the PDF, to my knowledge.  James generated it from a script to display an alert dialog using script within the PDF (see https://codereview.chromium.org/1156663004/ for the discussion, and https://codereview.chromium.org/1150843002/ for where it landed).  In that sense, I think the file name is accurate.

James may be able to comment more on how the file was generated, to better understand why it might have been noticed by Kaspersky.

Charlie