Re: [openjdk-unofficial-builds] Virus detected in OpenJDK 6 installer (#20)


Alex Kasko

Oct 13, 2014, 2:27:01 PM
to alexkasko/openjdk-unofficial-builds, openjdk-unofficial-builds
Hi,

On 10/12/2014 02:47 PM, Petrouchka wrote:
> Hello,
>
> AVG detects a virus in install.jar (in https://bitbucket.org/alexkasko/openjdk-unofficial-builds/downloads/openjdk-1.6.0-unofficial-b31-windows-i586-installer.zip and in https://bitbucket.org/alexkasko/openjdk-unofficial-builds/downloads/openjdk-1.6.0-unofficial-b31-windows-amd64-installer.zip):
> https://www.virustotal.com/fr/file/208234ef7133c76184f0232099a227415c79d233c99b5962c5bfaaca469a9931/analysis/1413112865/
> https://www.virustotal.com/fr/file/958b0f993d956ba222d9400ec074aa06a071cb8b221705bfb6844f9005ea467b/analysis/1413120803/
>
> How is OpenJDK compiled? Are you using a fresh install of Windows+compiler from the original DVD, without installing anything else downloaded from the internet (for example, using a snapshot in VirtualBox or something similar)?

Prepared virtual machine images (similar to snapshots) are used for each
build, more info [1][2]

> Viruses can come from mail, downloading something from the internet or just connecting a USB key, and they can be very, very furtive.

All binaries are checked with antivirus before publishing. I do not find
a 1/54 detection ratio convincing. install.jar is an izPack packed
installer; if you find infected files in the installed directory, please
let me know.

>
> ---
> Reply to this email directly or view it on GitHub:
> https://github.com/alexkasko/openjdk-unofficial-builds/issues/20
>

[1]
https://github.com/alexkasko/openjdk-unofficial-builds#build-process-manual-builds
[2]
https://github.com/alexkasko/openjdk-unofficial-builds#build-process-auto-builds

--
-Alex

Alex Kasko

Nov 13, 2014, 2:28:55 PM
to alexkasko/openjdk-unofficial-builds, openjdk-unofficial-builds
Hi,

On 11/13/2014 03:40 PM, Petrouchka wrote:
> I found the file in which AVG is finding a virus. It's /install/packs/pack-OpenJDK Development Kit installation files
> There's something strange, I can't unpack it:
> $ unpack200 pack-OpenJDK\ Development\ Kit\ installation\ files.pack a.jar
> Corrupted pack file: magic/ver = ACED0005/4.119 should be CAFED00D/150.7 OR CAFED00D/160.1

This looks like an izPack installation pack. I doubt that izPack uses
pack200 for compression (probably deflate or LZMA), and also compression
should be disabled in these installers, as they are zipped manually
after the build. So this is the izPack internal format for installation
packs created by the izPack compiler.

>
> Are you sure this file is safe ?

No, of course, I am not - "NO WARRANTY EVEN FOR FITNESS" and all this
GPL stuff :)

Seriously speaking, if all the files inside izPack's pack are safe then
it is highly unlikely that izPack will add something malicious to them.
OpenJDK binaries that are built during the build process are the same
for -installer and -image bundles, so they are most probably safe. But
there are also some auxiliary binaries included with the installer, taken
from some obscure old Windows SDKs -
https://github.com/alexkasko/openjdk-unofficial-builds/tree/master/installer/windows-i586/uninstall/tools
Maybe AVG does not like some of them.

>
> ---
> Reply to this email directly or view it on GitHub:
> https://github.com/alexkasko/openjdk-unofficial-builds/issues/20#issuecomment-62910085
>


--
-Alex
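
Added example (not part of the thread and not code from the openjdk-unofficial-builds project): the magic `ACED0005` in the unpack200 error above is the header of a Java object serialization stream (STREAM_MAGIC 0xACED, STREAM_VERSION 5), whereas pack200 archives start with `CAFED00D`. The sketch below lists every entry of a jar with its format, guessed from the leading bytes, and its SHA-256, so a single flagged entry can be isolated; the sample jar and its entry names are constructed placeholders.

```python
import hashlib
import io
import zipfile

# Leading magic bytes of formats that can appear inside an installer jar.
MAGICS = [
    (bytes.fromhex("CAFED00D"), "pack200 archive"),
    (bytes.fromhex("ACED0005"), "Java serialization stream"),
    (bytes.fromhex("CAFEBABE"), "Java class file"),
    (b"PK\x03\x04", "zip/jar archive"),
    (b"MZ", "Windows PE executable"),
    (b"\x1f\x8b", "gzip stream"),
]

def classify(data):
    """Name the format whose magic the data starts with, else 'unknown'."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"

def inventory(jar_bytes):
    """Return (entry name, format, sha256 hex) for each file entry in a jar."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            data = jar.read(info)
            digest = hashlib.sha256(data).hexdigest()
            rows.append((info.filename, classify(data), digest))
    return rows

def build_sample_jar():
    """Constructed stand-in for install.jar; all contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("packs/pack-Sample", bytes.fromhex("ACED0005") + b"placeholder")
        jar.writestr("tools/sample.exe", b"MZ" + b"\x00" * 16)
        jar.writestr("lib/sample.pack", bytes.fromhex("CAFED00D") + b"\x00")
        jar.writestr("README.txt", b"constructed sample\n")
    return buf.getvalue()

if __name__ == "__main__":
    for name, kind, digest in inventory(build_sample_jar()):
        print(f"{digest}  {kind:26}  {name}")
```

Running `inventory()` on the bytes of a real install.jar gives one hash per entry, which can be compared against the hashes of the same files in the -image bundle or looked up individually on a multi-engine scanner.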