# [SOLVED] possible compromised distfile

## xanderal

Hi,

as far as I understand the source code lives in DISTDIR (as set in make.conf), right?

So it shouldn't be a problem to delete a file in there of something I already installed?

Problem is that clamav flags one of them as problematic but a lot of packages depend on the (possibly compromised) package...

Last edited by xanderal on Fri Jul 19, 2019 8:01 am; edited 1 time in total

----------

## eccerr0r

DISTDIR is a download directory where portage stores files and extracts them on build.  Files there are checked by the checksums stored in the portage tree.  The portage tree is now signed.  So you do have implicit protection from corruption in DISTDIR.  You can safely remove files from there - portage will automatically redownload files stored there as needed.  A tool called "eclean" in app-portage/gentoolkit can be used to clean up old files.

Clamav is a special case.  A default set of signature files can be downloaded/used from the distribution, but freshclam can download new signature files outside of portage, and now portage does not know if the files were corrupted or not post installation - it assumes so because they no longer match what they were initially installed with.

However freshclam should not be downloading to DISTDIR...what is the exact error and what program is reporting the corruption?
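The check eccerr0r describes (a distfile is only trusted if its size and hashes match the DIST entry in the ebuild's Manifest) can be run by hand before deciding whether to delete anything. The script below is an added example, not code from the thread or from portage itself: it builds a Manifest line from a constructed sample file so it runs offline, then verifies a good copy, a tampered copy and a file with no Manifest entry. It assumes a POSIX sh with GNU coreutils (`sha512sum`, `mktemp`); a real Manifest would be read from the package directory in the portage tree (e.g. under /var/db/repos/gentoo/<category>/<package>/Manifest) and the real file from DISTDIR, and it also carries a BLAKE2B hash, which this example omits.

```shell
#!/bin/sh
# Added example (not from the thread): verify a file in DISTDIR against the
# DIST line for it in an ebuild Manifest, the way portage does before unpacking.
# Assumes a POSIX sh and GNU coreutils. The Manifest and the sample file are
# constructed here so the script runs offline.

# Print the DIST line the tree would carry for FILE: name, size, SHA512.
# (Real Manifests also carry BLAKE2B; omitted to stay with universal tools.)
manifest_dist_line() {
    file=$1
    size=$(wc -c < "$file" | tr -d ' ')
    sha=$(sha512sum "$file" | cut -d' ' -f1)
    printf 'DIST %s %s SHA512 %s\n' "$(basename "$file")" "$size" "$sha"
}

# verify_distfile MANIFEST DISTDIR NAME
# Exit status: 0 = size and SHA512 match, 1 = mismatch, 2 = no DIST entry.
verify_distfile() {
    manifest=$1; distdir=$2; name=$3
    line=$(grep "^DIST $name " "$manifest" | head -n1)
    [ -n "$line" ] || return 2
    want_size=$(printf '%s\n' "$line" | awk '{print $3}')
    # Walk the key/value pairs after the size so BLAKE2B-bearing lines also work.
    want_sha=$(printf '%s\n' "$line" | awk '{for (i=4; i<NF; i++) if ($i=="SHA512") print $(i+1)}')
    have_size=$(wc -c < "$distdir/$name" | tr -d ' ')
    have_sha=$(sha512sum "$distdir/$name" | cut -d' ' -f1)
    if [ "$want_size" = "$have_size" ] && [ "$want_sha" = "$have_sha" ]; then
        return 0
    fi
    return 1
}

# Demo on constructed data: good copy verifies, tampered copy fails,
# a name absent from the Manifest is reported as unknown.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/distfiles"
    printf 'constructed sample tarball contents\n' > "$tmp/distfiles/sample-1.0.tar.xz"
    manifest_dist_line "$tmp/distfiles/sample-1.0.tar.xz" > "$tmp/Manifest"

    if verify_distfile "$tmp/Manifest" "$tmp/distfiles" sample-1.0.tar.xz; then good=0; else good=$?; fi
    printf 'x' >> "$tmp/distfiles/sample-1.0.tar.xz"          # simulate tampering
    if verify_distfile "$tmp/Manifest" "$tmp/distfiles" sample-1.0.tar.xz; then bad=0; else bad=$?; fi
    if verify_distfile "$tmp/Manifest" "$tmp/distfiles" unknown-2.0.tar.xz; then unk=0; else unk=$?; fi
    rm -rf "$tmp"

    echo "good=$good tampered=$bad unknown=$unk"   # expect good=0 tampered=1 unknown=2
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ] && [ "$unk" -eq 2 ]
}

demo
```

On a live system the simplest equivalent is to delete the suspect file and let `emerge --fetchonly` (`-f`) fetch it again; portage refuses to use a download whose Manifest entry does not match. For files that are already installed rather than sitting in DISTDIR (the freshclam signature case in the same reply), `qcheck` from app-portage/portage-utils compares installed files against the checksums recorded at merge time, which is exactly why updated signature files show up as "changed".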

----------

## xanderal

 *eccerr0r wrote:*   

> DISTDIR is a download directory where portage stores files and extracts them on build.  Files there are checked by the checksums stored in the portage tree.  The portage tree is now signed.  So you do have implicit protection from corruption in DISTDIR.  You can safely remove files from there - portage will automatically redownload files stored there as needed.  A tool called "eclean" in app-portage/gentoolkit can be used to clean up old files.

 

That was what I was hoping for - thanks for the explanation.

 *eccerr0r wrote:*   

> Clamav is a special case.  A default set of signature files can be downloaded/used from the distribution, but freshclam can download new signature files outside of portage, and now portage does not know if the files were corrupted or not post installation - it assumes so because they no longer match what they were initially installed with.
> 
> However freshclam should not be downloading to DISTDIR...what is the exact error and what program is reporting the corruption?

 

As far as I can tell freshclam didn't download to DISTDIR. I just scanned / recursively and clamav complained about gdk-pixbuf and emerge -pv --depclean gdk-pixbuf shows that it is being pulled in by about 20 packages. That's why I wanted to start by removing the distfile and not by unmerging gdk-pixbuf.

----------

## Jaglover

Probably false positive. I doubt your distfile(s) are actually compromised.

----------

## xanderal

 *Jaglover wrote:*   

> Probably false positive. I doubt your distfile(s) are actually compromised.

 

You might be right. What I can say is that I reinstalled gentoo a couple of days ago (for unrelated reasons) and clamav flagged that file on the earlier gentoo install, too.

So, if you're right, clamav has had this false positive for at least a couple of weeks (yes, I didn't react all that fast...)

----------

## Ant P.

ClamAV is detecting a GIF testcase for a fix for the exploit it was supposed to be protecting from.

This antivirus software is worse than useless… if it were taken as truth, you would now be running software vulnerable to that malware. And would most likely be completely unprotected: who scans every image they encounter on the internet before viewing it?

----------

## eccerr0r

 *Ant P. wrote:*   

> who scans every image they encounter on the internet before viewing it?

 

And that's why McAfee is so slow...

----------

## xanderal

 *eccerr0r wrote:*   

> You can safely remove files from there - portage will automatically redownload files stored there as needed

 

Thanks. I deleted the file and everything is good now  :Wink: 

----------

