
#1 2022-12-20 22:10:49

karcher
Member
Registered: 2018-01-09
Posts: 140

[SOLVED] Is openssl-1.0 package ok (not malware)?

Hi all

I've just updated my system with pacman and yay. There were 2 updates with yay, one of them was the openssl-1.0 (https://aur.archlinux.org/packages/openssl-1.0) package. During the installation it asked me to import 2 PGP keys, which I did after I checked them with Google. I've also checked the PKGBUILD and I didn't find anything weird, but after the installation was completed I'm not sure if it was a good idea after all for the following reasons:

1. I don't remember installing such a package
2. There is pacman package openssl
3. Popularity:     0.000000
4. First Submitted:     2022-12-20 20:54 (UTC) & Last Updated:     2022-12-20 20:54 (UTC)
5. orphan

Can someone please tell me what is going on with this package and if it's ok from a security perspective? In case it is indeed some kind of malware, what should I do?

Last edited by karcher (2022-12-21 20:39:48)


#2 2022-12-20 22:21:46

skunktrader
Member
From: Brisbane, Australia
Registered: 2010-02-14
Posts: 1,543

Re: [SOLVED] Is openssl-1.0 package ok (not malware)?

If you check the AUR page you will see that there are 472 different packages that require it. You probably have one or more of these on your system.


#3 2022-12-20 22:22:22

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,772

Re: [SOLVED] Is openssl-1.0 package ok (not malware)?

What does pacman -Qi openssl-1.0 say about that package? How old is your system? It may be that that package used to be a dependency you installed and it no longer is.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#4 2022-12-20 22:38:53

karcher
Member
Registered: 2018-01-09
Posts: 140

Re: [SOLVED] Is openssl-1.0 package ok (not malware)?

Thanks both for the quick responses!

@ewaller: "What does pacman -Qi openssl-1.0 say about that package? "
I'll check tomorrow. I powered down the system till I get some insights.

"How old is your system?"
Some weeks old and openssl 1.0 is from 2010? (https://en.wikipedia.org/wiki/OpenSSL).

Is it normal that a package is First Submitted and Last Updated at the same time and above that orphan?

Last edited by karcher (2022-12-20 22:40:39)


#5 2022-12-20 23:06:38

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 21,657

Re: [SOLVED] Is openssl-1.0 package ok (not malware)?

It got recently dropped from the repos and moved to the AUR. The "current" packager is Foxboron, who is a Trusted User, and the PKGBUILD will basically be a one-to-one import from the repos.


#6 2022-12-21 10:56:06

karcher
Member
Registered: 2018-01-09
Posts: 140

Re: [SOLVED] Is openssl-1.0 package ok (not malware)?

@V1del: Thanks! I'm a bit relieved to hear that.

@ewaller: This is the output of "pacman -Qi openssl-1.0":

Name            : openssl-1.0
Version         : 1.0.2.u-3
Description     : The Open Source toolkit for Secure Sockets Layer and Transport Layer Security
Architecture    : x86_64
URL             : https://www.openssl.org
Licenses        : custom:BSD
Groups          : None
Provides        : None
Depends On      : perl
Optional Deps   : ca-certificates [installed]
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 5.85 MiB
Packager        : Unknown Packager
Build Date      : Di 20 Dez 2022 22:40:42
Install Date    : Di 20 Dez 2022 22:42:43
Install Reason  : Installed as a dependency for another package
Install Script  : No
Validated By    : None

"Install Reason  : Installed as a dependency for another package".

Is there a way to find out which package this is?

The output of "pacman -Qii openssl-1.0" is almost identical to the output of "pacman -Qi openssl-1.0":

sudo pacman -Qii openssl-1.0
Name            : openssl-1.0
Version         : 1.0.2.u-3
Description     : The Open Source toolkit for Secure Sockets Layer and Transport Layer Security
Architecture    : x86_64
URL             : https://www.openssl.org
Licenses        : custom:BSD
Groups          : None
Provides        : None
Depends On      : perl
Optional Deps   : ca-certificates [installed]
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 5.85 MiB
Packager        : Unknown Packager
Build Date      : Di 20 Dez 2022 22:40:42
Install Date    : Di 20 Dez 2022 22:42:43
Install Reason  : Installed as a dependency for another package
Install Script  : No
Validated By    : None
Backup Files    :
(none)

I did "locate openssl-1.0" and found files like these:
"/home/user/.pyenv/versions/anaconda3-2022.05/pkgs/conda-4.12.0-py39h06a4308_0/info/test/tests/data/env_metadata/envpy27osx/conda-meta/openssl-1.0.2p-h1de35cc_0.json"

Can it be that pyenv or anaconda installed openssl-1.0?

Last edited by karcher (2022-12-21 11:48:58)


#7 2022-12-21 15:33:20

twelveeighty
Member
From: Alberta, Canada
Registered: 2011-09-04
Posts: 1,096

Re: [SOLVED] Is openssl-1.0 package ok (not malware)?

karcher wrote:

and yay.

This, in a nutshell, is why using an AUR helper such as yay is recommended against. You are so concerned about this you actually powered off your system, but at the same time you use a helper tool that will automatically install untrusted, unsigned and unsupported packages from the AUR. If you used the recommended method for keeping AUR packages up to date, you would have been fully aware of what is going on. Granted, a package you had installed and then dropped from the official repo to AUR would just have been used as-is and no longer updated automatically. But there are easy ways to detect packages like that, it does happen from time to time.


#8 2022-12-21 17:17:44

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,911

Re: [SOLVED] Is openssl-1.0 package ok (not malware)?

Required By     : None
Optional For    : None
...
Install Reason  : Installed as a dependency for another package

Whatever package required openssl-1.0 as a dependency is no longer present on your system.

I suggest you read https://wiki.archlinux.org/title/System_maintenance thoroughly and spend some time cleaning up your system.

DO NOT RUN YAY AGAIN until you have finished maintenance.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)


#9 2022-12-21 18:28:17

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,772

Re: [SOLVED] Is openssl-1.0 package ok (not malware)?

Lone_Wolf wrote:

Whatever package required openssl-1.0 as dependency is no longer present on your system .

... or it is, but a recent update changed dependencies and it now depends on something besides openssl-1.0.

In line with Lone_Wolf's link, take a look at the output of pacman -Qdt for things orphaned on your system.  If all the files look rational, clean things up with
sudo pacman -Rs $(pacman -Qdtq)

I'll leave it as an exercise for the reader to look up what all those switches do.


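As an added example (not code from this thread or from pacman itself), a small POSIX shell audit that reads "pacman -Qi" style output and flags the two things the replies above point at: packages installed as a dependency that nothing requires any more (what "pacman -Qdt" lists) and packages with "Validated By: None" together with "Unknown Packager", the mark of a locally built AUR package rather than a signed repo package. The sample input is constructed; only the openssl-1.0 fields come from the thread, the other two packages are made up.

```shell
#!/bin/sh
# audit_pkginfo: read pacman -Qi output (one or more packages, separated by
# blank lines) on stdin and print "<pkg> <finding>" for each of:
#   orphaned-dependency  -> Install Reason is "dependency" but Required By is None
#   unsigned-local-build -> Validated By is None (built locally, e.g. from the AUR)
# Usage on a real system:  pacman -Qi | audit_pkginfo
audit_pkginfo() {
    awk '
        function flush() {
            if (name != "") {
                if (reason ~ /dependency/ && reqby == "None")
                    print name, "orphaned-dependency"
                if (validated == "None")
                    print name, "unsigned-local-build"
            }
            name = ""; reason = ""; reqby = ""; validated = ""
        }
        /^Name *:/           { flush(); name = $3 }
        /^Required By *:/    { sub(/^Required By *: */, "");    reqby = $0 }
        /^Install Reason *:/ { sub(/^Install Reason *: */, ""); reason = $0 }
        /^Validated By *:/   { sub(/^Validated By *: */, "");   validated = $0 }
        END { flush() }
    '
}

# Constructed sample input (abridged -Qi output); openssl-1.0 matches the
# thread, "perl" and "example-aur-tool" are invented for illustration.
sample_pkginfo() {
    cat <<'EOF'
Name            : openssl-1.0
Version         : 1.0.2.u-3
Required By     : None
Install Reason  : Installed as a dependency for another package
Validated By    : None

Name            : perl
Version         : 5.36.0-1
Required By     : openssl-1.0
Install Reason  : Explicitly installed
Validated By    : Signature

Name            : example-aur-tool
Version         : 1.0-1
Required By     : None
Install Reason  : Explicitly installed
Validated By    : None
EOF
}

sample_pkginfo | audit_pkginfo
```

A package flagged only as unsigned-local-build is not necessarily a problem (every AUR package built with makepkg looks like that), but it is the list worth reviewing by hand, PKGBUILD included, instead of leaving the decision to a helper.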


#10 2022-12-21 20:39:27

karcher
Member
Registered: 2018-01-09
Posts: 140

Re: [SOLVED] Is openssl-1.0 package ok (not malware)?

@twelveeighty:

If you used the recommended method for keeping AUR packages up to date

Do you mean like this:  3 Installing and upgrading packages ? It seems to me that "yay -Suy" is much simpler.

@Lone_Wolf:

Whatever package required openssl-1.0 as a dependency is no longer present on your system.

I finally removed it...

I suggest you read https://wiki.archlinux.org/title/System_maintenance thoroughly and spend some time cleaning up your system.
DO NOT RUN YAY AGAIN until you have finished maintenance.

I have now removed some other packages too, but you're right I have to do more about system maintenance...

@ewaller: OK. I have removed all orphaned packages.


Thank you all for your help!
