OVE-20221017-0001: PolyMC appears to be compromised #196460
Comments
ccing maintainers @cleverca22 @starcraft66 |
Some additional information from the (now former) maintainers who were removed by Lenny Lennington. These messages are from the Discord server they made (titled PlaceholderMC), as they work to fork the project (see the PlaceholderMC org and PlaceholderMC repository). From #announcements: (Message link)
Also CCing some of the former PolyMC maintainers, who are in the PlaceholderMC discord: |
Can confirm |
Should we yank the package? Is there a patch we can apply to disable the online updating features to make it safe? |
The meta server seems to be configurable, and information is circulating about how to use the MultiMC metaserver instead: https://gist.github.com/Earthcomputer/dc65391f84a2c19ebac6c33506fd7751 -- but this by itself is probably not a workable solution for nixpkgs, given the history here. Not using a meta server at all doesn't appear to be an option (edit: it is, see @Infinidoge's notes below -- but I think this disables creation/editing of instances? if this is the case, maybe not good for a patch to the package), but the current full contents of the PolyMC meta server are available at https://github.com/PolyMC/meta-polymc -- anyone forking could use this + the update scripts at https://github.com/PolyMC/meta to populate a trusted meta server, it looks like. |
To effectively disable using the metadata server, you can fill the server setting box with garbage/a dead URL. (Settings -> APIs, Metadata Server) |
Instead of yanking, there's a |
We can make a PR after finishing up work in a few hours, I'd appreciate if someone else gets it sooner. |
Not using a metadata server will effectively make the launcher useless unless you already have instances created and don't intend to modify them. Since there doesn't seem to be any alternative meta-server other than the MultiMC one at the moment (afaik MultiMC is not okay with other launchers and forks using their official meta, correct me if I am wrong), I will put up a PR marking the package vulnerable for the time being. |
It looks like an-empty-string@9d27de8 was committed while I was typing this message, thanks. |
The other maintainers seem to have given up on regaining control and have created a new project: https://github.com/PlaceholderMC/PlaceholderMC |
This would make the launcher at least mostly unusable (though it might be cached for existing users). The game and mod loaders are downloaded via the meta repository. |
As for a possible patch, the binary could be renamed and replaced with a shell script that sed's the URL out of the configs. |
Regarding PlaceholderMC: We can re-brand the package once |
Probably best to keep this open as a tracking issue until we have a replacement? |
see #196460, https://xeiaso.net/blog/OVE-20221017-0001 (cherry picked from commit 9d27de8)
The PlaceholderMC developers have created a new Metadata Server which is not compromised: |
Can confirm! |
@oxalica nothing ever was compromised, just saying Edit: Yall should stop fucking lying to yourselves. Someone having different political views doesn't mean you can post false information online about them or their projects. |
There is a developing situation involving polymc; the package is potentially compromised.
PolyMC relies on meta files retrieved from meta.polymc.org to determine what jars (the Java executable file format) to download when launching mod packs. Due to this online feature, it is not safe to continue using old versions of PolyMC if the maintainer has been compromised, as these meta files could be updated to download a malicious jar. Here is an example of one of the meta files: org.quiltmc.quilt-loader/0.17.5-beta.9.json. This file does not appear to be malicious; it is just here to demonstrate how the meta system works and why this is a problem.
Situation started with this commit PolyMC/PolyMC@ccf2825 and the owner dropping all other maintainers from the repo.
I do not know for sure whether this is an account hack or "just" drama / the owner going rogue, figured it's best to open this to track the situation. In either case a maintainer suddenly removing access from all other maintainers is a bad sign.
See also:
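The issue body above explains that the launcher trusts whatever download URLs the meta server hands it. As an added example (not PolyMC project code), the script below audits a component meta file of that kind against an allow list of artifact hosts and flags plain-HTTP sources or artifacts shipped without a SHA-1; the JSON shape is an assumption modelled on the MultiMC-style meta format, and the sample file is constructed, not the real quilt-loader file.

```python
"""Audit a MultiMC/PolyMC-style meta component file for untrusted download sources.
Added example, not PolyMC's own code. The JSON layout (libraries with either a
maven base "url" or a "downloads.artifact" entry) is an assumption about the format."""
import json
from urllib.parse import urlparse

# Assumption: hosts a defender accepts as artifact sources; adjust to local policy.
TRUSTED_HOSTS = {"maven.quiltmc.org", "maven.fabricmc.net", "libraries.minecraft.net"}


def library_sources(lib):
    """Yield (url, sha1, hash_expected) for each place a library may be fetched from.
    Maven-style base URLs carry no hash in this format, so hash_expected is False."""
    if "url" in lib:
        yield lib["url"], None, False
    artifact = lib.get("downloads", {}).get("artifact")
    if artifact:
        yield artifact.get("url", ""), artifact.get("sha1"), True


def audit_meta(meta_text, trusted_hosts=TRUSTED_HOSTS):
    """Return (library name, finding, url) tuples for every source a trusted-meta
    policy would reject: host outside the allow list, non-HTTPS URL, or missing SHA-1."""
    meta = json.loads(meta_text)
    findings = []
    for lib in meta.get("libraries", []):
        name = lib.get("name", "<unnamed>")
        for url, sha1, hash_expected in library_sources(lib):
            parsed = urlparse(url)
            if parsed.scheme != "https":
                findings.append((name, "non-https", url))
            if parsed.hostname not in trusted_hosts:
                findings.append((name, "untrusted-host", url))
            if hash_expected and not sha1:
                findings.append((name, "no-sha1", url))
    return findings


# Constructed sample: one library from the Quilt maven, one from an unknown host.
SAMPLE_META = json.dumps({
    "formatVersion": 1, "uid": "org.quiltmc.quilt-loader", "version": "0.17.5-beta.9",
    "libraries": [
        {"name": "org.quiltmc:quilt-loader:0.17.5-beta.9",
         "url": "https://maven.quiltmc.org/repository/release/"},
        {"name": "net.example:helper:1.0",
         "downloads": {"artifact": {"url": "http://cdn.example.test/helper-1.0.jar",
                                    "size": 1234}}},
    ],
})

if __name__ == "__main__":
    for finding in audit_meta(SAMPLE_META):
        print(finding)
```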