Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 877495 - games-action/polymc: upstream project hijacked
Summary: games-action/polymc: upstream project hijacked
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa]
Keywords: PMASKED
Depends on:
Blocks:
 
Reported: 2022-10-17 20:00 UTC by Enne Eziarc
Modified: 2022-11-06 13:35 UTC (History)
8 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Enne Eziarc 2022-10-17 20:00:50 UTC
A Freenode-esque hostile takeover of the project is presently unfolding[1][2]. Recommend p.masking (-9999 at least) and last-riting as it's only downhill from here.

games-action/multimc-bin is still in portage as a migration path.

[1]: https://floss.social/@modrinth/109185261746948078
[2]: https://github.com/PolyMC/PolyMC/commit/ccf282593dcdbe189c99b81b8bc90cb203aed3ee
Comment 1 Larry the Git Cow gentoo-dev 2022-10-17 20:10:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b211050943eeda2974b0f54538b6e9245825a7e

commit 4b211050943eeda2974b0f54538b6e9245825a7e
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2022-10-17 20:09:14 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2022-10-17 20:09:50 +0000

    games-action/polymc: drop 9999
    
    Bug: https://bugs.gentoo.org/877495
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 games-action/polymc/polymc-9999.ebuild | 147 ---------------------------------
 1 file changed, 147 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-17 20:10:32 UTC
Is there any way that the compromise can affect the non-live package in Gentoo?
Comment 3 Nowa Ammerlaan gentoo-dev 2022-10-17 20:13:55 UTC
I'm dropping 9999 until the situation resolves itself. I think we can keep the release version 1.4.2 because we check the hash of the download tarball so if there is any tampering there we will know.
Comment 4 Larry the Git Cow gentoo-dev 2022-10-17 20:16:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3fe899821fbdc51e18734a39c259a3709744792

commit c3fe899821fbdc51e18734a39c259a3709744792
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2022-10-17 20:15:45 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2022-10-17 20:15:45 +0000

    profiles: mask polymc-9999
    
    Bug: https://bugs.gentoo.org/877495
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 profiles/package.mask | 7 +++++++
 1 file changed, 7 insertions(+)
Comment 5 Nowa Ammerlaan gentoo-dev 2022-10-17 20:17:54 UTC
(In reply to John Helmert III from comment #2)
> Is there any way that the compromise can affect the non-live package in
> Gentoo?

I'm pretty sure we should be fine on the non-live packages. AFAIK the software does not interact with any servers they own. @flowlnlnln can you confirm this?
Comment 6 Thiago 2022-10-17 20:20:50 UTC
sorry im not home to take care of this. yes the launcher does interact with the meta server thats also hijacked. users should at least change it under the launcher api settings to prevent anything bad...
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-17 20:22:43 UTC
(In reply to Thiago from comment #6)
> sorry im not home to take care of this. yes the launcher does interact with
> the meta server thats also hijacked. users should at least change it under
> the launcher api settings to prevent anything bad...

Should we mask the whole package then?
Comment 8 Thiago 2022-10-17 20:23:47 UTC
probably, but still current users should change that too
Comment 9 Enne Eziarc 2022-10-17 20:24:30 UTC
(In reply to Thiago from comment #6)
> sorry im not home to take care of this. yes the launcher does interact with
> the meta server thats also hijacked. users should at least change it under
> the launcher api settings to prevent anything bad...

Oh, that's a bother. I thought its third-party integration was limited to pastebin log uploading.

Thanks all for the extremely quick response.
Comment 10 Larry the Git Cow gentoo-dev 2022-10-17 20:28:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d82e59ee8de932522b8282d3f144aaa3cb56a2cd

commit d82e59ee8de932522b8282d3f144aaa3cb56a2cd
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2022-10-17 20:27:34 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2022-10-17 20:27:34 +0000

    profiles: mask all versions of polymc
    
    Bug: https://bugs.gentoo.org/877495
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 profiles/package.mask | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
Comment 11 Michael Crawford (ali3nx) 2022-10-17 21:35:46 UTC
Summary additions to this issue to add viewed by referring to public comments regarding these events.

The current github project "owner" appears to be transphobic and the questionable "hostile" takeover appears to surround deletion of a code of conduct from the git project repo.   
  
https://github.com/PolyMC/PolyMC/commit/ccf282593dcdbe189c99b81b8bc90cb203aed3ee
https://www.reddit.com/r/PolyMCLauncher/comments/y6k4x7/switch_off_of_polymc_asap/  
  
Currently there doesn't appear to be a security concern. Just poor morality concerns that understandably triggered a LOT of more socially accepting humanoids.
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-10-17 21:45:50 UTC
(In reply to Michael Crawford (ali3nx) from comment #11)
> Summary additions to this issue to add viewed by referring to public
> comments regarding these events.

Worth noting that all other project members have been removed by the organisation, including the Gentoo maintainer.
Comment 13 Michael Crawford (ali3nx) 2022-10-17 22:03:13 UTC
(In reply to Sam James from comment #12)
> (In reply to Michael Crawford (ali3nx) from comment #11)
> > Summary additions to this issue to add viewed by referring to public
> > comments regarding these events.
> 
> Worth noting that all other project members have been removed by the
> organisation, including the Gentoo maintainer.

that is certainly a valid a concern. There's currently no vulnerable code commits but that may yet still occur.

I suspect Github could possibly become involved in restoring the project to responsible contributors if enough people made some noise about it surrounding the concerns within the context of the true root cause but until that happens if it does someone succeeded at ruining support for a useful software project.
Comment 14 Enne Eziarc 2022-10-17 22:06:47 UTC
(In reply to Michael Crawford (ali3nx) from comment #13)
> (In reply to Sam James from comment #12)
> > (In reply to Michael Crawford (ali3nx) from comment #11)
> > > Summary additions to this issue to add viewed by referring to public
> > > comments regarding these events.
> > 
> > Worth noting that all other project members have been removed by the
> > organisation, including the Gentoo maintainer.
> 
> that is certainly a valid a concern. There's currently no vulnerable code
> commits but that may yet still occur.
> 
> I suspect Github could possibly become involved in restoring the project to
> responsible contributors if enough people made some noise about it
> surrounding the concerns within the context of the true root cause but until
> that happens if it does someone succeeded at ruining support for a useful
> software project.

As hinted upthread (comment #6), this program is basically a vehicle for LD_PRELOAD-over-http, and the server that provides that arbitrary code is also compromised. That's pretty much game over as far as fixing it.
Comment 15 Joshua Goins 2022-10-18 01:00:47 UTC
(In reply to Michael Crawford (ali3nx) from comment #11)
> Summary additions to this issue to add viewed by referring to public
> comments regarding these events.
> 
> The current github project "owner" appears to be transphobic and the
> questionable "hostile" takeover appears to surround deletion of a code of
> conduct from the git project repo.   
>   
> Currently there doesn't appear to be a security concern. Just poor morality
> concerns that understandably triggered a LOT of more socially accepting
> humanoids.

I wanted to pop in some context from someone who was a very, very early contributor to the project, for example the About page was overhauled by me, along with submitting some bugfixes. I'm still sitting on patches for enabling system icons too :-p

This is nothing surprising at all unfortunately. I interacted with Lenny very little, but he definitely stood out as someone unprofessional right from the get-go. He's not even a major code contributor either, it's all held up by devs like Scrumplex, even from the very beginning. It's just unfortunate all of these Minecraft launchers seem to have this bad attitude around them. I know game modding in general is not a highly regarded community, but Minecraft seems to draw out the worst people it seems.
Comment 16 Thiago 2022-10-18 01:42:11 UTC
To clarify what is going on, and what will likely happen to this package:

Considering all that's happened until now, it seems very unlikely that we'll get back the PolyMC project as a whole. Instead, me, the previous maintainers that weren't involved in this incident, and a couple other trustworthy people, will probably be forking PolyMC for good.

For now, it's still very early to know what will happen for sure, but my plan is to remove the polymc package from the repos, since it's not trustworthy anymore, and *if* a more robust / trustworthy governance over the new project / fork can be achieved, such that this sort of problem won't happen again by any means, then it could perhaps be repackaged as the new fork. It would probably take some time for things to shape up and for the trust to be regained... Perhaps it could be placed in the GURU repo or something, I don't know.

Sorry to all the Gentoo people who had to deal with this situation... You are amazing. :)
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-10-18 15:53:31 UTC
Thiago, as soon as you have something ready to roll, please submit it to ::gentoo and we'll get it in. No need to go via guru. Thanks for your work!
Comment 18 Larry the Git Cow gentoo-dev 2022-10-20 04:25:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cacfa151958efec7c8e5f893e98809e15d6b0c28

commit cacfa151958efec7c8e5f893e98809e15d6b0c28
Author:     Thiago Donato Ferreira <flowlnlnln@gmail.com>
AuthorDate: 2022-10-19 22:03:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-20 04:22:23 +0000

    games-action/prismlauncher: add 5.0
    
    Bug: https://bugs.gentoo.org/877495
    Signed-off-by: Thiago Donato Ferreira <flowlnlnln@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/27860
    Signed-off-by: Sam James <sam@gentoo.org>

 games-action/prismlauncher/Manifest                |   1 +
 .../prismlauncher/prismlauncher-5.0.ebuild         | 147 +++++++++++++++++++++
 2 files changed, 148 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a56bea75ed3a0b6795a4c2446422ef38367e13a6

commit a56bea75ed3a0b6795a4c2446422ef38367e13a6
Author:     Thiago Donato Ferreira <flowlnlnln@gmail.com>
AuthorDate: 2022-10-19 00:13:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-20 04:22:22 +0000

    games-action/prismlauncher: new package, add 9999
    
    This is mostly an adaptation of the games-action/polymc ebuild,
    considering we're a 2-day old fork of it.
    
    Bug: https://bugs.gentoo.org/877495
    Signed-off-by: Thiago Donato Ferreira <flowlnlnln@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 games-action/prismlauncher/metadata.xml            |  26 ++++
 .../prismlauncher/prismlauncher-9999.ebuild        | 143 +++++++++++++++++++++
 2 files changed, 169 insertions(+)
Comment 19 Larry the Git Cow gentoo-dev 2022-10-20 04:26:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5dfb24525e2b5ef596fd03e1fd2bdf5e241f4ada

commit 5dfb24525e2b5ef596fd03e1fd2bdf5e241f4ada
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-20 04:26:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-20 04:26:31 +0000

    profiles: mention games-action/prismlauncher as polymc alternative
    
    Bug: https://bugs.gentoo.org/877495
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
Comment 20 Larry the Git Cow gentoo-dev 2022-10-20 07:33:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ea86dea4fb6a07406c7a76f48f2b96275bcda37

commit 3ea86dea4fb6a07406c7a76f48f2b96275bcda37
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2022-10-20 07:30:12 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2022-10-20 07:30:12 +0000

    package.mask: last-rites games-action/polymc
    
    Bug: https://bugs.gentoo.org/877495
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 profiles/package.mask | 3 +++
 1 file changed, 3 insertions(+)
Comment 21 Carson Rueter 2022-10-20 22:23:26 UTC
It seems a bit far-fetched to say that someone would push malicious code to a public, open source project, for everyone to see, knowing that it's highly illegal and could land them in jail for a few years. And I can confirm that Lenny has not been compromised, everything done was of his own volition, and will be making sure that no malicious code ever lands into PolyMC. I will also vet each release and make sure it's legit.
Comment 22 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-20 22:34:13 UTC
(In reply to Carson Rueter from comment #21)
> It seems a bit far-fetched to say that someone would push malicious code to
> a public, open source project, for everyone to see, knowing that it's highly
> illegal and could land them in jail for a few years. And I can confirm that
> Lenny has not been compromised, everything done was of his own volition, and
> will be making sure that no malicious code ever lands into PolyMC. I will
> also vet each release and make sure it's legit.

Regardless of your opinion of the guy, PolyMC isn't the same project as it was before. With developers going elsewhere, there's really no reason to keep it around.
Comment 23 Carson Rueter 2022-10-20 22:47:38 UTC
(In reply to John Helmert III from comment #22)
> (In reply to Carson Rueter from comment #21)
> > It seems a bit far-fetched to say that someone would push malicious code to
> > a public, open source project, for everyone to see, knowing that it's highly
> > illegal and could land them in jail for a few years. And I can confirm that
> > Lenny has not been compromised, everything done was of his own volition, and
> > will be making sure that no malicious code ever lands into PolyMC. I will
> > also vet each release and make sure it's legit.
> 
> Regardless of your opinion of the guy, PolyMC isn't the same project as it
> was before. With developers going elsewhere, there's really no reason to
> keep it around.

There are still, however, a variety of people who will continue to use PolyMC. The amount of people who will continue is significant enough, in my opinion, to warrant keeping this ebuild around.
Comment 24 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-10-20 22:53:51 UTC
(In reply to Carson Rueter from comment #23)
> There are still, however, a variety of people who will continue to use
> PolyMC. The amount of people who will continue is significant enough, in my
> opinion, to warrant keeping this ebuild around.

Someone will need to volunteer to maintain it in Gentoo then.
Comment 25 Enne Eziarc 2022-10-20 22:55:08 UTC
(In reply to Carson Rueter from comment #23)
> There are still, however, a variety of people who will continue to use
> PolyMC. The amount of people who will continue is significant enough, in my
> opinion, to warrant keeping this ebuild around.

I'll cut through the bullshit for the benefit of everyone else here: you're only here because you're incandescent over no longer having proxy-maintainer control over an ebuild in ::gentoo, and possibly because your troll buddy egged you on to throw a tantrum. You assume everyone here is a gullible idiot who'll buckle at the weakest rhetoric, and to be blunt, that's projection on your part.

Enjoy your ghost town of a github project and your unfunny 4chan memes, because you ain't ever getting this back.
Comment 26 Carson Rueter 2022-10-20 23:55:51 UTC
(In reply to Sam James from comment #24)
> (In reply to Carson Rueter from comment #23)
> > There are still, however, a variety of people who will continue to use
> > PolyMC. The amount of people who will continue is significant enough, in my
> > opinion, to warrant keeping this ebuild around.
> 
> Someone will need to volunteer to maintain it in Gentoo then.

I'm currently a proxy maintainer. Although if you mean someone with push access then yeah.
Comment 27 Carson Rueter 2022-10-21 00:22:23 UTC
(In reply to Enne Eziarc from comment #25)
> I'll cut through the bullshit for the benefit of everyone else here: you're
> only here because you're incandescent over no longer having proxy-maintainer
> control over an ebuild in ::gentoo, and possibly because your troll buddy
> egged you on to throw a tantrum. You assume everyone here is a gullible
> idiot who'll buckle at the weakest rhetoric, and to be blunt, that's
> projection on your part.
> 
> Enjoy your ghost town of a github project and your unfunny 4chan memes,
> because you ain't ever getting this back.

Does that have any relevance to the fact that PolyMC has a user base that would find an ebuild useful?
Comment 28 Nowa Ammerlaan gentoo-dev 2022-10-21 08:10:03 UTC
> There are still, however, a variety of people who will continue to use
> PolyMC. The amount of people who will continue is significant enough, in my
> opinion, to warrant keeping this ebuild around.

> Does that have any relevance to the fact that PolyMC has a user base that
> would find an ebuild useful?

IMO, since most of the development has moved it makes sense for the users to also move to the new fork. Maintaining ebuilds for both versions is double the work, for no extra benefit.

That being said, if someone is willing to put in this extra effort they are free to do so. Just don't expect me to act as a proxy for that, because I for one won't be rewarding Lenny's toxic and unprofessional behaviour by continuing to package polymc when there is a perfectly fine fork available.

@Carson is right though about this not really being a security bug any more. The initial concerns were that a malicious individual had gained access to one of the developers accounts. Now we know that this is not the case, and that this is a case of toxic and unprofessional behaviour and not necessarily a security leak. I think it therefore makes sense to re-assign the bug.
Comment 29 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 14:34:25 UTC
I think this *is* a security issue, given https://bugs.gentoo.org/877495#c14. However, given there's no any clear attempt at exploitation, there not much more we can do here but wait for last rites to expire.
Comment 30 Carson Rueter 2022-10-21 20:15:40 UTC
(In reply to Andrew Ammerlaan from comment #28)
> IMO, since most of the development has moved it makes sense for the users to
> also move to the new fork. Maintaining ebuilds for both versions is double
> the work, for no extra benefit.
> 
> That being said, if someone is willing to put in this extra effort they are
> free to do so. Just don't expect me to act as a proxy for that, because I
> for one won't be rewarding Lenny's toxic and unprofessional behaviour by
> continuing to package polymc when there is a perfectly fine fork available.

Yeah I'm willing to continue ebuild maintenance here. If not, I can still create my own overlay.
Comment 31 Larry the Git Cow gentoo-dev 2022-11-06 07:59:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19a8f17595a0e1717879a2f2626d13da2dbabc6f

commit 19a8f17595a0e1717879a2f2626d13da2dbabc6f
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2022-11-06 07:59:23 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2022-11-06 07:59:45 +0000

    games-action/polymc: treeclean
    
    Bug: https://bugs.gentoo.org/877495
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 games-action/polymc/Manifest                       |   1 -
 .../polymc/files/polymc-1.4.1-include_QDebug.patch |  16 ---
 games-action/polymc/metadata.xml                   |  29 -----
 games-action/polymc/polymc-1.4.2-r2.ebuild         | 135 ---------------------
 profiles/package.mask                              |  11 --
 5 files changed, 192 deletions(-)
Comment 32 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-06 13:30:50 UTC
Thanks all! All done here, though I wonder if there's any use in keeping the package.mask entry a bit longer just in case.
Comment 33 Carson Rueter 2022-11-06 13:35:04 UTC
I explicitly said I would take over maintainership, and that generally means that you shouldn't delete the entire package. Disappointed in the lack of respect, but no matter, I suppose I'll make an overlay.