Bioconductor / Rsamtools

Binary alignment (BAM), FASTA, variant call (BCF), and tabix file import
https://bioconductor.org/packages/Rsamtools

CVE_2012_1461-1 FOUND #11

Closed mmahmoudian closed 5 years ago

mmahmoudian commented 5 years ago

I just dug these out of my ClamAV log files:

/home/mehrad/R/x86_64-pc-linux-gnu-library/3.4/Rsamtools/extdata/ex1.bam: PUA.Win.Exploit.CVE_2012_1461-1 FOUND
/home/mehrad/R/x86_64-pc-linux-gnu-library/3.4/Rsamtools/extdata/tagfilter.bam: PUA.Win.Exploit.CVE_2012_1461-1 FOUND
/home/mehrad/R/x86_64-pc-linux-gnu-library/3.4/Rsamtools/extdata/no_which_buffered_pileup.bam: PUA.Win.Exploit.CVE_2012_1461-1 FOUND
/home/mehrad/R/x86_64-pc-linux-gnu-library/3.4/Rsamtools/extdata/example.gtf.gz.tbi: PUA.Win.Exploit.CVE_2012_1461-1 FOUND
/home/mehrad/R/x86_64-pc-linux-gnu-library/3.4/Rsamtools/extdata/example.gtf.gz: PUA.Win.Exploit.CVE_2012_1461-1 FOUND
/home/mehrad/R/x86_64-pc-linux-gnu-library/3.4/Rsamtools/extdata/querybins.bam: PUA.Win.Exploit.CVE_2012_1461-1 FOUND
/home/mehrad/R/x86_64-pc-linux-gnu-library/3.4/Rsamtools/extdata/example_from_SAM_Spec.bam: PUA.Win.Exploit.CVE_2012_1461-1 FOUND
/home/mehrad/R/x86_64-pc-linux-gnu-library/3.4/Rsamtools/extdata/revbins.bam: PUA.Win.Exploit.CVE_2012_1461-1 FOUND
/home/mehrad/R/x86_64-pc-linux-gnu-library/3.4/Rsamtools/extdata/ex1.bcf.bci: PUA.Win.Exploit.CVE_2012_1461-1 FOUND
/home/mehrad/R/x86_64-pc-linux-gnu-library/3.4/Rsamtools/extdata/tiny.bam: PUA.Win.Exploit.CVE_2012_1461-1 FOUND
/home/mehrad/R/x86_64-pc-linux-gnu-library/3.4/Rsamtools/extdata/ex1.bcf: PUA.Win.Exploit.CVE_2012_1461-1 FOUND
/home/mehrad/R/x86_64-pc-linux-gnu-library/3.4/Rsamtools/extdata/no_which_whole_file.bam: PUA.Win.Exploit.CVE_2012_1461-1 FOUND
/home/mehrad/R/x86_64-pc-linux-gnu-library/3.4/Rsamtools/unitTests/cases/ex1_unsort.bam: PUA.Win.Exploit.CVE_2012_1461-1 FOUND
/home/mehrad/R/x86_64-pc-linux-gnu-library/3.4/Rsamtools/unitTests/cases/plp_refskip.bam: PUA.Win.Exploit.CVE_2012_1461-1 FOUND
/home/mehrad/R/x86_64-pc-linux-gnu-library/3.4/Rsamtools/unitTests/cases/ex1_noindex.bam: PUA.Win.Exploit.CVE_2012_1461-1 FOUND
/home/mehrad/R/x86_64-pc-linux-gnu-library/3.4/Rsamtools/unitTests/cases/ex1_shuf1000.bam: PUA.Win.Exploit.CVE_2012_1461-1 FOUND

To save you some time, this is the CVE's page: https://nvd.nist.gov/vuln/detail/CVE-2012-1461 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1461

Considering that almost all of them are data files, they should be audited before inclusion in the package.

mtmorgan commented 5 years ago

Have you confirmed that these are not false positives? This seems simply to be reporting that these are compressed files with multiple streams, which is what all bam files are?

mmahmoudian commented 5 years ago

I'm not sure if they are legitimate or false positives, but I found a post in which someone said:

By definition, there is no such thing as a False Positive PUA nor is PUA considered to be infected. http://www.clamav.net/documents/potentially-unwanted-applications-pua.

Based on the description of CVE-2012-1461 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1461 I'd guess it has something to do with the way that file was compressed that might allow it to bypass malware detection by a number of A-V scanners, which simply makes it suspicious.

Based on another suggestion on the page, I submitted the whole package to VirusTotal: https://www.virustotal.com/gui/url/eb7abfb1a6b86e43c03d35c88a3a793d4cfe6a6baa37ad99e9b54929746722cb/detection

but clearly nothing was detected, simply because the package does not contain these bam files (they should be in folders named "extdata" and "unitTests"):

 ~/tmp/Rsamtools   ls -al
total 76K
drwxrwxr-x  9 mehrad mehrad 4,0K syys  24 15:44 .
drwxrwxr-x 10 mehrad mehrad 4,0K syys  24 15:44 ..
drwxr-xr-x  2 mehrad mehrad 4,0K syys  20 02:56 build
-rw-r--r--  1 mehrad mehrad 1,6K syys  20 02:56 DESCRIPTION
drwxr-xr-x  6 mehrad mehrad 4,0K syys  20 02:56 inst
-rw-r--r--  1 mehrad mehrad 1,2K touko  2 23:56 LICENSE
drwxr-xr-x  2 mehrad mehrad 4,0K touko  2 23:56 man
-rw-r--r--  1 mehrad mehrad 7,9K touko  2 23:56 migration_notes.md
-rw-r--r--  1 mehrad mehrad 1,4K touko  2 23:56 NAMESPACE
-rw-r--r--  1 mehrad mehrad  15K touko  2 23:56 NEWS
drwxr-xr-x  2 mehrad mehrad 4,0K touko  2 23:56 R
-rw-r--r--  1 mehrad mehrad  581 touko  2 23:56 README.md
drwxr-xr-x  2 mehrad mehrad 4,0K syys  20 02:56 src
drwxr-xr-x  2 mehrad mehrad 4,0K touko  2 23:56 tests
drwxr-xr-x  2 mehrad mehrad 4,0K syys  20 02:56 vignettes

I also dug out one of these files and submitted it to VirusTotal: https://www.virustotal.com/gui/file/2faaad659823e28c459c96c7c89f44661e9f6a7100d411d0eac68e48a86085fb/detection which seems to be clean as well, but according to the definition of this CVE, the compression method might make some AV software produce a false negative, hence this is beyond my expertise at this point and I think more security-oriented people should take this to the next step.

mtmorgan commented 5 years ago

the files are included in the source code and in the built package -- inst/ is a directory. If the virus tool is simply responding to the fact that the file is compressed, then we're on the same page; the files are compressed! For the bam files, this is part of the file definition.

Since the files do not contain viruses, the claim that they do or might is false.

I'll close the issue but if there are more concrete indications of problem I will happily respond further.
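The "compressed files with multiple streams" explanation can be checked directly rather than argued. CVE-2012-1461 describes gzip files with multiple compressed streams slipping past several scanners, and the ClamAV signature named in the log flags that layout; BGZF, the container that BAM, BCF and tabix files use, is by definition a series of independent gzip members, so a valid BAM file has exactly that shape. The following is an added example written for this thread, not Rsamtools code and not anything posted by either participant: it walks every gzip member of a BGZF file, validates the BC subfield, CRC32 and ISIZE of each block, and reports how many members there are. The sample file is constructed in memory so the script runs offline; pass a real path (for example the flagged ex1.bam) as the first argument to inspect it instead.

```python
"""Walk every gzip member of a BGZF file and validate it.

Added example for this issue thread, not Rsamtools code.  The sample
BGZF data below is constructed here so the script runs offline.
"""
import struct
import zlib

# The 28-byte empty block that terminates every BGZF file (SAM spec).
BGZF_EOF = bytes.fromhex(
    "1f8b08040000000000ff0600424302001b0003000000000000000000")


def bgzf_block(payload: bytes) -> bytes:
    """Encode one BGZF block: a gzip member whose FEXTRA subfield 'BC'
    holds the total block size minus one (BSIZE)."""
    comp = zlib.compressobj(6, zlib.DEFLATED, -15)      # raw deflate, no header
    cdata = comp.compress(payload) + comp.flush()
    bsize = 18 + len(cdata) + 8 - 1                     # header + cdata + trailer - 1
    header = struct.pack("<4BIBB", 0x1F, 0x8B, 8, 0x04, 0, 0, 0xFF)  # FLG = FEXTRA
    header += struct.pack("<H", 6)                      # XLEN
    header += b"BC" + struct.pack("<HH", 2, bsize)      # SI1 SI2 SLEN BSIZE
    trailer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF, len(payload))
    return header + cdata + trailer


def bgzf_members(data: bytes):
    """Yield (offset, block_len, uncompressed_len) per gzip member; raise
    ValueError on anything that is not a well-formed BGZF block."""
    off = 0
    while off < len(data):
        if data[off:off + 2] != b"\x1f\x8b":
            raise ValueError(f"no gzip magic at offset {off}")
        cm, flg = data[off + 2], data[off + 3]
        if cm != 8 or not flg & 0x04:
            raise ValueError(f"member at {off} is plain gzip (no FEXTRA), not BGZF")
        xlen = struct.unpack_from("<H", data, off + 10)[0]
        extra = data[off + 12:off + 12 + xlen]
        bsize, pos = None, 0
        while pos + 4 <= len(extra):                    # scan the extra subfields
            slen = struct.unpack_from("<H", extra, pos + 2)[0]
            if extra[pos:pos + 2] == b"BC" and slen == 2 and pos + 6 <= len(extra):
                bsize = struct.unpack_from("<H", extra, pos + 4)[0]
            pos += 4 + slen
        if bsize is None:
            raise ValueError(f"member at {off} has no BC subfield")
        end = off + bsize + 1
        if end > len(data):
            raise ValueError(f"member at {off} runs past end of file (truncated)")
        cdata = data[off + 12 + xlen:end - 8]
        crc, isize = struct.unpack_from("<II", data, end - 8)
        payload = zlib.decompress(cdata, -15)
        if len(payload) != isize or zlib.crc32(payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"member at {off} fails CRC32/ISIZE check")
        yield off, bsize + 1, isize
        off = end


def summarize_bgzf(data: bytes) -> dict:
    """Member count, total uncompressed size and EOF-marker presence."""
    members = list(bgzf_members(data))
    return {"members": len(members),
            "uncompressed_bytes": sum(m[2] for m in members),
            "has_eof_block": data.endswith(BGZF_EOF)}


# Constructed sample: 3,000 made-up tab-separated records, 1,000 per block.
SAMPLE_RECORDS = [b"chr1\t%d\t+\tread%d\n" % (100 + i, i) for i in range(3000)]
SAMPLE_BGZF = b"".join(
    bgzf_block(b"".join(SAMPLE_RECORDS[i:i + 1000])) for i in range(0, 3000, 1000)
) + BGZF_EOF

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_BGZF
    print(summarize_bgzf(data))
```

On the constructed sample this reports four members (three data blocks plus the EOF block), which is the multi-stream structure the signature reacts to. A file that parses cleanly this way is structurally what the BAM specification requires; the check says nothing about the records inside the blocks, but it does confirm that "multiple gzip streams" is an inherent property of the format rather than something added to these particular files.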

mmahmoudian commented 5 years ago

Thank you for your quick response to the whole issue.

Since the files do not contain viruses, the claim that they do or might is false.

The issue is we don't know if they contain a virus or not! ClamAV does not throw such a "detection" for all compressed files (even encrypted ones): of all 1TB of files I have on my computer, only these have been detected!

Regardless, I cannot prove or disprove the safety of these files, and since I can do little to nothing about this package I will completely remove it from all my pipelines, computer, and cluster until I get reassured these external files are safe or removed from the package.

Cheers,

mtmorgan commented 5 years ago

ok; I'm not sure what you're looking for in terms of reassurance, it seems like your own attempts say that they do not contain viruses, and as the maintainer of the package I'm telling you they don't contain viruses... I don't know what your 1TB files are, presumably you mean bam files?

To add a bit more, when R packages are installed, files below inst/ are moved to the top level of the installed package. So on your system

/home/mehrad/R/x86_64-pc-linux-gnu-library/3.4/Rsamtools/extdata/ex1.bam

has been moved from inst/extdata/ex1.bam in the source directory and tar ball that you submitted for scanning. The following shows the location of the ex1.bam file in the tarball that you scanned

/tmp$ wget https://bioconductor.org/packages/release/bioc/src/contrib/Rsamtools_2.0.1.tar.gz
--2019-09-24 14:41:06--  https://bioconductor.org/packages/release/bioc/src/contrib/Rsamtools_2.0.1.tar.gz
Resolving bioconductor.org (bioconductor.org)... 13.33.73.76, 13.33.73.47, 13.33.73.96, ...
Connecting to bioconductor.org (bioconductor.org)|13.33.73.76|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3033079 (2.9M) [application/x-gzip]
Saving to: ‘Rsamtools_2.0.1.tar.gz’

Rsamtools_2.0.1.tar.gz  100%[============================>]   2.89M  7.55MB/s    in 0.4s

2019-09-24 14:41:07 (7.55 MB/s) - ‘Rsamtools_2.0.1.tar.gz’ saved [3033079/3033079]

/tmp$ tar tzf Rsamtools_2.0.1.tar.gz |grep ex1.bam
Rsamtools/inst/extdata/ex1.bam
Rsamtools/inst/extdata/ex1.bam.bai

The file is also available directly at

https://github.com/Bioconductor/Rsamtools/blob/master/inst/extdata/ex1.bam

although strictly speaking this is a clone of the Bioconductor git repository and the packages are built nightly from the (secure) checkout

git clone https://git.bioconductor.org/packages/Rsamtools

and published securely to our public repositories.
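The relocation described above (everything under inst/ in the tarball lands at the top level of the installed package) is also the basis of a concrete check: an installed file such as extdata/ex1.bam should be byte-identical to Rsamtools/inst/extdata/ex1.bam in the tarball that was submitted for scanning, so hashing both ends tells you whether the scanned artifact and the on-disk file are the same thing. The script below is an added example for this thread, not Rsamtools code and not something either participant posted. It maps tarball members to their installed paths and compares SHA-256 digests; demo() builds a small constructed tarball and a fake installed tree in a temporary directory so the script runs offline, and the two command-line arguments (tarball path, installed package directory) are the real-world usage.

```python
"""Compare files under <pkg>/inst/ in an R source tarball with the copies in
an installed library.  Added example for this issue thread, not Rsamtools
code; demo() uses constructed contents only.
"""
import hashlib
import io
import os
import tarfile
import tempfile


def installed_relpath(member_name: str):
    """'Rsamtools/inst/extdata/ex1.bam' -> 'extdata/ex1.bam'.  Files outside
    inst/ (DESCRIPTION, R/, src/ ...) are transformed at build time rather
    than copied verbatim, so they return None and are skipped."""
    parts = member_name.split("/")
    if len(parts) >= 3 and parts[1] == "inst":
        return "/".join(parts[2:])
    return None


def sha256_path(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_inst_files(tarball: str, install_dir: str) -> dict:
    """Return {installed relative path: 'match' | 'differs' | 'missing'}."""
    result = {}
    with tarfile.open(tarball, "r:gz") as tf:
        for m in tf.getmembers():
            rel = installed_relpath(m.name) if m.isfile() else None
            if rel is None:
                continue
            want = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
            dst = os.path.join(install_dir, *rel.split("/"))
            if not os.path.isfile(dst):
                result[rel] = "missing"
            else:
                result[rel] = "match" if sha256_path(dst) == want else "differs"
    return result


def _add_member(tf: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tf.addfile(info, io.BytesIO(data))


def demo() -> dict:
    """Constructed fixture: one matching file, one tampered file, one file
    that was never installed.  All contents are made up."""
    bam = b"BAM\x01 constructed bytes"
    with tempfile.TemporaryDirectory() as tmp:
        tarball = os.path.join(tmp, "Rsamtools_x.tar.gz")
        with tarfile.open(tarball, "w:gz") as tf:
            _add_member(tf, "Rsamtools/DESCRIPTION", b"Package: Rsamtools\n")
            _add_member(tf, "Rsamtools/inst/extdata/ex1.bam", bam)
            _add_member(tf, "Rsamtools/inst/extdata/ex1.bam.bai", b"BAI\x01")
            _add_member(tf, "Rsamtools/inst/unitTests/cases/ex1_unsort.bam", bam)
        lib = os.path.join(tmp, "lib", "Rsamtools")
        os.makedirs(os.path.join(lib, "extdata"))
        with open(os.path.join(lib, "extdata", "ex1.bam"), "wb") as fh:
            fh.write(bam)                                   # identical copy
        with open(os.path.join(lib, "extdata", "ex1.bam.bai"), "wb") as fh:
            fh.write(b"BAI\x01 tampered")                   # differs from tarball
        return compare_inst_files(tarball, lib)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        for rel, status in sorted(compare_inst_files(sys.argv[1], sys.argv[2]).items()):
            print(status, rel)
    else:
        print(demo())
```

Run against Rsamtools_2.0.1.tar.gz and the installed Rsamtools directory, every extdata/ and unitTests/ file should report "match"; a "differs" or "missing" entry would mean the installed file is not the one VirusTotal saw and would be worth investigating on its own.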