Closed mmahmoudian closed 5 years ago
Have you confirmed that these are not false positives? This seems simply to be reporting that these are compressed files with multiple streams, which is what all bam files are?
I'm not sure if they are legit or false positives, but I found a post where someone said:
By definition, there is no such thing as a False Positive PUA nor is PUA considered to be infected. http://www.clamav.net/documents/potentially-unwanted-applications-pua.
Based on the description of CVE-2012-1461 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1461 I'd guess it has something to do with the way that file was compressed that might allow it to bypass malware detection by a number of A-V scanners, which simply makes it suspicious.
Based on another suggestion on that page, I submitted the whole package to VirusTotal: https://www.virustotal.com/gui/url/eb7abfb1a6b86e43c03d35c88a3a793d4cfe6a6baa37ad99e9b54929746722cb/detection
but clearly nothing was detected, simply because the package does not contain these bam files (they should be in folders named "extdata" and "unitTests"):
~/tmp/Rsamtools ls -al
total 76K
drwxrwxr-x 9 mehrad mehrad 4,0K syys 24 15:44 .
drwxrwxr-x 10 mehrad mehrad 4,0K syys 24 15:44 ..
drwxr-xr-x 2 mehrad mehrad 4,0K syys 20 02:56 build
-rw-r--r-- 1 mehrad mehrad 1,6K syys 20 02:56 DESCRIPTION
drwxr-xr-x 6 mehrad mehrad 4,0K syys 20 02:56 inst
-rw-r--r-- 1 mehrad mehrad 1,2K touko 2 23:56 LICENSE
drwxr-xr-x 2 mehrad mehrad 4,0K touko 2 23:56 man
-rw-r--r-- 1 mehrad mehrad 7,9K touko 2 23:56 migration_notes.md
-rw-r--r-- 1 mehrad mehrad 1,4K touko 2 23:56 NAMESPACE
-rw-r--r-- 1 mehrad mehrad 15K touko 2 23:56 NEWS
drwxr-xr-x 2 mehrad mehrad 4,0K touko 2 23:56 R
-rw-r--r-- 1 mehrad mehrad 581 touko 2 23:56 README.md
drwxr-xr-x 2 mehrad mehrad 4,0K syys 20 02:56 src
drwxr-xr-x 2 mehrad mehrad 4,0K touko 2 23:56 tests
drwxr-xr-x 2 mehrad mehrad 4,0K syys 20 02:56 vignettes
I also dug out one of these files and submitted it to VirusTotal: https://www.virustotal.com/gui/file/2faaad659823e28c459c96c7c89f44661e9f6a7100d411d0eac68e48a86085fb/detection which seems to be clean as well, but according to the definition of this CVE, the compression method might cause some AV software to give a false negative. Hence this is beyond my expertise at this point and I think more security-oriented people should take this to the next step.
The files are included in the source code and in the built package -- inst/ is a directory. If the virus tool is simply responding to the fact that the file is compressed, then we're on the same page; the files are compressed! For the bam files, this is part of the file definition.
Since the files do not contain viruses, the claim that they do or might is false.
I'll close the issue, but if there are more concrete indications of a problem I will happily respond further.
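To make the point about "compressed files with multiple streams" concrete: a BAM file is BGZF, a series of concatenated gzip members that each carry a "BC" extra subfield and end with a fixed 28-byte EOF block. The following is an added Python example, not code from this thread or from Rsamtools, that walks the gzip members of a file and reports how many carry the BGZF marker; the BAM-like input is a constructed sample built inline, not the ex1.bam discussed above.

```python
"""Count gzip member streams and tell BGZF blocks (BAM container) from plain gzip."""
import gzip
import struct
import zlib

# 28-byte BGZF end-of-file marker block defined by the SAM specification.
BGZF_EOF = bytes.fromhex("1f8b08040000000000ff0600424302001b0003000000000000000000")

def bgzf_block(payload: bytes) -> bytes:
    """Wrap payload in one BGZF block: a gzip member with the 'BC' extra subfield."""
    comp = zlib.compressobj(6, zlib.DEFLATED, -15)              # raw deflate
    cdata = comp.compress(payload) + comp.flush()
    bsize = 18 + len(cdata) + 8 - 1                              # BSIZE = block size - 1
    header = (b"\x1f\x8b\x08\x04" + b"\x00" * 4 + b"\x00\xff"    # FLG.FEXTRA set
              + struct.pack("<H", 6) + b"BC" + struct.pack("<HH", 2, bsize))
    return header + cdata + struct.pack("<II", zlib.crc32(payload), len(payload))

def is_bgzf_member(member: bytes) -> bool:
    """True if this gzip member carries the BGZF 'BC' extra subfield."""
    if len(member) < 12 or member[:3] != b"\x1f\x8b\x08" or not member[3] & 0x04:
        return False
    extra, pos = member[12:12 + struct.unpack_from("<H", member, 10)[0]], 0
    while pos + 4 <= len(extra):
        si, slen = extra[pos:pos + 2], struct.unpack_from("<H", extra, pos + 2)[0]
        if si == b"BC" and slen == 2:
            return True
        pos += 4 + slen
    return False

def inspect_gzip_members(data: bytes) -> dict:
    """Walk every concatenated gzip member; raise ValueError if one is truncated."""
    members = bgzf = total = 0
    rest, last = data, b""
    while rest:
        d = zlib.decompressobj(wbits=31)                         # one gzip member
        out = d.decompress(rest)
        if not d.eof:
            raise ValueError("gzip member %d is truncated" % (members + 1))
        last = rest[:len(rest) - len(d.unused_data)]             # bytes of this member
        bgzf += is_bgzf_member(last)
        members, total, rest = members + 1, total + len(out), d.unused_data
    return {"members": members, "bgzf_members": bgzf,
            "uncompressed_bytes": total, "eof_marker": last == BGZF_EOF}

# Constructed samples (not ex1.bam): two BGZF blocks of SAM-style text plus the EOF
# marker, and a plain single-member gzip for comparison.
SAMPLE_PAYLOADS = [b"@HD\tVN:1.6\tSO:coordinate\n",
                   b"r1\t0\tchr1\t100\t60\t5M\t*\t0\t0\tACGTA\tIIIII\n"]
SAMPLE_BAM_LIKE = b"".join(bgzf_block(p) for p in SAMPLE_PAYLOADS) + BGZF_EOF
SAMPLE_PLAIN_GZIP = gzip.compress(b"not a bam file\n")
```

Running `inspect_gzip_members` over a real BAM should report every member as BGZF with the EOF marker present; a multi-member count on its own is just the container format, not evidence of anything hidden inside.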
Thank you for your quick response to the whole issue.
> Since the files do not contain viruses, the claim that they do or might is false.
The issue is we don't know if they contain a virus or not! ClamAV does not raise such a "detection" for all compressed files (even encrypted ones); of all the 1TB of files I have on my computer, only these have been detected!
Regardless, I cannot prove or disprove the safety of these files, and since I can do little to nothing about this package I will completely remove it from all my pipelines, computer, and cluster until I am reassured these external files are safe or removed from the package.
Cheers,
ok; I'm not sure what you're looking for in terms of reassurance. It seems like your own attempts say that they do not contain viruses, and as the maintainer of the package I'm telling you they don't contain viruses... I don't know what your 1TB of files are; presumably you mean bam files?
To add a bit more, when R packages are installed, files below inst/ are moved to the top level of the installed package. So on your system
/home/mehrad/R/x86_64-pc-linux-gnu-library/3.4/Rsamtools/extdata/ex1.bam
has been moved from inst/extdata/ex1.bam in the source directory and tarball that you submitted for scanning. The following shows the location of the ex1.bam file in the tarball that you scanned:
/tmp$ wget https://bioconductor.org/packages/release/bioc/src/contrib/Rsamtools_2.0.1.tar.gz
--2019-09-24 14:41:06-- https://bioconductor.org/packages/release/bioc/src/contrib/Rsamtools_2.0.1.tar.gz
Resolving bioconductor.org (bioconductor.org)... 13.33.73.76, 13.33.73.47, 13.33.73.96, ...
Connecting to bioconductor.org (bioconductor.org)|13.33.73.76|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3033079 (2.9M) [application/x-gzip]
Saving to: ‘Rsamtools_2.0.1.tar.gz’
Rsamtools_2.0.1.tar.gz 100%[============================>] 2.89M 7.55MB/s in 0.4s
2019-09-24 14:41:07 (7.55 MB/s) - ‘Rsamtools_2.0.1.tar.gz’ saved [3033079/3033079]
/tmp$ tar tzf Rsamtools_2.0.1.tar.gz |grep ex1.bam
Rsamtools/inst/extdata/ex1.bam
Rsamtools/inst/extdata/ex1.bam.bai
The file is also available directly at
https://github.com/Bioconductor/Rsamtools/blob/master/inst/extdata/ex1.bam
although strictly speaking this is a clone of the Bioconductor git repository and the packages are built nightly from the (secure) checkout
git clone https://git.bioconductor.org/packages/Rsamtools
and published securely to our public repositories.
I just dug these out of my ClamAV log files:
To save you some time, this is the CVE's page: https://nvd.nist.gov/vuln/detail/CVE-2012-1461 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1461
Considering that almost all of them are data files, they should be audited before inclusion in the package.