
#1 2023-04-19 02:35:31

rk_au
Member
Registered: 2023-04-19
Posts: 7

[SOLVED] clamscan result: Java.Exploit.CVE_2013_1488-2 FOUND in pacman

Hello,

I ran the following command to scan my system for viruses:

clamscan --max-filesize=4000M --recursive --infected --exclude-dir='^/sys|^/dev' /

After the scan, clamscan reported that it found Java.Exploit.CVE_2013_1488-2 in the file

/var/lib/pacman/sync/community.files

The SHA256 hash of the file is

2dea395d60c549225f83adf50f6f66c5a0407a93eb23203898718df12afb9cdb

I'm wondering if this is a normal result, or if my system has been compromised. Can someone please advise? Thank you.

Last edited by rk_au (2023-04-20 05:35:21)


#2 2023-04-19 05:36:53

Ferdinand
Member
From: Norway
Registered: 2020-01-02
Posts: 338

Re: [SOLVED] clamscan result: Java.Exploit.CVE_2013_1488-2 FOUND in pacman

Welcome to the forum, rk_au smile

The *.db files in /var/lib/pacman/sync are the pacman database files, and get updated by the "y" option when you do

# pacman -Syu

I don't know about the *.files files - I can't find any info on them specifically - but being placed where they are, most likely they are also a part of the pacman database. I would assume maybe being used for the file lookup, when you do

$ pacman -F somefile

except they're not exactly updated often; I installed Arch on December 10, 2020, and these are my file dates:

$ ls -l /var/lib/pacman/sync
total 42M
-rw-r--r-- 1 root root 7,3M 19.04.2023 04:49 community.db
-rw-r--r-- 1 root root  23M 05.04.2021 07:32 community.files
-rw-r--r-- 1 root root 154K 16.04.2023 21:53 core.db
-rw-r--r-- 1 root root 897K 04.04.2021 22:22 core.files
-rw-r--r-- 1 root root 1,8M 18.04.2023 23:55 extra.db
-rw-r--r-- 1 root root 9,3M 05.04.2021 02:23 extra.files

Anyway, considering that the files are part of the pacman database, and unlikely to be executed in any way, I'm fairly sure you have a false positive - and considering this pacman troubleshooting tip, I'd say rename the file and upgrade, and delete it if all went well.

It would be interesting if someone more knowledgeable would share info on what those *.files files are, though smile

Last edited by Ferdinand (2023-04-19 05:39:52)


#3 2023-04-19 12:19:32

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 12,936

Re: [SOLVED] clamscan result: Java.Exploit.CVE_2013_1488-2 FOUND in pacman

Those *.files do need to be updated manually.

man pacman wrote:

-F, --files
           Query the files database. This operation allows you to look for packages owning certain files or display files owned
           by certain packages. Only packages that are part of your sync databases are searched. See File Options below.

FILE OPTIONS (APPLY TO -F)
       -y, --refresh
           Download fresh package databases from the server. Use twice to force a refresh even if databases are up to date.

       -l, --list
           List the files owned by the queried package.

       -x, --regex
           Interpret each query as a regular expression.

       -q, --quiet
           Show less information for certain file operations. This is useful when pacman’s output is processed in a script,
           however, you may want to use --machinereadable instead.

       --machinereadable
           Print each match in a machine readable output format. The format is repository\0pkgname\0pkgver\0path\n with \0 being
           the NULL character and \n a linefeed.

Given the age of the CVE and the relation to a Java version that hasn't been in use for at least 5 years, there's a 99.9% chance it's a false positive.
However, if you want to verify it, upload the file to https://www.virustotal.com/gui/ .

Last edited by Lone_Wolf (2023-04-19 12:20:58)


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky


#4 2023-04-19 16:00:10

rk_au
Member
Registered: 2023-04-19
Posts: 7

Re: [SOLVED] clamscan result: Java.Exploit.CVE_2013_1488-2 FOUND in pacman

Ferdinand wrote:

Welcome to the forum, rk_au smile

The *.db files in /var/lib/pacman/sync are the pacman database files, and get updated by the "y" option when you do

# pacman -Syu

I don't know about the *.files files - I can't find any info on them specifically - but being placed where they are, most likely they are also a part of the pacman database. I would assume maybe being used for the file lookup, when you do

$ pacman -F somefile

except they're not exactly updated often; I installed Arch on December 10, 2020, and these are my file dates:

$ ls -l /var/lib/pacman/sync
total 42M
-rw-r--r-- 1 root root 7,3M 19.04.2023 04:49 community.db
-rw-r--r-- 1 root root  23M 05.04.2021 07:32 community.files
-rw-r--r-- 1 root root 154K 16.04.2023 21:53 core.db
-rw-r--r-- 1 root root 897K 04.04.2021 22:22 core.files
-rw-r--r-- 1 root root 1,8M 18.04.2023 23:55 extra.db
-rw-r--r-- 1 root root 9,3M 05.04.2021 02:23 extra.files

Anyway, considering that the files are part of the pacman database, and unlikely to be executed in any way, I'm fairly sure you have a false positive - and considering this pacman troubleshooting tip, I'd say rename the file and upgrade, and delete it if all went well.

It would be interesting if someone more knowledgeable would share info on what those *.files files are, though smile

Lone_Wolf wrote:

Those *.files do need to be updated manually.

man pacman wrote:

-F, --files
           Query the files database. This operation allows you to look for packages owning certain files or display files owned
           by certain packages. Only packages that are part of your sync databases are searched. See File Options below.

FILE OPTIONS (APPLY TO -F)
       -y, --refresh
           Download fresh package databases from the server. Use twice to force a refresh even if databases are up to date.

       -l, --list
           List the files owned by the queried package.

       -x, --regex
           Interpret each query as a regular expression.

       -q, --quiet
           Show less information for certain file operations. This is useful when pacman’s output is processed in a script,
           however, you may want to use --machinereadable instead.

       --machinereadable
           Print each match in a machine readable output format. The format is repository\0pkgname\0pkgver\0path\n with \0 being
           the NULL character and \n a linefeed.

Given the age of the CVE and the relation to a Java version that hasn't been in use for at least 5 years, there's a 99.9% chance it's a false positive.
However, if you want to verify it, upload the file to https://www.virustotal.com/gui/ .

Thank you both for your replies. After that, I used

pacman -Fy

to update the file and confirmed that its hash matched that in the mirror. I also added the parameter '--max-scansize=4000M' to the 'clamscan' command, as shown below:

clamscan --max-filesize=4000M --max-scansize=4000M --recursive --infected --exclude-dir='^/sys|^/dev' /var/lib/pacman/sync/community.files

I got the same result:

/var/lib/pacman/sync/community.files: Java.Exploit.CVE_2013_1488-2 FOUND

There was no problem found when I didn't add the '--max-scansize' parameter, and I also uploaded the file to VirusTotal, which didn't detect any issues. To confirm, I tried replacing the 'community.files' file with different versions from different mirrors, some of which had different hashes, but it seems that the same issue still exists. I'm not sure if it's a false positive or not.

https://mirrors.edge.kernel.org/archlinux/community/os/x86_64/community.files
https://www.virustotal.com/gui/file/90eb6019cc86cffd2dffe9f1575bbfd6d33ea74b4e0ce66771483e531ac9c64a/
http://archlinux.ccns.ncku.edu.tw/archlinux/community/os/x86_64/community.files
https://www.virustotal.com/gui/file/a0bb37671210fd135165cb50f0ce7e7870f2ba7f4ebc7092cc5cda7cea9df891/

Last edited by rk_au (2023-04-19 16:04:10)

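The verification rk_au describes above (rescan, hash the flagged file, compare with a mirror copy, then decide whether to file a false-positive report) can be scripted. The block below is an added example for this thread; it is not code from the thread, from pacman or from ClamAV. The clamscan output it parses, the placeholder signature name `Example.Placeholder.Sig-1`, the `/home/user/Downloads/sample.bin` path and the stand-in file contents are all constructed; the mirror hash is assumed to have been obtained out of band (a second mirror or a VirusTotal entry), exactly as in the thread.

```python
"""Triage helper for a clamscan hit on a pacman sync database (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

# clamscan prints one line per infected file: "<path>: <signature> FOUND".
# Summary lines ("Infected files: 1", "----------- SCAN SUMMARY ---") do not match.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Directories pacman writes but never executes: a signature match inside these
# compressed file lists is a byte-pattern coincidence until shown otherwise.
PACMAN_DB_DIRS = ("/var/lib/pacman/sync/",)


def parse_clamscan(output):
    """Return [(path, signature), ...] for every FOUND line in clamscan output."""
    hits = []
    for line in output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def sha256_bytes(data):
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Hash a file in 1 MiB chunks; pacman .files databases are tens of MB."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path, local_hash, mirror_hash):
    """Decide what a FOUND hit means.

    mirror_hash is the SHA-256 of the same file as served by a mirror you trust.
    Identical content in a directory that only holds package metadata points to
    a detection-rule false positive (what ClamAV's FP report form is for).
    A mismatch means the local copy differs from the mirror: re-fetch it
    (pacman -Fy) before drawing any conclusion.
    """
    if local_hash is None or mirror_hash is None:
        return "unverified"
    if local_hash.lower() != mirror_hash.lower():
        return "mismatch-refetch"
    if path.startswith(PACMAN_DB_DIRS):
        return "likely-false-positive"
    return "identical-to-mirror"


def demo():
    """Run the workflow on constructed data and return the results as a dict."""
    # Constructed clamscan output: the first signature is the one from the
    # thread, the second is a made-up placeholder.
    output = (
        "/var/lib/pacman/sync/community.files: Java.Exploit.CVE_2013_1488-2 FOUND\n"
        "/home/user/Downloads/sample.bin: Example.Placeholder.Sig-1 FOUND\n"
        "\n"
        "----------- SCAN SUMMARY -----------\n"
        "Infected files: 2\n"
    )
    hits = parse_clamscan(output)

    # A small constructed file stands in for the real 23 MB database so the
    # example runs offline; in practice hash the flagged path itself.
    with tempfile.TemporaryDirectory() as tmp:
        stand_in = Path(tmp) / "community.files"
        stand_in.write_bytes(b"abc")
        local_hash = sha256_file(stand_in)

    db_path = "/var/lib/pacman/sync/community.files"
    local_hashes = {db_path: local_hash}
    # Assumed: the mirror copy, fetched out of band, hashed to the same value.
    mirror_hashes = {db_path: local_hash}

    verdicts = {
        path: classify(path, local_hashes.get(path), mirror_hashes.get(path))
        for path, _sig in hits
    }
    return {"hits": hits, "local_hash": local_hash, "verdicts": verdicts}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A "likely-false-positive" verdict is the cue to submit the file through https://www.clamav.net/reports/fp as loqs suggests; a "mismatch-refetch" verdict means the local database and the mirror disagree, so run pacman -Fy and hash again before deciding anything.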

#5 2023-04-19 19:50:39

loqs
Member
Registered: 2014-03-06
Posts: 18,045

Re: [SOLVED] clamscan result: Java.Exploit.CVE_2013_1488-2 FOUND in pacman

rk_au wrote:

I'm not sure if it's a false positive or not.

Then report it to ClamAV and let them make that determination https://www.clamav.net/reports/fp


#6 2023-04-20 05:36:26

rk_au
Member
Registered: 2023-04-19
Posts: 7

Re: [SOLVED] clamscan result: Java.Exploit.CVE_2013_1488-2 FOUND in pacman

loqs wrote:
rk_au wrote:

I'm not sure if it's a false positive or not.

Then report it to ClamAV and let them make that determination https://www.clamav.net/reports/fp

I have submitted the report and changed the title to [SOLVED]. Thank you for your suggestion.

