Hello,
I ran the following command to scan my system for viruses:
clamscan --max-filesize=4000M --recursive --infected --exclude-dir='^/sys|^/dev' /
After the scan, clamscan reported that it found Java.Exploit.CVE_2013_1488-2 in the file
/var/lib/pacman/sync/community.files
The SHA256 hash of the file is
2dea395d60c549225f83adf50f6f66c5a0407a93eb23203898718df12afb9cdb
I'm wondering if this is a normal result, or if my system has been compromised. Can someone please advise? Thank you.
Last edited by rk_au (2023-04-20 05:35:21)
Welcome to the forum, rk_au
The *.db files in /var/lib/pacman/sync are the pacman database files, and get updated by the "y" option when you do
# pacman -Syu
I don't know about the *.files files - I can't find any info on them specifically - but being placed where they are, most likely they are also a part of the pacman database. I would assume maybe being used for the file lookup, when you do
$ pacman -F somefile
except they're not exactly updated often; I installed Arch on December 10, 2020, and these are my file dates:
$ ls -l /var/lib/pacman/sync
total 42M
-rw-r--r-- 1 root root 7,3M 19.04.2023 04:49 community.db
-rw-r--r-- 1 root root 23M 05.04.2021 07:32 community.files
-rw-r--r-- 1 root root 154K 16.04.2023 21:53 core.db
-rw-r--r-- 1 root root 897K 04.04.2021 22:22 core.files
-rw-r--r-- 1 root root 1,8M 18.04.2023 23:55 extra.db
-rw-r--r-- 1 root root 9,3M 05.04.2021 02:23 extra.files
Anyway, considering that the files are part of the pacman database, and unlikely to be executed in any way, I'm fairly sure you have a false positive - and considering this pacman troubleshooting tip, I'd say rename the file and upgrade, and delete it if all went well.
It would be interesting if someone more knowledgeable would share info on what those *.files files are, though
Last edited by Ferdinand (2023-04-19 05:39:52)
Those *.files do need to be updated manually.
man pacman wrote:
-F, --files
    Query the files database. This operation allows you to look for packages owning certain files or display files owned by certain packages. Only packages that are part of your sync databases are searched. See File Options below.

FILE OPTIONS (APPLY TO -F)
-y, --refresh
    Download fresh package databases from the server. Use twice to force a refresh even if databases are up to date.
-l, --list
    List the files owned by the queried package.
-x, --regex
    Interpret each query as a regular expression.
-q, --quiet
    Show less information for certain file operations. This is useful when pacman's output is processed in a script, however, you may want to use --machinereadable instead.
--machinereadable
    Print each match in a machine readable output format. The format is repository\0pkgname\0pkgver\0path\n with \0 being the NULL character and \n a linefeed.
Given the age of the CVE and the relation to a java version that hasn't been in use for at least 5 years, it's 99.9% chance for a false positive.
However if you want to verify it, upload the file to https://www.virustotal.com/gui/ .
Last edited by Lone_Wolf (2023-04-19 12:20:58)
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough?
Try clean chroot manager by graysky
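As an added example (not code from the thread or from pacman), here is a small Python parser that builds a constructed sync database in the layout pacman uses for its *.files archives (one "<name>-<ver>/" directory per package holding plain-text "desc" and "files" entries) and answers the same question as `pacman -F`: which package owns a given path. The package names, versions and paths are constructed; the point is that the archive contains nothing but metadata and path lists, which is why a signature hit on it is worth questioning rather than acting on.

```python
import io
import tarfile

# Constructed sample packages, laid out like a pacman sync ".files" db:
# dir name "<name>-<ver>" -> (pkgname, version, file list).
SAMPLE_PKGS = {
    "foo-1.0-1": ("foo", "1.0-1", ["usr/", "usr/bin/", "usr/bin/foo"]),
    "bar-2.3-2": ("bar", "2.3-2", ["usr/", "usr/lib/", "usr/lib/libbar.so"]),
}

def build_files_db(pkgs=SAMPLE_PKGS):
    """Return bytes of a gzip'd tar laid out like community.files (constructed)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for dirname, (name, ver, paths) in pkgs.items():
            members = {f"{dirname}/desc": f"%NAME%\n{name}\n\n%VERSION%\n{ver}\n\n",
                       f"{dirname}/files": "%FILES%\n" + "\n".join(paths) + "\n"}
            for member, text in members.items():
                info = tarfile.TarInfo(member)  # plain-text entry, nothing executable
                info.size = len(text.encode())
                tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()

def parse_sections(text):
    """Split pacman's '%KEY%' blocks (blank-line separated) into a dict of lines."""
    sections, key = {}, None
    for line in text.splitlines():
        if line.startswith("%") and line.endswith("%"):
            key = line.strip("%")
            sections[key] = []
        elif line and key:
            sections[key].append(line)
    return sections

def parse_files_db(db_bytes):
    """Map pkgname -> (version, [paths]) by reading every desc/files entry."""
    pkgs = {}
    with tarfile.open(fileobj=io.BytesIO(db_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile() and m.name.count("/") == 1:
                dirname, kind = m.name.split("/")
                sections = parse_sections(tar.extractfile(m).read().decode())
                pkgs.setdefault(dirname, {})[kind] = sections
    return {e["desc"]["NAME"][0]: (e["desc"]["VERSION"][0], e["files"].get("FILES", []))
            for e in pkgs.values()}

def owners_of(db_bytes, path):
    """Like 'pacman -F <path>': packages whose file list contains that exact path."""
    path = path.lstrip("/")
    return sorted(n for n, (_, files) in parse_files_db(db_bytes).items() if path in files)
```

Pointing `parse_files_db` at a real /var/lib/pacman/sync/*.files (read as bytes) lists the same package-to-path mapping that `pacman -Fl` prints, with no code in the archive to run.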
Thank you both for your replies. After that, I used
pacman -Fy
to update the file and confirmed that its hash matched that in the mirror. I also added the parameter '--max-scansize=4000M' to the 'clamscan' command, as shown below:
clamscan --max-filesize=4000M --max-scansize=4000M --recursive --infected --exclude-dir='^/sys|^/dev' /var/lib/pacman/sync/community.files
I got the same result:
/var/lib/pacman/sync/community.files: Java.Exploit.CVE_2013_1488-2 FOUND
There was no problem found when I didn't add the '--max-scansize' parameter, and I also uploaded the file to VirusTotal, which didn't detect any issues. To confirm, I tried replacing the 'community.files' file with different versions from different mirrors, some of which had different hashes, but it seems that the same issue still exists. I'm not sure if it's a false positive or not.
https://mirrors.edge.kernel.org/archlinux/community/os/x86_64/community.files
https://www.virustotal.com/gui/file/90eb6019cc86cffd2dffe9f1575bbfd6d33ea74b4e0ce66771483e531ac9c64a/
http://archlinux.ccns.ncku.edu.tw/archlinux/community/os/x86_64/community.files
https://www.virustotal.com/gui/file/a0bb37671210fd135165cb50f0ce7e7870f2ba7f4ebc7092cc5cda7cea9df891/
Last edited by rk_au (2023-04-19 16:04:10)
rk_au wrote: I'm not sure if it's a false positive or not.
Then report it to ClamAV and let them make that determination https://www.clamav.net/reports/fp
I have submitted the report and changed the title to [SOLVED]. Thank you for your suggestion.