Hi folks,
when checking my .cargo folder with clamscan, it found some suspicious files in crates that are dependencies of other packages (flate2-1.0.28.crate, image-0.24.8.crate, gif-0.12.0.crate).
Here's the scan output:
Scanning .../.cargo please wait...
.../.cargo/registry/cache/index.crates.io-6f17d22bba15001f/flate2-1.0.28.crate: PUA.Win.Exploit.CVE_2012_1461-1 FOUND
LibClamAV Warning: JPEG: Segment data out of file
.../.cargo/registry/cache/index.crates.io-6f17d22bba15001f/image-0.24.8.crate: Heuristics.Broken.Media.JPEG.SegmentDataOutOfFile FOUND
LibClamAV Error: GIF: EOF in the middle of an image data sub-block, file truncated?
.../.cargo/registry/cache/index.crates.io-6f17d22bba15001f/gif-0.12.0.crate: Heuristics.Broken.Media.GIF.TruncatedImageDataBlock FOUND
.../.cargo/registry/src/index.crates.io-6f17d22bba15001f/flate2-1.0.28/tests/multi.gz: PUA.Win.Exploit.CVE_2012_1461-1 FOUND
LibClamAV Warning: JPEG: Segment data out of file
.../.cargo/registry/src/index.crates.io-6f17d22bba15001f/image-0.24.8/tests/regression/jpg/oss-fuzz-36829.jpeg: Heuristics.Broken.Media.JPEG.SegmentDataOutOfFile FOUND
LibClamAV Error: GIF: EOF in the middle of an image data sub-block, file truncated?
.../.cargo/registry/src/index.crates.io-6f17d22bba15001f/gif-0.12.0/tests/stall/issue-101-infinite-empty-loop.gif: Heuristics.Broken.Media.GIF.TruncatedImageDataBlock FOUND
I never install packages from repos other than crates.io or GitHub. I wasn't successful when trying to get information about possible issues with those crates, and I'm not sure whether these error messages are false positives.
Does any of you have a proposal for how to handle this situation? I am relatively new to Rust and Cargo, and therefore my question: what is the best way to uninstall and reinstall those crates without causing any inconsistencies?
Cases of false positive results returned by antivirus software are way, way too common. I would suggest not relying on them for determining whether a piece of open source software is vulnerable; you would be better off consulting specialized reports such as CVEs.
Those *.crate files from ~/.cargo/registry/cache/ are actually .tar.gz files which get unpacked in ~/.cargo/registry/src/, thus the 6 finds are actually just 3: the first 3 are found within the .crate archives, the next 3 are found in the unpacked dirs of those crates.
This is the only important one at first glance: flate2-1.0.28/tests/multi.gz: PUA.Win.Exploit.CVE_2012_1461-1 FOUND, but if we look within the .crate file itself, we see it's a 53-byte .gz file which unpacks to the same contents as the file multi.txt, thus it's harmless as it contains just these 2 lines:
first
second
but also, 53 bytes can't do much. So it's a clear case of a false positive.
The other two are apparently broken on purpose for tests (cargo test), but I haven't looked into them, also because the detection seems to be heuristic and it's about images (although here you could argue that it could still be the xz-utils hack all over again, hiding in plain sight; I doubt it is so in this particular case): image-0.24.8/tests/regression/jpg/oss-fuzz-36829.jpeg: Heuristics.Broken.Media.JPEG.SegmentDataOutOfFile FOUND
(this is a 658-byte jpeg file)
gif-0.12.0/tests/stall/issue-101-infinite-empty-loop.gif: Heuristics.Broken.Media.GIF.TruncatedImageDataBlock FOUND
(this is a 40-byte gif file)
Here's an attempt from chatgpt 3.5 to explain heuristics (feel free to skip):
Explaining the limitations of antivirus heuristic detection and its susceptibility to false positives can be approached with clarity and detail. Here's a breakdown of how you might explain this to someone:
Understanding Antivirus Heuristic Detection:
Start by explaining what antivirus heuristic detection is. It's a proactive method used by antivirus programs to detect previously unknown malware based on its behavior or characteristics rather than relying solely on known signatures.
Proactive Approach:
Highlight the proactive nature of heuristic detection. Unlike traditional signature-based detection that relies on a catalog of known malware signatures, heuristic detection attempts to identify new and emerging threats by analyzing their behavior patterns.
Potential for False Positives:
Emphasize that because heuristic detection is based on identifying suspicious behavior, it can sometimes result in false positives. False positives occur when legitimate software or files are incorrectly identified as malware due to similarities in behavior or characteristics.
Examples of False Positives:
Provide examples of situations where false positives have occurred. For instance, a legitimate application might trigger heuristic detection if it performs actions that resemble malicious behavior, such as modifying system files or accessing sensitive areas of the operating system.
Impact of False Positives:
Explain the potential consequences of false positives, such as:
Disruption of legitimate software usage
Loss of user trust in the antivirus software
Waste of time and resources in investigating and resolving false alarms
Balancing Security and Usability:
Acknowledge that while heuristic detection is an important tool for detecting new threats, it must be balanced with usability. Overly aggressive heuristic detection that generates frequent false positives can frustrate users and undermine the effectiveness of the antivirus software.
Mitigation Strategies:
Discuss strategies for mitigating the risk of false positives, such as:
Fine-tuning heuristic detection settings to reduce sensitivity
Regularly updating antivirus software to incorporate new detection algorithms and improve accuracy
Providing users with the ability to review and whitelist flagged files or applications
Continuous Improvement:
Stress the importance of ongoing development and refinement of heuristic detection algorithms to minimize false positives while maintaining effective malware detection capabilities.
By providing a comprehensive explanation, you can help someone understand the nuances of antivirus heuristic detection and why it's not always infallible, despite its importance in modern cybersecurity.
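The triage described in the reply above (confirm that the flagged member inside the .crate is byte-for-byte the same as the copy cargo unpacked into registry/src, then look at what tests/multi.gz really decompresses to), written out as an added shell example that is not from the thread or from the flate2 project. It builds a constructed stand-in for flate2-1.0.28.crate so it runs offline; only the cache/src layout and the member path are taken from the scan output.

```shell
#!/bin/sh
# Added example (not from the thread): triage a ClamAV hit on a file shipped inside a .crate.
# A .crate is a gzip-compressed tar that cargo unpacks into registry/src/<index>/<name>-<ver>/,
# so the same bytes are scanned twice. We (1) confirm the archive member is byte-identical
# to the unpacked copy and (2) look at what the flagged .gz really decompresses to.
set -eu

# sha256 of stdin, portable across GNU coreutils and macOS.
sha256_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
  else shasum -a 256 | cut -d' ' -f1; fi
}

# compare_member <crate file> <member path inside the tar> <unpacked src root>
# Prints "same" if the archived member matches the unpacked file, else "DIFFERENT".
compare_member() {
  in_archive=$(tar -xzOf "$1" "$2" | sha256_stdin)
  on_disk=$(sha256_stdin < "$3/$2")
  [ "$in_archive" = "$on_disk" ] && echo same || echo DIFFERENT
}

# Decompress every member of a (possibly multi-member) gzip stream to stdout.
inflate_gz() {
  gzip -dc < "$1"
}

# Constructed stand-in for flate2-1.0.28.crate and its unpacked source directory.
# The real tests/multi.gz is a multi-member gzip; we build ours the same way.
make_sample() {
  work=$(mktemp -d)
  mkdir -p "$work/cache" "$work/src/flate2-1.0.28/tests"
  { printf 'first\n' | gzip -n; printf 'second\n' | gzip -n; } \
    > "$work/src/flate2-1.0.28/tests/multi.gz"
  printf 'first\nsecond\n' > "$work/src/flate2-1.0.28/tests/multi.txt"
  ( cd "$work/src" && tar -czf "$work/cache/flate2-1.0.28.crate" flate2-1.0.28 )
  echo "$work"
}

# Demo on the sample; for a real triage point the three arguments at
# ~/.cargo/registry/cache/<index>/<crate>.crate and ~/.cargo/registry/src/<index>/.
W=$(make_sample)
echo "archive member vs unpacked copy: $(compare_member "$W/cache/flate2-1.0.28.crate" flate2-1.0.28/tests/multi.gz "$W/src")"
echo "tests/multi.gz decompresses to:"
inflate_gz "$W/src/flate2-1.0.28/tests/multi.gz"
rm -r "$W"
```

If compare_member prints DIFFERENT for a real crate, the unpacked copy no longer matches what crates.io served, which is worth investigating before deciding anything about the scanner verdict.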
That was my feeling as well, but I don't rely on my feelings; I tend to panic! in those cases due to my distrustful psyche. I could be the creator of the panic macro...
It is xz paranoia. I just scanned my downloaded source dir for jpg files and found some strange ones (but not very suspicious; I think they were just overlooked by the publisher).
"Steganography is the practice of concealing a message, image, or file within another message, image, or file. It involves hiding information in plain sight, often within digital media such as images, audio files, or even text, without the observer realizing that there is hidden data present. Steganography techniques aim to ensure that the existence of the concealed information remains undetected by anyone not explicitly aware of its presence." - chatgpt 3.5