Bug 678728 - malware infection reported in app-text/teckit which is a dependency of texlive-core
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
Reported: 2019-02-25 04:47 UTC by John (EBo) David
Modified: 2019-03-04 07:52 UTC
Attachments
emerge --info (emerge.info,8.46 KB, text/plain)
2019-02-25 04:47 UTC, John (EBo) David

Description John (EBo) David 2019-02-25 04:47:21 UTC
Created attachment 566396
emerge --info

During a routine upgrade I also ran a system-wide clamscan and it reported that:

    ./distfiles/teckit-2.5.6.tar.gz: Doc.Malware.Sagent-6865733-0 FOUND

I dug around a bit and discovered that it is a dependency of texlive-core when xetex is installed: 

    app-text/texlive-core-2017-r4 (xetex ? >=app-text/teckit-2.5.3)

I have not tried to install previous versions of teckit and texlive-core to see if they are likewise infected -- as there is only a single version of each in the main portage tree.  I have therefore removed texlive-xetex and teckit, disabled the xetex use flag, and rebuilt all dependencies to verify that teckit is not included back on the system.

I have not reproduced this or verified that it is not a false positive.  That said I thought it prudent to report ASAP.  

Sorry to drop this on you BUT...

  EBo --
Comment 1 Tomáš Mózes 2019-02-25 08:46:49 UTC
Seems like the files in teckit-2.5.6.tar.gz were last modified 2016-05-30 22:37 and only clamav reports this.

https://www.virustotal.com/#/file/a27bcee822111efe56ee0c9047d6ed5d8cb1b5005c372517c42c4a7552884105/detection

I think it's a false positive.
Comment 2 Tomáš Mózes 2019-03-04 06:54:39 UTC
Now it's clean in all AV: https://www.virustotal.com/#/url/11c3a39e4e29b2126636da303da3cc37aca0109598e0162b78aeba88bfb6e9f9/detection

Fixed on clamav side.
Comment 3 Tomáš Mózes 2019-03-04 06:56:19 UTC
# clamscan /usr/portage/distfiles/teckit-2.5.6.tar.gz
/usr/portage/distfiles/teckit-2.5.6.tar.gz: OK

----------- SCAN SUMMARY -----------
Known viruses: 6826807
Engine version: 0.101.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 32.18 MB
Data read: 2.38 MB (ratio 13.51:1)
Time: 31.633 sec (0 m 31 s)

# freshclam 
ClamAV update process started at Mon Mar  4 07:55:54 2019
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cvd is up to date (version: 25377, sigs: 2267948, f-level: 63, builder: raynman)
bytecode.cvd is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)
Comment 4 John (EBo) David 2019-03-04 07:52:19 UTC
Confirmed.  Thank you, and sorry for any inconvenience.

===========================================

/usr/portage/distfiles/teckit-2.5.6.tar.gz: OK

----------- SCAN SUMMARY -----------
Known viruses: 6826807
Engine version: 0.101.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 32.18 MB
Data read: 2.38 MB (ratio 13.51:1)
Time: 31.156 sec (0 m 31 s)
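
The triage in this thread (a detection that disappears after a signature update) can be checked mechanically. The following is an added example, not part of the bug report or of any Gentoo or ClamAV tooling: it parses two clamscan reports and marks a detection as cleared by a signature change only when the file's digest is the same in both scans. The scan lines are copied from the comments above; the digest values and the function names are constructed for illustration.

```python
import os
import re

# clamscan prints one "<path>: <signature> FOUND" or "<path>: OK" line per file;
# SCAN SUMMARY and freshclam lines do not match this pattern.
RESULT_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>\S+) FOUND|OK)$")

def parse_clamscan(report):
    """Return {basename: signature name, or None when the file was OK}."""
    verdicts = {}
    for line in report.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            # The two scans in the thread used different working directories,
            # so results are keyed by file name rather than full path.
            verdicts[os.path.basename(m.group("path"))] = m.group("sig")
    return verdicts

def triage(before, after, digests_before, digests_after):
    """Classify every file that was flagged in the first scan."""
    out = {}
    for name, sig in before.items():
        if sig is None or name not in after:
            continue
        same_file = (name in digests_before
                     and digests_before[name] == digests_after.get(name))
        if after[name] is not None:
            out[name] = "still-detected"
        elif same_file:
            out[name] = "cleared-by-signature-update"
        else:
            # Verdict changed but so did the bytes: not evidence of a false positive.
            out[name] = "cleared-but-file-changed"
    return out

# Scan output as posted in the thread.
BEFORE = "./distfiles/teckit-2.5.6.tar.gz: Doc.Malware.Sagent-6865733-0 FOUND\n"
AFTER = """/usr/portage/distfiles/teckit-2.5.6.tar.gz: OK

----------- SCAN SUMMARY -----------
Known viruses: 6826807
Infected files: 0
"""
# Constructed placeholder digests; in practice record sha256 of the distfile at each scan.
DIGESTS_1 = {"teckit-2.5.6.tar.gz": "constructed-digest-aaaa"}
DIGESTS_2 = {"teckit-2.5.6.tar.gz": "constructed-digest-aaaa"}

if __name__ == "__main__":
    print(triage(parse_clamscan(BEFORE), parse_clamscan(AFTER), DIGESTS_1, DIGESTS_2))
```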