ClamAV reporting calibre as being infected with CVE 2017 0141

Bug #1673284 reported by dr who on 2017-03-15
Affects: calibre | Importance: Undecided | Assigned to: Unassigned

Bug Description

Downloaded calibre from the calibre download page (https://calibre-ebook.com/download_osx). Once calibre is copied to Applications (macOS), ClamAV scans it and reports an infection:

Scanning selected files…

/Applications/calibre.app/Contents/Resources/resources/rapydscript/compiler.js.xz: Html.Exploit.CVE_2017_0141-6003839-0 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6847967
Engine version: 0.99.2
Scanned directories: 453
Scanned files: 3662
Infected files: 1
Data scanned: 281.73 MB
Data read: 183.86 MB (ratio 1.53:1)
Time: 54.957 sec (0 m 54 s)

False positive or genuine issue?
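A small parser for clamscan output of the kind quoted above, added here as an example and not part of the bug report or of calibre or ClamAV. It turns each "FOUND" line into a structured record, splits the ClamAV signature name into its Platform.Category.Name-SigID-Revision parts, normalizes any embedded CVE reference (CVE_2017_0141 becomes CVE-2017-0141) so it can be looked up, and cross-checks the detections against the scanner's own "Infected files" count. The scan text is the report's output embedded as a constructed string; the `review_queue` fields are an assumed worklist layout, not a ClamAV feature.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the clamscan output quoted in the bug report,
# embedded here as a string so the parser runs offline.
SAMPLE_SCAN = """Scanning selected files...

/Applications/calibre.app/Contents/Resources/resources/rapydscript/compiler.js.xz: Html.Exploit.CVE_2017_0141-6003839-0 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6847967
Engine version: 0.99.2
Scanned directories: 453
Scanned files: 3662
Infected files: 1
Data scanned: 281.73 MB
Data read: 183.86 MB (ratio 1.53:1)
Time: 54.957 sec (0 m 54 s)
"""

# clamscan prints "<path>: <signature> FOUND" for every detection.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# ClamAV signature names follow Platform.Category.Name-SigID-Revision.
SIG_RE = re.compile(
    r"^(?P<platform>[^.]+)\.(?P<category>[^.]+)\.(?P<name>.+)-(?P<sigid>\d+)-(?P<rev>\d+)$"
)
# Names such as CVE_2017_0141 carry a CVE identifier with underscores.
CVE_RE = re.compile(r"CVE_(\d{4})_(\d{4,})")
# Summary block lines look like "Known viruses: 6847967".
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


@dataclass
class Detection:
    path: str
    signature: str
    platform: Optional[str] = None
    category: Optional[str] = None
    name: Optional[str] = None
    sigid: Optional[int] = None
    revision: Optional[int] = None
    cve: Optional[str] = None


def parse_signature(path: str, sig: str) -> Detection:
    """Split a ClamAV signature name into its parts; unknown layouts keep only the raw name."""
    det = Detection(path=path, signature=sig)
    m = SIG_RE.match(sig)
    if m:
        det.platform = m.group("platform")
        det.category = m.group("category")
        det.name = m.group("name")
        det.sigid = int(m.group("sigid"))
        det.revision = int(m.group("rev"))
    cm = CVE_RE.search(sig)
    if cm:
        # Normalize to the form used by the CVE database for lookup.
        det.cve = f"CVE-{cm.group(1)}-{cm.group(2)}"
    return det


def parse_clamscan(text: str) -> Tuple[List[Detection], Dict[str, str]]:
    """Return (detections, summary) parsed from clamscan's text output."""
    detections: List[Detection] = []
    summary: Dict[str, str] = {}
    in_summary = False
    for line in text.splitlines():
        if line.startswith("-----"):
            in_summary = True  # everything after the rule is the summary block
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m.group("key")] = m.group("value")
        else:
            m = FOUND_RE.match(line)
            if m:
                detections.append(parse_signature(m.group("path"), m.group("sig")))
    return detections, summary


def summary_consistent(detections: List[Detection], summary: Dict[str, str]) -> bool:
    """Cross-check parsed detections against the scanner's own infected-file count."""
    return int(summary.get("Infected files", "-1")) == len(detections)


def review_queue(detections: List[Detection]) -> List[Dict[str, str]]:
    """Assumed analyst worklist: each hit with its CVE reference (if any) and whether the
    hit was inside a compressed file, which is worth recording before calling it a false positive."""
    queue = []
    for d in detections:
        queue.append({
            "path": d.path,
            "signature": d.signature,
            "cve": d.cve or "none",
            "compressed": "yes" if d.path.endswith((".xz", ".gz", ".zip", ".bz2")) else "no",
        })
    return queue


if __name__ == "__main__":
    dets, summ = parse_clamscan(SAMPLE_SCAN)
    for item in review_queue(dets):
        print(item)
    print("engine", summ.get("Engine version"), "consistent", summary_consistent(dets, summ))
```

On the report's output this yields one detection whose normalized reference is CVE-2017-0141, which is exactly the identifier the thread goes on to look up; a mismatch between `Infected files` and the number of parsed lines would indicate a truncated or mangled scan log rather than a scanner result.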

CVE References

Looks like a reserved ID, though, nothing to see here...
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0141

Anyway, that file is the bundled rapydscript-to-javascript transpiler used to build the experimental new server. In the unlikely event that there is an *actual* vulnerability there (and note that calibre is open-source and certainly does not deliberately ship vulnerabilities) it will never be accessed regardless -- unless you use calibre's python interpreter to rebuild the presumably-modified *.pyj files from the source code checkout described in the manual under "Setting up a calibre development environment".

Kovid Goyal (kovid) wrote:

Since the CVE has no information in it, it is impossible for anyone to say if it is genuine or not. Though typically, when a CVE is reserved, it means the entity that reserved it is practicing responsible disclosure -- which means contacting the project maintainers for the project that has the vulnerability. Since I am the project maintainer for rapydscript and I have not been contacted about any security issues in it, I find it unlikely. Most probably, clamav is using some heuristic to detect whatever the issue is in that CVE and that heuristic is falsely matching the code in the rapydscript compiler, which is in any case not used during normal calibre operations as Eli points out (all rapydscript files are pre-compiled in calibre binaries).

If and when that CVE is actually disclosed feel free to update this ticket and I will take another look. But I would be very surprised if it were an actual bug in rapydscript.

Changed in calibre:
status: New → Invalid
