
pouchdb.js being flagged as potential malware #8521

Closed
tsaarni opened this issue Jun 16, 2022 · 5 comments


tsaarni commented Jun 16, 2022

Issue

ClamAV currently flags the pouchdb.js file as potential malware by alerting about the following finding: PUA.Html.Exploit.CVE_2012_0469-1 (PUA = Potentially Unwanted Applications).

It seems that the SHA256 of that file has been reported to the ClamAV fingerprint database. While trying to work out which versions are affected, it seems that a large number of files have been reported: at least PouchDB versions from 6.1.1 to the latest release 7.3.0 are all flagged. We also see some combined and minified files being reported in which pouchdb.js is included (releases of the WildFly management console (hal-console)).

This seems an obvious false positive, since CVE-2012-0469 from 2012 is about a bug in Mozilla Firefox, Thunderbird and SeaMonkey. These versions are ancient and have not been in use for many, many years. So even in the unlikely scenario that modern software would contain an exploit, it would not be effective anymore. That vulnerability is explained in detail here (archive.org). The topic does deal with the IDB API, which PouchDB does indeed seem to use.

I would kindly like to ask for your analysis of the issue.

There seems to be a website to report false positives: https://www.clamav.net/reports/fp. I have not tried to report the problem there yet.

Thank you for your help!

Reproduce

$ clamscan --detect-pua=yes pouchdb.js
Loading:    18s, ETA:   0s [========================>]    8.63M/8.63M sigs       
Compiling:   4s, ETA:   0s [========================>]       41/41 tasks 

/input/pouchdb.js: PUA.Html.Exploit.CVE_2012_0469-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8633702
Engine version: 0.104.0
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.64 MB
Data read: 0.33 MB (ratio 1.93:1)
Time: 23.622 sec (0 m 23 s)
Start Date: 2022:06:16 11:30:40
End Date:   2022:06:16 11:31:03

tsaarni commented Jun 16, 2022

I continued iterating with the release versions. It is not individual file hashes that trigger the alert, but this function:

pouchdb/dist/pouchdb.js

Lines 7998 to 8022 in 2e2aa6c

// Excerpt from pouchdb.js; keysBatch, valuesBatch, keyRange, objectStore, batchSize,
// onBatch, onGetAll and onGetAllKeys belong to the enclosing function (not shown here).
function continuePseudoCursor() {
  if (!keysBatch.length) { // no more results
    return onBatch();
  }
  // fetch next batch, exclusive start
  var lastKey = keysBatch[keysBatch.length - 1];
  var newKeyRange;
  if (keyRange && keyRange.upper) {
    try {
      newKeyRange = IDBKeyRange.bound(lastKey, keyRange.upper,
        true, keyRange.upperOpen);
    } catch (e) {
      if (e.name === "DataError" && e.code === 0) {
        return onBatch(); // we're done, startkey and endkey are equal
      }
    }
  } else {
    newKeyRange = IDBKeyRange.lowerBound(lastKey, true);
  }
  keyRange = newKeyRange;
  keysBatch = null;
  valuesBatch = null;
  objectStore.getAll(keyRange, batchSize).onsuccess = onGetAll;
  objectStore.getAllKeys(keyRange, batchSize).onsuccess = onGetAllKeys;
}

If I remove that function from v7.3.0 it is not flagged as exploit anymore.
If I add that function to v6.1.0 it will become flagged.


tsaarni commented Jun 16, 2022

I have submitted a report to ClamAV at https://www.clamav.net/reports/fp, linking back to this GitHub issue.

@github-actions

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.

@github-actions github-actions bot added the stale label Aug 16, 2022

tsaarni commented Aug 16, 2022

This still seems to be an issue today:

$ docker run --rm -it clamav/clamav /bin/ash
/ # wget https://github.com/pouchdb/pouchdb/releases/download/7.3.0/pouchdb-7.3.0.js
Connecting to github.com (140.82.121.3:443)
Connecting to objects.githubusercontent.com (185.199.111.133:443)
saving to 'pouchdb-7.3.0.js'
pouchdb-7.3.0.js     100% |****************************************************************************************************************|  366k  0:00:00 ETA
'pouchdb-7.3.0.js' saved
/ # clamscan --detect-pua=yes pouchdb-7.3.0.js
Loading:    17s, ETA:   0s [========================>]    8.64M/8.64M sigs       
Compiling:   4s, ETA:   0s [========================>]       41/41 tasks 

/pouchdb-7.3.0.js: PUA.Html.Exploit.CVE_2012_0469-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8643702
Engine version: 0.105.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.69 MB
Data read: 0.36 MB (ratio 1.93:1)
Time: 23.281 sec (0 m 23 s)
Start Date: 2022:08:16 05:29:27
End Date:   2022:08:16 05:29:50

I submitted a false positive report again to https://www.clamav.net/reports/fp.


bstansberry commented Aug 22, 2022

FYI, the web console used by the WildFly application server uses pouchdb, and @tsaarni was kind enough to point out this issue to us at https://issues.redhat.com/browse/WFLY-16823. I asked some folks in the security team at Red Hat to have a look and they agree this is a false positive. They provided further information on what causes the false positive:

The ClamAV signature that triggers the detection is PUA.Html.Exploit.CVE_2012_0469-1, specifically subsig 7.

  • SUBSIG ID 7
    +-> OFFSET: ANY
    +-> SIGMOD: NONE
    +-> DECODED SUBSIGNATURE: idbkeyrange.bound({WILDCARD_ANY_STRING(LENGTH<=25)}.upper

It triggers in pouchdb-7.3.0.js on line 8007: newKeyRange = IDBKeyRange.bound(lastKey, keyRange.upper,

This matches the regex used in the signature.

I'm not sure what else we can do beyond what the reporter has already done by submitting a false positive report, and possibly suggesting that they require a closing parenthesis in the detection regex.

That line they mention is in the method that tsaarni identified.
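An added example (not part of this thread, nor ClamAV's or PouchDB's code) that models the quoted subsignature as a regular expression, shows why the PouchDB line at 8007 hits it, and shows that a variant requiring a closing parenthesis before ".upper" (the suggestion above) would not flag that line while still flagging a property access on the result of bound(...). Modelling the WILDCARD_ANY_STRING(LENGTH<=25) wildcard as ".{0,25}" and matching case-insensitively are assumptions, as are the sample lines.

```python
import re

# Constructed approximation of the decoded ClamAV subsignature quoted in the thread:
#   idbkeyrange.bound({WILDCARD_ANY_STRING(LENGTH<=25)}.upper
# Assumptions: the wildcard becomes `.{0,25}`, and matching is case-insensitive
# (the decoded pattern is lowercase while the flagged source is mixed-case).
CURRENT_PATTERN = re.compile(r"idbkeyrange\.bound(.{0,25})\.upper",
                             re.IGNORECASE | re.DOTALL)

# Tightened variant suggested in the thread: require a closing parenthesis before
# ".upper", so ".upper" must be read from the *result* of bound(...), not from an
# argument inside the call as in the PouchDB code.
TIGHTENED_PATTERN = re.compile(r"idbkeyrange\.bound\((.{0,25})\)\.upper",
                               re.IGNORECASE | re.DOTALL)

# Constructed sample inputs.
POUCHDB_LINE = "newKeyRange = IDBKeyRange.bound(lastKey, keyRange.upper,"  # as quoted above
BENIGN_OTHER = "var r = IDBKeyRange.lowerBound(lastKey, true);"
# Hypothetical shape the signature appears intended for.
RANGE_RESULT_ACCESS = "var u = IDBKeyRange.bound(a, b).upper;"


def matches(pattern, text):
    """Return the text captured by the wildcard if `pattern` hits, else None."""
    m = pattern.search(text)
    return m.group(1) if m else None


def scan(lines, pattern):
    """Return [(1-based line number, captured wildcard text)] for flagged lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        captured = matches(pattern, line)
        if captured is not None:
            hits.append((number, captured))
    return hits


if __name__ == "__main__":
    sample = [BENIGN_OTHER, POUCHDB_LINE, RANGE_RESULT_ACCESS]
    print("current  :", scan(sample, CURRENT_PATTERN))    # flags lines 2 and 3
    print("tightened:", scan(sample, TIGHTENED_PATTERN))  # flags only line 3
```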
