Community Packages


FS#67474 - [wine] [security] detected as malware by several VirusTotal scanners

Attached to Project: Community Packages
Opened by: Ruben (rub3n) - Monday, 03 August 2020, 16:26 GMT
Last edited by: freswa (frederik) - Monday, 03 August 2020, 16:44 GMT
Task Type: Bug Report
Category: Security
Status: Assigned
Assigned To: Felix Yan (felixonmars), Levente Polyak (anthraxx)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

Description:
When installing wine-5.14-2 the files
/usr/lib32/wine/msidb.exe
/usr/lib32/wine/netstat.exe
/usr/lib32/wine/whoami.exe

were detected as Threats by Sophos. Several scanners from VirusTotal also claim that those files are malware:

msidb.exe: https://www.virustotal.com/gui/file/baa755b0f25e84842e1b0840bd2ceee18109f776d8ae3c3a5aeb5571a76c8e9b/detection
netstat.exe: https://www.virustotal.com/gui/file-analysis/N2YyOWIzZDc2MWY4MDUzMTMzOGIzNzhmMThjZWMyZTQ6MTU5NjQ3MTEyOA==/summary
whoami.exe: https://www.virustotal.com/gui/file/b7ca25680040a51c22101d1d0b72b064717099d61b3af889b7520552ad43e366/detection

Additional info:
* Version: wine-5.14-2

* SHA256-sums:
msidb.exe: baa755b0f25e84842e1b0840bd2ceee18109f776d8ae3c3a5aeb5571a76c8e9b
netstat.exe: b1be394bcc993a53d8623d2bc57ea6eb136e7849759e91846270dd8998e4d4e6
whoami.exe: b7ca25680040a51c22101d1d0b72b064717099d61b3af889b7520552ad43e366
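The first thing to establish on a report like this is whether the file on disk is byte-identical to the one the scanners were shown: if the local SHA-256 matches the reported sum, the verdict concerns the binary Arch distributes and not a copy that was modified locally, which is a different incident. The script below is an added example written for this page; it is not part of the report, of Arch's tooling or of Wine. It takes the three paths and SHA-256 sums quoted above, builds hash-only VirusTotal lookup URLs in the same shape as the report's links (so nothing gets uploaded), and checks that each file really is a PE image, since the detections started with PE-format Wine builds. The files written by demo() are constructed test data so the script runs offline on any machine.

```python
"""Check installed Wine PE files against the SHA-256 sums quoted in the
report and build hash-only VirusTotal lookup URLs.

Added example for this report; it is not Arch or Wine tooling. The paths
and hashes come from the report itself; the files written by demo() are
constructed so the script can run offline on any machine.
"""
import hashlib
import os
import struct
import tempfile

# Files and SHA-256 sums exactly as quoted in the report for wine-5.14-2.
REPORTED = {
    "/usr/lib32/wine/msidb.exe":
        "baa755b0f25e84842e1b0840bd2ceee18109f776d8ae3c3a5aeb5571a76c8e9b",
    "/usr/lib32/wine/netstat.exe":
        "b1be394bcc993a53d8623d2bc57ea6eb136e7849759e91846270dd8998e4d4e6",
    "/usr/lib32/wine/whoami.exe":
        "b7ca25680040a51c22101d1d0b72b064717099d61b3af889b7520552ad43e366",
}


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_pe(path):
    """True if the file has an MZ DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"


def vt_url(sha256_hex):
    """Same URL shape as the report's links: a lookup by hash, nothing is uploaded."""
    return f"https://www.virustotal.com/gui/file/{sha256_hex}/detection"


def check(path, expected_sha256):
    """Compare the on-disk file with the hash quoted in the report.

    'match'    the local file is byte-identical to what was reported, so any
               AV verdict applies to the distributed binary, not a local change
    'mismatch' the local file differs; treat it as a separate sample
    'missing'  the path is not present
    """
    expected = expected_sha256.lower()
    if not os.path.isfile(path):
        return {"status": "missing", "sha256": None, "pe": None, "vt": vt_url(expected)}
    actual = sha256_file(path)
    status = "match" if actual == expected else "mismatch"
    return {"status": status, "sha256": actual, "pe": is_pe(path), "vt": vt_url(actual)}


def demo():
    """Constructed offline demo: a minimal PE-shaped file, a text file, a missing path."""
    tmp = tempfile.mkdtemp()
    # 0x3C bytes of DOS header with e_lfanew = 0x40, then the PE signature.
    pe_bytes = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 12
    pe_path = os.path.join(tmp, "whoami.exe")
    with open(pe_path, "wb") as f:
        f.write(pe_bytes)
    txt_bytes = b"not a PE file\n"
    txt_path = os.path.join(tmp, "notes.txt")
    with open(txt_path, "wb") as f:
        f.write(txt_bytes)
    return {
        "pe_ok": check(pe_path, hashlib.sha256(pe_bytes).hexdigest()),
        "pe_tampered": check(pe_path, "0" * 64),
        "text": check(txt_path, hashlib.sha256(txt_bytes).hexdigest()),
        "missing": check(os.path.join(tmp, "absent.exe"), "0" * 64),
    }


if __name__ == "__main__":
    for path, expected in REPORTED.items():
        r = check(path, expected)
        print(f"{r['status']:8} pe={r['pe']} {path}\n         {r['vt']}")
    for name, r in demo().items():
        print(f"demo {name}: {r['status']} pe={r['pe']}")
```

On an Arch system `pacman -Qkk wine` makes the equivalent comparison against the checksums recorded in the package's own mtree, which is the quickest way to rule out local modification before discussing the scanner verdicts; looking a sample up by hash on VirusTotal rather than uploading it avoids creating a fresh analysis of a file that is already there.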

Comment by Jelle van der Waa (jelly) - Monday, 03 August 2020, 18:06 GMT
Does wine upstream know about this issue? It's not something we can really do anything about if these tools flag it by accident. Is there a way to report it as a false positive?
Comment by Maciej Stanczew (stanczew) - Monday, 03 August 2020, 20:03 GMT
This started appearing probably as a result of enabling Wine builds in PE format ( FS#67317 ).
Official WineHQ binary releases are also built as PE, so we can check those files directly from upstream, e.g. for Ubuntu:
https://dl.winehq.org/wine-builds/ubuntu/dists/focal/main/binary-i386/
https://www.virustotal.com/gui/file/95beb905262b620bbe57c13440c7a47886dbe5f6d1677477dfbb45aed7b26225/detection
https://www.virustotal.com/gui/file/31b88d5f85b15b28daf7c731e33a32ac377c957f033c15bcd2030d35f37c58ac/detection
https://www.virustotal.com/gui/file/916393058c3da9a8d86b5e8b42cd3bd180e9bffa3a87f0b3f20a542b0655628f/detection

Or for Fedora:
https://dl.winehq.org/wine-builds/fedora/32/i686/
https://www.virustotal.com/gui/file/150d3c6aea0fb0d14828d9dd3dce1405b928e8a3cbd61abfb3d0fcc1a613eb45/detection
https://www.virustotal.com/gui/file/dac8c84c8b03086976d3c67e5eadee940a68770c1883c3c306d2c998631f286e/detection
https://www.virustotal.com/gui/file/7b46a274c56b30d4da025e11db66c3a4c72504f0da3d05db314eb2da24d7243f/detection

There are fewer hits in total, but they are still present, and there are differences between distributions. (Maybe compilation flags have a say here?)

Anyhow, those look like generic, heuristic hits, which should be false positive. There are some bugs and threads with similar issues:
https://bugs.winehq.org/show_bug.cgi?id=34092
https://bugs.winehq.org/show_bug.cgi?id=44057
https://bugs.winehq.org/show_bug.cgi?id=45852
https://bugs.winehq.org/show_bug.cgi?id=48418
https://bugs.winehq.org/show_bug.cgi?id=48681
https://forum.winehq.org/viewtopic.php?t=33190
https://forum.winehq.org/viewtopic.php?t=33444
https://forum.winehq.org/viewtopic.php?t=33597
https://forum.winehq.org/viewtopic.php?t=33993
Comment by Marcin Andrzejewski (mpan) - Tuesday, 04 August 2020, 17:20 GMT
I did a rebuild from the source signed by DA23579A74D4AD9AF9D3F945CEFAC8EAAF17519D and, while the package is not reproducible and the file differs, my "msidb.exe" receives 12/60. That supports the claim that it's a false positive.
