Mailing List Archive

ClamAV 0.99 RC 2
Hi all,

I saw the blog post about v0.99 rc 2 and have downloaded it for testing.

It looks like bug 11411 [ https://bugzilla.clamav.net/show_bug.cgi?id=11411 ] is still open, so I decided to download and build PCRE as well.

I initially tried the PCRE2 branch but it wasn't recognised by ClamAV's configure script, so I went with the most up-to-date version of PCRE (which is currently 8.37) but now configure outputs the following:

configure: WARNING: The installed pcre version may contain a security bug. Please upgrade to 8.38 or later: http://www.pcre.org

There is no 8.38 that I can see:
https://sourceforge.net/projects/pcre/files/pcre/

Are you just assuming that 8.38 will be coming soon to fix the bug, or is there a download somewhere that I'm not seeing?

Thanks
Mark

_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml
Re: ClamAV 0.99 RC 2 [ In reply to ]
Hi Mark,

Unfortunately, as of right now the only way to get pcre 8.38 is via their
rc1 candidate (check the pcre-dev mailing list for a tarball).

In practice, the pcre exploit ClamAV warns about (
http://www.securitytracker.com/id/1032453) relies upon an explicitly
malicious regex, so you don't have to worry too much unless you're using
untrusted sigs. Everything should still compile and run just fine, even
with 8.37.

- Mickey

On Fri, Nov 20, 2015 at 8:08 AM, Mark Allan <markjallan@gmail.com> wrote:

> Hi all,
>
> I saw the blog post about v0.99 rc 2 and have downloaded it for testing.
>
> It looks like bug 11411 [
> https://bugzilla.clamav.net/show_bug.cgi?id=11411 ] is still open, so I
> decided to download and build PCRE as well.
>
> I initially tried the PCRE2 branch but it wasn't recognised by ClamAV's
> configure script, so I went with the most up-to-date version of PCRE (which
> is currently 8.37) but now configure outputs the following:
>
> configure: WARNING: The installed pcre version may contain a security bug.
> Please upgrade to 8.38 or later: http://www.pcre.org
>
> There is no 8.38 that I can see:
> https://sourceforge.net/projects/pcre/files/pcre/
>
> Are you just assuming that 8.38 will be coming soon to fix the bug, or is
> there a download somewhere that I'm not seeing?
>
> Thanks
> Mark
>
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
>
> http://www.clamav.net/contact.html#ml
>
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml
Re: ClamAV 0.99 RC 2 [ In reply to ]
Hi Mickey,

Yes, I found details of the exploit after sending my email and assumed it was a very low risk for ClamAV users (presumably limited to the downloading of 3rd party sigs). Thanks for confirming my suspicions.

I've also now found the RC1 on their FTP site but will stick with the stable release.

Cheers
Mark

> On 20 Nov 2015, at 6:01 pm, Mickey Sola <msola@sourcefire.com> wrote:
>
> Hi Mark,
>
> Unfortunately, as of right now the only way to get pcre 8.38 is via their
> rc1 candidate (check the pcre-dev mailing list for a tarball).
>
> In practice, the pcre exploit ClamAV warns about (
> http://www.securitytracker.com/id/1032453) relies upon an explicitly
> malicious regex, so you don't have to worry too much unless you're using
> untrusted sigs. Everything should still compile and run just fine, even
> with 8.37.
>
> - Mickey
>
> On Fri, Nov 20, 2015 at 8:08 AM, Mark Allan <markjallan@gmail.com> wrote:
>
>> Hi all,
>>
>> I saw the blog post about v0.99 rc 2 and have downloaded it for testing.
>>
>> It looks like bug 11411 [
>> https://bugzilla.clamav.net/show_bug.cgi?id=11411 ] is still open, so I
>> decided to download and build PCRE as well.
>>
>> I initially tried the PCRE2 branch but it wasn't recognised by ClamAV's
>> configure script, so I went with the most up-to-date version of PCRE (which
>> is currently 8.37) but now configure outputs the following:
>>
>> configure: WARNING: The installed pcre version may contain a security bug.
>> Please upgrade to 8.38 or later: http://www.pcre.org
>>
>> There is no 8.38 that I can see:
>> https://sourceforge.net/projects/pcre/files/pcre/
>>
>> Are you just assuming that 8.38 will be coming soon to fix the bug, or is
>> there a download somewhere that I'm not seeing?
>>
>> Thanks
>> Mark
>>
>> _______________________________________________
>> http://lurker.clamav.net/list/clamav-devel.html
>> Please submit your patches to our Bugzilla: http://bugs.clamav.net
>>
>> http://www.clamav.net/contact.html#ml
>>
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
>
> http://www.clamav.net/contact.html#ml

_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml