Mailing List Archive

[clamav-users] Pdf.Exploit.CVE_2019_7057-6900620-0 signature causes error on clamav start
Hello,

This signature *Pdf.Exploit.CVE_2019_7057-6900620-0* causes an error on
clamd start both on versions 0.93 and 0.101.1.

The error is:

LibClamAV Error: cli_pcre_compile: PCRE compilation failed at offset 20:
unrecognized character after (?<
LibClamAV Error: cli_pcre_build: failed to build pcre regex
Thu Mar 21 13:11:33 2019 -> !Database initialization error: Malformed
database

The content of the signature is odd.

Pdf.Exploit.CVE_2019_7057-6900620-0;Engine:81-255,Target:10;1;7361766546696C7465726564584D4C;0/resolveNode[^>]*?(?<load>loadXML\([^>]*?save(XML|FilteredXML))[^>]*?(?P=load)[^>]*?(?P=load)/i


--
Alptugay Değirmencioğlu
Güvenlik Araştırmaları ve Operasyon Takım Lideri
Security Research & Operations Team Lead

Labris Teknoloji A.Ş.
Galyum Blok, K1-1 ODTÜ TEKNOKENT
Ankara, Türkiye
alptugay@labrisnetworks.com
T : +90 312 210 1490 (pbx)
Re: [clamav-users] Pdf.Exploit.CVE_2019_7057-6900620-0 signature causes error on clamav start
On 21 March 2019 11:19, Alptugay Değirmencioğlu wrote:
> Hello,
>
> This signature *Pdf.Exploit.CVE_2019_7057-6900620-0* causes an error on
> clamd start both on versions 0.93 and 0.101.1.
>
> The error is:
>
> LibClamAV Error: cli_pcre_compile: PCRE compilation failed at offset 20:
> unrecognized character after (?<
> LibClamAV Error: cli_pcre_build: failed to build pcre regex
> Thu Mar 21 13:11:33 2019 -> !Database initialization error: Malformed
> database
>
> The content of the signature is odd.
>
> Pdf.Exploit.CVE_2019_7057-6900620-0;Engine:81-255,Target:10;1;7361766546696C7465726564584D4C;0/resolveNode[^>]*?(?<load>loadXML\([^>]*?save(XML|FilteredXML))[^>]*?(?P=load)[^>]*?(?P=load)/i


This is probably only a problem on machines with perl older than v.5.10.

I think it is the notation '(?<l' that causes problems for older perl/pcre.


perl 5.8.8:

perl -e 'print "OK\n"
unless(/(?<load>loadXML\([^>]*?save(XML|FilteredXML))/);'
Sequence (?<l...) not recognized in regex; marked by <-- HERE in m/(?<l
<-- HERE oad>loadXML\([^>]*?save(XML|FilteredXML))/ at -e line 1.


perl 5.10.1:

perl -e 'print "OK\n"
unless(/(?<load>loadXML\([^>]*?save(XML|FilteredXML))/);'
OK


Workaround:

echo "Pdf.Exploit.CVE_2019_7057-6900620-0" > /var/lib/clamav/pcre.ign2


--
Bernt 'Burnie' Pettersen /// DoD#2345
<E-mail:burnie@dod.no> /// <URL:http://burnie.sh/>
- Creative brains need creative workhours! -

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Pdf.Exploit.CVE_2019_7057-6900620-0 signature causes error on clamav start
On 3/21/19 12:51 PM, Burnie wrote:
> On 21 March 2019 11:19, Alptugay Değirmencioğlu wrote:
>> Hello,
>>
>> This signature *Pdf.Exploit.CVE_2019_7057-6900620-0* causes an error on
>> clamd start both on versions 0.93 and 0.101.1.
>>
>> The error is:
>>
>> LibClamAV Error: cli_pcre_compile: PCRE compilation failed at offset
>> 20: unrecognized character after (?<
>> LibClamAV Error: cli_pcre_build: failed to build pcre regex
>> Thu Mar 21 13:11:33 2019 -> !Database initialization error: Malformed
>> database
>>
>> The content of the signature is odd.
>>
>> Pdf.Exploit.CVE_2019_7057-6900620-0;Engine:81-255,Target:10;1;7361766546696C7465726564584D4C;0/resolveNode[^>]*?(?<load>loadXML\([^>]*?save(XML|FilteredXML))[^>]*?(?P=load)[^>]*?(?P=load)/i
>
>
>
> This is probably only a problem on machines with perl older than v.5.10.
>
> I think it is the notation '(?<l' that causes problems for older perl/pcre.
>
>
> perl 5.8.8:
>
> perl -e 'print "OK\n"
> unless(/(?<load>loadXML\([^>]*?save(XML|FilteredXML))/);'
> Sequence (?<l...) not recognized in regex; marked by <-- HERE in m/(?<l
> <-- HERE oad>loadXML\([^>]*?save(XML|FilteredXML))/ at -e line 1.
>
>
> perl 5.10.1:
>
> perl -e 'print "OK\n"
> unless(/(?<load>loadXML\([^>]*?save(XML|FilteredXML))/);'
> OK
>
>
> Workaround:
>
> echo "Pdf.Exploit.CVE_2019_7057-6900620-0" > /var/lib/clamav/pcre.ign2
>
>

It's not perl but libpcre: with 6.6.6 (CentOS 5.9) it fails, Debian
(even non-recent) has 8.30+.

Regards

--
Gianluigi Tiesi <sherpya@netfarm.it>
EDP Project Leader
Netfarm S.r.l. - http://www.netfarm.it/
Free Software: http://oss.netfarm.it/

Q: Because it reverses the logical flow of conversation.
A: Why is putting a reply at the top of the message frowned upon?

Re: [clamav-users] Pdf.Exploit.CVE_2019_7057-6900620-0 signature causes error on clamav start
Thanks for the pointer Burnie.

Yes, the ignore workaround works fine.

As I investigated further, I found that the issue does not seem to be
related to the Perl version; however, it seems to be related to the pcre
version of the system. The pcre on my system (CentOS 5) was very old at
version 6.6. After upgrading the pcre library to 8.13 the problem was
solved.

But I think that this signature update will probably cause all ClamAV
installations to fail on CentOS 5 and maybe other distros as well. This
is the first time I have encountered such an error. So, if it is
possible, maybe it would be better to optimise/change the signature to a
more failsafe one.


On 21.03.2019 14:51, Burnie wrote:
> On 21 March 2019 11:19, Alptugay Değirmencioğlu wrote:
>> Hello,
>>
>> This signature *Pdf.Exploit.CVE_2019_7057-6900620-0* causes an error on
>> clamd start both on versions 0.93 and 0.101.1.
>>
>> The error is:
>>
>> LibClamAV Error: cli_pcre_compile: PCRE compilation failed at offset
>> 20: unrecognized character after (?<
>> LibClamAV Error: cli_pcre_build: failed to build pcre regex
>> Thu Mar 21 13:11:33 2019 -> !Database initialization error: Malformed
>> database
>>
>> The content of the signature is odd.
>>
>> Pdf.Exploit.CVE_2019_7057-6900620-0;Engine:81-255,Target:10;1;7361766546696C7465726564584D4C;0/resolveNode[^>]*?(?<load>loadXML\([^>]*?save(XML|FilteredXML))[^>]*?(?P=load)[^>]*?(?P=load)/i
>
>
>
> This is probably only a problem on machines with perl older than v.5.10.
>
> I think it is the notation '(?<l' that causes problems for older
> perl/pcre.
>
>
> perl 5.8.8:
>
> perl -e 'print "OK\n"
> unless(/(?<load>loadXML\([^>]*?save(XML|FilteredXML))/);'
> Sequence (?<l...) not recognized in regex; marked by <-- HERE in
> m/(?<l <-- HERE oad>loadXML\([^>]*?save(XML|FilteredXML))/ at -e line 1.
>
>
> perl 5.10.1:
>
> perl -e 'print "OK\n"
> unless(/(?<load>loadXML\([^>]*?save(XML|FilteredXML))/);'
> OK
>
>
> Workaround:
>
> echo "Pdf.Exploit.CVE_2019_7057-6900620-0" > /var/lib/clamav/pcre.ign2
>
>
--
Alptugay Değirmencioğlu
Güvenlik Araştırmaları ve Operasyon Takım Lideri
Security Research & Operations Team Lead

Labris Teknoloji A.Ş.
Galyum Blok, K1-1 ODTÜ TEKNOKENT
Ankara, Türkiye
alptugay@labrisnetworks.com
T : +90 312 210 1490 (pbx)
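The "more failsafe" signature Alptugay asks for, as an added example that is not part of the original posts or of ClamAV's own code: a small Python checker that parses the quoted .ldb line, finds the Perl 5.10 style `(?<name>...)` group in its PCRE subsignature (libpcre only accepts that spelling from 7.0), and shows the `(?P<name>...)` spelling PCRE has accepted since 4.0. Python's `re` module is used as an offline stand-in for the old CentOS 5 libpcre because it likewise knows only the `(?P<` form; the `;` split is deliberately naive and assumes no escaped separators.

```python
import re

# Constructed sample: the .ldb line quoted in the thread, reassembled here.
SIG = ("Pdf.Exploit.CVE_2019_7057-6900620-0;Engine:81-255,Target:10;1;"
       "7361766546696C7465726564584D4C;"
       "0/resolveNode[^>]*?(?<load>loadXML\\([^>]*?save(XML|FilteredXML))"
       "[^>]*?(?P=load)[^>]*?(?P=load)/i")

# Perl 5.10 style "(?<name>" group (libpcre 7.0+); the lookahead skips the
# lookbehind assertions "(?<=" and "(?<!", which every PCRE understands.
PERL510_NAMED = re.compile(r"\(\?<(?![=!])([A-Za-z_]\w*)>")

def parse_ldb(line):
    # Logical signature: Name;TargetBlock;LogicalExpr;Subsig0;Subsig1;...
    # Naive split on ';' (assumption: no escaped separators in the line).
    fields = line.rstrip("\n").split(";")
    return fields[0], fields[1], fields[2], fields[3:]

def pcre_body(subsig):
    # A PCRE subsig is written Trigger/regex/flags; anything else gives None.
    m = re.fullmatch(r"(.*?)/(.*)/([A-Za-z]*)", subsig)
    return m.group(2) if m else None

def portable_rewrite(body):
    # Spell named groups as (?P<name>...), accepted by PCRE 4.0+ and Perl 5.10+.
    return PERL510_NAMED.sub(r"(?P<\1>", body)

def compiles_like_old_pcre(body):
    # Python's re, like pre-7.0 libpcre, only knows the (?P<name>...) form,
    # so it serves as an offline stand-in for the CentOS 5 library.
    try:
        re.compile(body, re.IGNORECASE)
        return True
    except re.error:
        return False

def check_signature(line):
    # Return (name, [(subsig index, original regex, portable regex), ...])
    # for every PCRE subsig that uses the Perl 5.10-only named-group syntax.
    name, _target, _logic, subsigs = parse_ldb(line)
    findings = []
    for idx, sub in enumerate(subsigs):
        body = pcre_body(sub)
        if body is not None and PERL510_NAMED.search(body):
            findings.append((idx, body, portable_rewrite(body)))
    return name, findings

if __name__ == "__main__":
    name, findings = check_signature(SIG)
    for idx, orig, fixed in findings:
        print(f"{name}: subsig {idx} uses (?<name>); portable form: {fixed}")
```

Signatures the checker flags can either be rewritten as shown or listed by name in pcre.ign2, the workaround Burnie gave.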


Re: [clamav-users] Pdf.Exploit.CVE_2019_7057-6900620-0 signature causes error on clamav start
> But I think that this signature update will probably cause all ClamAV
> installations to fail on CentOS 5 and maybe other distros as well. This
> is the first time I have encountered such an error. So maybe if it is
> possible it would be better to optimise/change the signature to a more
> failsafe one.

CentOS 5 went EOL in March 2017, that's TWO years ago...

Re: [clamav-users] Pdf.Exploit.CVE_2019_7057-6900620-0 signature causes error on clamav start
On 21 March 2019 14:47, Alptugay Değirmencioğlu wrote:
> Thanks for the pointer Burnie.
>
> Yes the ignore workaround works fine.
>
> As I investigated further I have found that issue does not seem to be
> related to perl version however it seems it is related to the pcre
> version of the system. The pcre on my system (CentOS 5) was very old at
> version 6.6. After upgrading the pcre library to 8.13 the problem was
> solved.
>
> But I think that this signature update will probably cause all ClamAV
> installations to fail on CentOS 5 and maybe other distros as well. This
> is the first time I have encountered such an error. So maybe if it is
> possible it would be better to optimise/change the signature to a more
> failsafe one.


potAto, poTato...
I *did* write perl/pcre, didn't I? :-)

Oh well. At least I got you on the right track.

(Seem to remember a similar regexp notation which broke SA on EL5 a few
years ago)


BTW: Thanks for the pointer to the signature. Got lost in finding out
which it was.


--
Bernt 'Burnie' Pettersen /// DoD#2345
<E-mail:burnie@dod.no> /// <URL:http://burnie.sh/>
- Creative brains need creative workhours! -

Re: [clamav-users] Pdf.Exploit.CVE_2019_7057-6900620-0 signature causes error on clamav start
>
> potAto, poTato...
> I *did* write perl/pcre, didn't I? :-)
>
> Oh well. At least I got you on the right track.
>
> (Seem to remember a similar regexp notation which broke SA on EL5 a few
>  years ago)
>
>
> BTW: Thanks for the pointer to the signature. Got lost in finding out
> which it was.
>
>
Hello,

Yes, the last time this happened was 30 days before CentOS 5 went EOL.
:)  I recall posting in that thread.

Cheers all,

Chris
