On 3/21/19 12:51 PM, Burnie wrote:
On 21. mars 2019 11:19, Alptugay Değirmencioğlu wrote:
Hello,
This signature*Pdf.Exploit.CVE_2019_7057-6900620-0 *causes error on
clamd start both on versions 0.93 and 0.101.1.
The error is:
LibClamAV Error: cli_pcre_compile: PCRE compilation failed at offset
20: unrecognized character after (?<
LibClamAV Error: cli_pcre_build: failed to build pcre regex
Thu Mar 21 13:11:33 2019 -> !Database initialization error: Malformed
database
The content of the signature is odd.
Pdf.Exploit.CVE_2019_7057-6900620-0;Engine:81-255,Target:10;1;7361766546696C7465726564584D4C;0/resolveNode[^>]*?(?<load>loadXML\([^>]*?save(XML|FilteredXML))[^>]*?(?P=load)[^>]*?(?P=load)/i
This is probably only a problem on machines with perl older than v.5.10.
I think it is the notation '(?<l' that causes problems for older perl/pcre.
perl 5.8.8:
perl -e 'print "OK\n"
unless(/(?<load>loadXML\([^>]*?save(XML|FilteredXML))/);'
Sequence (?<l...) not recognized in regex; marked by <-- HERE in m/(?<l
<-- HERE oad>loadXML\([^>]*?save(XML|FilteredXML))/ at -e line 1.
perl 5.10.1:
perl -e 'print "OK\n"
unless(/(?<load>loadXML\([^>]*?save(XML|FilteredXML))/);'
OK
Workaround:
echo "Pdf.Exploit.CVE_2019_7057-6900620-0" > /var/lib/clamav/pcre.ign2
It's not perl but libpcre, with 6.6.6 (centos 5.9) it fails, debian
(even non recent) have 8.30+
Regards
--
Gianluigi Tiesi <sher...@netfarm.it>
EDP Project Leader
Netfarm S.r.l. - http://www.netfarm.it/
Free Software: http://oss.netfarm.it/
Q: Because it reverses the logical flow of conversation.
A: Why is putting a reply at the top of the message frowned upon?
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
