Thanks for the pointer, Burnie.

Yes, the ignore workaround works fine.

As I investigated further, I found that the issue does not seem to be related to the perl version; however, it seems to be related to the pcre version of the system. The pcre on my system (CentOS 5) was very old, at version 6.6. After upgrading the pcre library to 8.13, the problem was solved.

But I think that this signature update will probably cause all ClamAV installations to fail on CentOS 5 and maybe other distros as well. This is the first time I have encountered such an error. So maybe, if it is possible, it would be better to optimise/change the signature to a more failsafe one.


On 21.03.2019 14:51, Burnie wrote:
On 21. March 2019 11:19, Alptugay Değirmencioğlu wrote:
Hello,

This signature *Pdf.Exploit.CVE_2019_7057-6900620-0* causes an error on clamd start on both versions 0.93 and 0.101.1.

The error is:

LibClamAV Error: cli_pcre_compile: PCRE compilation failed at offset 20: unrecognized character after (?<
LibClamAV Error: cli_pcre_build: failed to build pcre regex
Thu Mar 21 13:11:33 2019 -> !Database initialization error: Malformed database

The content of the signature is odd.

Pdf.Exploit.CVE_2019_7057-6900620-0;Engine:81-255,Target:10;1;7361766546696C7465726564584D4C;0/resolveNode[^>]*?(?<load>loadXML\([^>]*?save(XML|FilteredXML))[^>]*?(?P=load)[^>]*?(?P=load)/i



This is probably only a problem on machines with perl older than v.5.10.

I think it is the notation '(?<l' that causes problems for older perl/pcre.


perl 5.8.8:

perl -e 'print "OK\n" unless(/(?<load>loadXML\([^>]*?save(XML|FilteredXML))/);'
Sequence (?<l...) not recognized in regex; marked by <-- HERE in m/(?<l <-- HERE oad>loadXML\([^>]*?save(XML|FilteredXML))/ at -e line 1.


perl 5.10.1:

perl -e 'print "OK\n" unless(/(?<load>loadXML\([^>]*?save(XML|FilteredXML))/);'
OK


Workaround:

echo "Pdf.Exploit.CVE_2019_7057-6900620-0" > /var/lib/clamav/pcre.ign2


--
Alptugay Değirmencioğlu
Güvenlik Araştırmaları ve Operasyon Takım Lideri
Security Research & Operations Team Lead

Labris Teknoloji A.Ş.
Galyum Blok, K1-1 ODTÜ TEKNOKENT
Ankara, Türkiye
alptu...@labrisnetworks.com
T : +90 312 210 1490 (pbx)


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
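
Added example, not part of the original thread and not ClamAV project code: a small scanner that finds logical signatures whose PCRE subsignature uses the `(?<name>` named-group spelling that failed on PCRE 6.6 above, and prints their names in the form used for an .ign2 ignore file. It assumes the field layout seen in the quoted signature (name;target block;expression;subsigs, with PCRE subsigs written as Trigger/regex/flags and no raw `;` inside the regex); the function names and the second sample signature are constructed for illustration.

```python
import re

# Constructed sample .ldb content: the signature quoted in the thread plus a
# made-up one that only uses (?P<name>...), a lookbehind and an escaped "\(".
SAMPLE_LDB = r"""
Pdf.Exploit.CVE_2019_7057-6900620-0;Engine:81-255,Target:10;1;7361766546696C7465726564584D4C;0/resolveNode[^>]*?(?<load>loadXML\([^>]*?save(XML|FilteredXML))[^>]*?(?P=load)[^>]*?(?P=load)/i
Example.Constructed.Sig-1;Engine:81-255,Target:10;1;414243;0/foo(?P<x>bar\(?<)(?<=r)(?P=x)/i
"""

# A PCRE subsignature looks like Trigger/regex/flags; hex subsigs have no "/".
PCRE_SUBSIG = re.compile(r"^[^/]*/(?P<regex>.*)/(?P<flags>[A-Za-z]*)$")
# "(?<name>" named group. Lookbehinds "(?<=" and "(?<!" do not match this.
ANGLE_NAMED_GROUP = re.compile(r"\(\?<[A-Za-z_]\w*>")


def angle_named_groups(regex):
    """Return the '(?<name>' openers in regex, ignoring escaped characters."""
    unescaped = re.sub(r"\\.", "", regex)  # drop \( \\ etc. so "\(?<" is not counted
    return ANGLE_NAMED_GROUP.findall(unescaped)


def affected_signatures(ldb_text):
    """Map signature name -> '(?<name>' openers found in its PCRE subsigs."""
    hits = {}
    for line in ldb_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")
        # fields: name, target description block, logical expression, subsigs...
        for subsig in fields[3:]:
            m = PCRE_SUBSIG.match(subsig)
            if m:
                found = angle_named_groups(m.group("regex"))
                if found:
                    hits.setdefault(fields[0], []).extend(found)
    return hits


def ign2_lines(ldb_text):
    """Affected signature names, one per line, as written to an .ign2 file."""
    return "\n".join(sorted(affected_signatures(ldb_text))) + "\n"


if __name__ == "__main__":
    print(ign2_lines(SAMPLE_LDB), end="")
```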
