[Clamav-devel] ClamAV 0.99 RC 2
msola at sourcefire.com
Fri Nov 20 13:01:39 EST 2015
Unfortunately, as of right now the only way to get pcre 8.38 is via their
rc1 candidate (check the pcre-dev mailing list for a tarball).
In practice, the pcre exploit ClamAV warns about (
http://www.securitytracker.com/id/1032453) relies upon an explicitly
malicious regex, so you don't have to worry too much unless you're using
untrusted sigs. Everything should still compile and run just fine, even
On Fri, Nov 20, 2015 at 8:08 AM, Mark Allan <markjallan at gmail.com> wrote:
> Hi all,
> I saw the blog post about v0.99 rc 2 and have downloaded it for testing.
> It looks like bug 11411 [
> https://bugzilla.clamav.net/show_bug.cgi?id=11411 ] is still open, so I
> decided to download and build PCRE as well.
> I initially tried the PCRE2 branch but it wasn't recognised by ClamAV's
> configure script, so I went with the most up-to-date version of PCRE (which
> is currently 8.37) but now configure outputs the following:
> configure: WARNING: The installed pcre version may contain a security bug.
> Please upgrade to 8.38 or later: http://www.pcre.org
> There is no 8.38 that I can see:
> Are you just assuming that 8.38 will be coming soon to fix the bug, or is
> there a download somewhere that I'm not seeing?
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
More information about the clamav-devel