[Clamav-devel] ClamAV 0.99 RC 2
markjallan at gmail.com
Sat Nov 21 05:49:30 EST 2015
Yes, I found details of the exploit after sending my email and assumed it was a very low risk for ClamAV users (presumably limited to the downloading of 3rd party sigs). Thanks for confirming my suspicions.
I've also now found the RC1 on their FTP site but will stick with the stable release.
> On 20 Nov 2015, at 6:01 pm, Mickey Sola <msola at sourcefire.com> wrote:
> Hi Mark,
> Unfortunately, as of right now the only way to get pcre 8.38 is via their
> rc1 candidate (check the pcre-dev mailing list for a tarball).
> In practice, the pcre exploit ClamAV warns about (
> http://www.securitytracker.com/id/1032453) relies upon an explicitly
> malicious regex, so you don't have to worry too much unless you're using
> untrusted sigs. Everything should still compile and run just fine, even
> with 8.37.
> - Mickey
> On Fri, Nov 20, 2015 at 8:08 AM, Mark Allan <markjallan at gmail.com> wrote:
>> Hi all,
>> I saw the blog post about v0.99 rc 2 and have downloaded it for testing.
>> It looks like bug 11411 [
>> https://bugzilla.clamav.net/show_bug.cgi?id=11411 ] is still open, so I
>> decided to download and build PCRE as well.
>> I initially tried the PCRE2 branch but it wasn't recognised by ClamAV's
>> configure script, so I went with the most up-to-date version of PCRE (which
>> is currently 8.37) but now configure outputs the following:
>> configure: WARNING: The installed pcre version may contain a security bug.
>> Please upgrade to 8.38 or later: http://www.pcre.org
>> There is no 8.38 that I can see:
>> Are you just assuming that 8.38 will be coming soon to fix the bug, or is
>> there a download somewhere that I'm not seeing?
>> Please submit your patches to our Bugzilla: http://bugs.clamav.net
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
More information about the clamav-devel