[Clamav-devel] Yara language version, ClamAV documentation.

[G.W. Haywood]

Hi there,

On Mon, 24 May 2021, G.W. Haywood wrote:

> ...
> I'm not sure if the 'word boundary' atoms (\b, \B) are supported or
> not - I don't even know how to find out, except perhaps at the risk of
> crashing clamd.  I *think* I managed to do that with bad Yara rule. :(
> ...

Now I'm sure.

Micah, would you prefer me to send you a private mail about it, or post
it on Bugzilla?  I'm reluctant to publish it because a crash might be
exploitable, although with this one it would most likely be hard work.

A separate issue, I'm also seeing a problem with the syntax '.{,n}'.

A rule containing the following works fine, it matches my test sample:

8<----------------------------------------------------------------------
   ...
   $unsubscribe = /reply.{0,30}no/ ascii nocase
   ...
condition:
   6 of them
8<----------------------------------------------------------------------

In the same rule, the following doesn't match the same test sample:

   $unsubscribe = /reply.{,30}no/ ascii nocase

The docs are very clear that the syntax is legal.  It took a while to
nail that down...

-- 

73,
Ged.