[clamav-users] Pdf.Exploit.CVE_2019_7057-6900620-0 signature causes error on clamav start

Burnie burnie at dod.no
Thu Mar 21 07:51:56 EDT 2019


On 21. mars 2019 11:19, Alptugay Değirmencioğlu wrote:
> Hello,
> 
> This signature *Pdf.Exploit.CVE_2019_7057-6900620-0* causes error on 
> clamd start both on versions 0.93 and 0.101.1.
> 
> The error is:
> 
> LibClamAV Error: cli_pcre_compile: PCRE compilation failed at offset 20: 
> unrecognized character after (?<
> LibClamAV Error: cli_pcre_build: failed to build pcre regex
> Thu Mar 21 13:11:33 2019 -> !Database initialization error: Malformed 
> database
> 
> The content of the signature is odd.
> 
> Pdf.Exploit.CVE_2019_7057-6900620-0;Engine:81-255,Target:10;1;7361766546696C7465726564584D4C;0/resolveNode[^>]*?(?<load>loadXML\([^>]*?save(XML|FilteredXML))[^>]*?(?P=load)[^>]*?(?P=load)/i 


This is probably only a problem on machines with perl older than v.5.10.

I think it is the notation '(?<l' that causes problems for older perl/pcre.


perl 5.8.8:

perl -e 'print "OK\n" 
unless(/(?<load>loadXML\([^>]*?save(XML|FilteredXML))/);'
Sequence (?<l...) not recognized in regex; marked by <-- HERE in m/(?<l 
<-- HERE oad>loadXML\([^>]*?save(XML|FilteredXML))/ at -e line 1.


perl 5.10.1:

perl -e 'print "OK\n" 
unless(/(?<load>loadXML\([^>]*?save(XML|FilteredXML))/);'
OK


Workaround:

echo "Pdf.Exploit.CVE_2019_7057-6900620-0" > /var/lib/clamav/pcre.ign2


-- 
Bernt  'Burnie'  Pettersen  ///  DoD#2345
<E-mail:burnie at dod.no>     ///  <URL:http://burnie.sh/>
        - Creative brains need creative workhours! -
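
A check that follows the diagnosis above, as an added example that is not part of the original post or of ClamAV: it scans logical (.ldb) signature lines for Perl 5.10-style `(?<name>` groups in PCRE subsignatures and returns the signature names one would list in an `.ign2` file. The function names and the two constructed sample lines are assumptions, and the field split assumes the `Name;TargetBlock;Expression;Subsig...` layout visible in the quoted signature.

```python
import re

# Perl 5.10-style named group "(?<name>". Lookbehinds "(?<=" / "(?<!" and the
# older "(?P<name>" form do not match this pattern.
NAMED_GROUP = re.compile(r"\(\?<([A-Za-z_]\w*)>")

def find_named_groups(ldb_line):
    """Return (signature, subsig index, group name, offset) for each hit.

    offset is the position of the character right after "(?<" inside the
    regex; for the signature in the post it equals the "offset 20" of the
    quoted cli_pcre_compile error. Character classes are not parsed, so a
    literal "(?<x>" inside [...] would be over-reported.
    """
    fields = ldb_line.strip().split(";")
    name, subsigs = fields[0], fields[3:]  # fields 1-2: target block, expression
    hits = []
    for idx, sub in enumerate(subsigs):
        if sub.count("/") < 2:             # hex subsignature, not Trigger/PCRE/Flags
            continue
        regex = sub[sub.index("/") + 1 : sub.rindex("/")]
        for m in NAMED_GROUP.finditer(regex):
            # An odd number of backslashes before "(" makes it a literal paren.
            prefix = regex[: m.start()]
            escaped = (len(prefix) - len(prefix.rstrip("\\"))) % 2 == 1
            if not escaped:
                hits.append((name, idx, m.group(1), m.start() + 3))
    return hits

def ign2_names(ldb_lines):
    """Signature names for an .ign2 file, one per line, deduplicated."""
    return sorted({h[0] for line in ldb_lines for h in find_named_groups(line)})

SAMPLE = [
    # Signature line quoted in the post above.
    r"Pdf.Exploit.CVE_2019_7057-6900620-0;Engine:81-255,Target:10;1;7361766546696C7465726564584D4C;0/resolveNode[^>]*?(?<load>loadXML\([^>]*?save(XML|FilteredXML))[^>]*?(?P=load)[^>]*?(?P=load)/i",
    # Constructed lines: a lookbehind and a (?P<name> group must not be reported.
    r"Example.Constructed.Lookbehind-0;Engine:81-255,Target:0;1;616263;0/(?<=abc)def/",
    r"Example.Constructed.PNamed-0;Engine:81-255,Target:0;1;616263;0/(?P<x>abc)(?P=x)/",
]

if __name__ == "__main__":
    for line in SAMPLE:
        for hit in find_named_groups(line):
            print("%s subsig %d: (?<%s> at regex offset %d" % hit)
    print("\n".join(ign2_names(SAMPLE)))
```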

