[clamav-users] Pdf.Exploit.CVE_2019_7057-6900620-0 signature causes error on clamav start
Burnie
burnie at dod.no
Thu Mar 21 11:51:56 UTC 2019
On 21. mars 2019 11:19, Alptugay Değirmencioğlu wrote:
> Hello,
>
> This signature*Pdf.Exploit.CVE_2019_7057-6900620-0 *causes error on
> clamd start both on versions 0.93 and 0.101.1.
>
> The error is:
>
> LibClamAV Error: cli_pcre_compile: PCRE compilation failed at offset 20:
> unrecognized character after (?<
> LibClamAV Error: cli_pcre_build: failed to build pcre regex
> Thu Mar 21 13:11:33 2019 -> !Database initialization error: Malformed
> database
>
> The content of the signature is odd.
>
> Pdf.Exploit.CVE_2019_7057-6900620-0;Engine:81-255,Target:10;1;7361766546696C7465726564584D4C;0/resolveNode[^>]*?(?<load>loadXML\([^>]*?save(XML|FilteredXML))[^>]*?(?P=load)[^>]*?(?P=load)/i
This is probably only a problem on machines with perl older than v.5.10.
I think it is the notation '(?<l' that causes problems for older perl/pcre.
perl 5.8.8:
perl -e 'print "OK\n"
unless(/(?<load>loadXML\([^>]*?save(XML|FilteredXML))/);'
Sequence (?<l...) not recognized in regex; marked by <-- HERE in m/(?<l
<-- HERE oad>loadXML\([^>]*?save(XML|FilteredXML))/ at -e line 1.
perl 5.10.1:
perl -e 'print "OK\n"
unless(/(?<load>loadXML\([^>]*?save(XML|FilteredXML))/);'
OK
Workaround:
echo "Pdf.Exploit.CVE_2019_7057-6900620-0" > /var/lib/clamav/pcre.ign2
--
Bernt 'Burnie' Pettersen /// DoD#2345
<E-mail:burnie at dod.no> /// <URL:http://burnie.sh/>
- Creative brains need creative workhours! -
More information about the clamav-users
mailing list