[clamav-users] Pdf.Exploit.CVE_2019_7057-6900620-0 signature causes error on clamav start

Gianluigi Tiesi sherpya at netfarm.it
Thu Mar 21 09:44:25 EDT 2019


On 3/21/19 12:51 PM, Burnie wrote:
> On 21. mars 2019 11:19, Alptugay Değirmencioğlu wrote:
>> Hello,
>>
>> This signature Pdf.Exploit.CVE_2019_7057-6900620-0 causes an error on
>> clamd start on both versions 0.93 and 0.101.1.
>>
>> The error is:
>>
>> LibClamAV Error: cli_pcre_compile: PCRE compilation failed at offset 
>> 20: unrecognized character after (?<
>> LibClamAV Error: cli_pcre_build: failed to build pcre regex
>> Thu Mar 21 13:11:33 2019 -> !Database initialization error: Malformed 
>> database
>>
>> The content of the signature is odd.
>>
>> Pdf.Exploit.CVE_2019_7057-6900620-0;Engine:81-255,Target:10;1;7361766546696C7465726564584D4C;0/resolveNode[^>]*?(?<load>loadXML\([^>]*?save(XML|FilteredXML))[^>]*?(?P=load)[^>]*?(?P=load)/i 
> 
> 
> 
> This is probably only a problem on machines with perl older than v.5.10.
> 
> I think it is the notation '(?<l' that causes problems for older perl/pcre.
> 
> 
> perl 5.8.8:
> 
> perl -e 'print "OK\n" 
> unless(/(?<load>loadXML\([^>]*?save(XML|FilteredXML))/);'
> Sequence (?<l...) not recognized in regex; marked by <-- HERE in m/(?<l 
> <-- HERE oad>loadXML\([^>]*?save(XML|FilteredXML))/ at -e line 1.
> 
> 
> perl 5.10.1:
> 
> perl -e 'print "OK\n" 
> unless(/(?<load>loadXML\([^>]*?save(XML|FilteredXML))/);'
> OK
> 
> 
> Workaround:
> 
> echo "Pdf.Exploit.CVE_2019_7057-6900620-0" > /var/lib/clamav/pcre.ign2
> 
> 

It's not perl but libpcre: with 6.6.6 (CentOS 5.9) it fails; Debian
(even non-recent) has 8.30+.

Regards

-- 
Gianluigi Tiesi <sherpya at netfarm.it>
EDP Project Leader
Netfarm S.r.l. - http://www.netfarm.it/
Free Software: http://oss.netfarm.it/

Q: Because it reverses the logical flow of conversation.
A: Why is putting a reply at the top of the message frowned upon?
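
A pre-flight check for the failure discussed in this thread, as an added example that is not part of the original messages or of ClamAV: it scans logical signature lines for PCRE subsignatures that use the `(?<name>` group form and returns the signature names to put in an ignore file such as the `pcre.ign2` above. The function names, the field-splitting assumptions and the second sample line are constructed for illustration.

```python
import re

# Perl 5.10-style named group "(?<name>". Lookbehinds "(?<=" / "(?<!" do not match
# because an identifier must follow "<". Heuristic: skips a "(" escaped as "\(".
PERL_NAMED_GROUP = re.compile(r"(?<!\\)\(\?<([A-Za-z_]\w*)>")

def pcre_bodies(ldb_line):
    """Yield the regex body of each Trigger/PCRE/[Flags] subsignature."""
    # Assumed layout: Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;...
    # with ";" never appearing raw inside a subsignature.
    for sub in ldb_line.strip().split(";")[3:]:
        first, last = sub.find("/"), sub.rfind("/")
        if first != -1 and last > first:      # hex subsignatures carry no "/"
            yield sub[first + 1:last]

def perl_named_groups(ldb_line):
    """Return (signature name, sorted names of (?<name> groups in its PCRE subsigs)."""
    name = ldb_line.split(";", 1)[0]
    found = {g for body in pcre_bodies(ldb_line) for g in PERL_NAMED_GROUP.findall(body)}
    return name, sorted(found)

def ignore_list(ldb_lines):
    """Names of signatures to list in an ignore file, one per line."""
    return [n for n, groups in map(perl_named_groups, ldb_lines) if groups]

SAMPLE = [
    # Signature quoted in the thread.
    r"Pdf.Exploit.CVE_2019_7057-6900620-0;Engine:81-255,Target:10;1;"
    r"7361766546696C7465726564584D4C;"
    r"0/resolveNode[^>]*?(?<load>loadXML\([^>]*?save(XML|FilteredXML))"
    r"[^>]*?(?P=load)[^>]*?(?P=load)/i",
    # Constructed line: a (?P<name> group and a lookbehind, neither is the (?<name> form.
    r"Constructed.Sample-0;Engine:81-255,Target:0;1;68656C6C6F;"
    r"0/(?P<w>wor)ld(?<=ld)(?P=w)/i",
]

if __name__ == "__main__":
    print("\n".join(ignore_list(SAMPLE)))
```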

