[clamav-users] Pdf.Exploit.CVE_2019_7057-6900620-0 signature causes error on clamav start

Alptugay Değirmencioğlu alptugay at labrisnetworks.com
Thu Mar 21 09:47:51 EDT 2019


Thanks for the pointer Burnie.

Yes the ignore workaround works fine.

As I investigated further I have found that the issue does not seem to be 
related to the perl version; however, it seems to be related to the pcre 
version of the system. The pcre on my system (CentOS 5) was very old at 
version 6.6. After upgrading the pcre library to 8.13 the problem was 
solved.

But I think that this signature update will probably cause all ClamAV 
installations to fail on CentOS 5 and maybe other distros as well. This 
is the first time I have encountered such an error. So maybe if it is 
possible it would be better to optimise/change the signature to a more 
failsafe one.


On 21.03.2019 14:51, Burnie wrote:
> On 21. mars 2019 11:19, Alptugay Değirmencioğlu wrote:
>> Hello,
>>
>> This signature *Pdf.Exploit.CVE_2019_7057-6900620-0* causes an error on 
>> clamd start both on versions 0.93 and 0.101.1.
>>
>> The error is:
>>
>> LibClamAV Error: cli_pcre_compile: PCRE compilation failed at offset 
>> 20: unrecognized character after (?<
>> LibClamAV Error: cli_pcre_build: failed to build pcre regex
>> Thu Mar 21 13:11:33 2019 -> !Database initialization error: Malformed 
>> database
>>
>> The content of the signature is odd.
>>
>> Pdf.Exploit.CVE_2019_7057-6900620-0;Engine:81-255,Target:10;1;7361766546696C7465726564584D4C;0/resolveNode[^>]*?(?<load>loadXML\([^>]*?save(XML|FilteredXML))[^>]*?(?P=load)[^>]*?(?P=load)/i 
>
>
>
> This is probably only a problem on machines with perl older than v.5.10.
>
> I think it is the notation '(?<l' that causes problems for older 
> perl/pcre.
>
>
> perl 5.8.8:
>
> perl -e 'print "OK\n" 
> unless(/(?<load>loadXML\([^>]*?save(XML|FilteredXML))/);'
> Sequence (?<l...) not recognized in regex; marked by <-- HERE in 
> m/(?<l <-- HERE oad>loadXML\([^>]*?save(XML|FilteredXML))/ at -e line 1.
>
>
> perl 5.10.1:
>
> perl -e 'print "OK\n" 
> unless(/(?<load>loadXML\([^>]*?save(XML|FilteredXML))/);'
> OK
>
>
> Workaround:
>
> echo "Pdf.Exploit.CVE_2019_7057-6900620-0" > /var/lib/clamav/pcre.ign2
>
>
-- 
Alptugay Değirmencioğlu
Security Research & Operations Team Lead

Labris Teknoloji A.Ş.
Galyum Blok, K1-1 ODTÜ TEKNOKENT
Ankara, Türkiye
alptugay at labrisnetworks.com
T : +90 312 210 1490 (pbx)
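
Added example (not part of the original messages and not ClamAV project code): a pre-deployment check that scans logical-signature lines for the Perl-style named group "(?<name>" discussed in this thread and produces the names to put in an .ign2 file, as in the quoted workaround. It assumes, based on the error quoted above, that the old PCRE build accepts only "=" or "!" after "(?<"; the function names and the second sample line are constructed for illustration.

```python
import re

# Constructed input: the signature line quoted in the thread, plus one made-up
# line that only uses lookbehinds, which "(?<" legitimately introduces.
SAMPLE_LDB = r"""Pdf.Exploit.CVE_2019_7057-6900620-0;Engine:81-255,Target:10;1;7361766546696C7465726564584D4C;0/resolveNode[^>]*?(?<load>loadXML\([^>]*?save(XML|FilteredXML))[^>]*?(?P=load)[^>]*?(?P=load)/i
Example.Constructed.Lookbehind-0;Engine:81-255,Target:0;1;68656C6C6F;0/(?<=foo)bar(?<!x)/i
"""

# A PCRE subsignature has the shape Trigger/regex/flags; hex subsignatures
# contain no "/" and therefore never match this pattern.
PCRE_SUBSIG = re.compile(r"^[^/]*/(.*)/[A-Za-z]*$")


def named_group_offset(regex):
    """Offset of the character after an unescaped '(?<' that is not a
    lookbehind, or None. Heuristic: character classes are not parsed."""
    i = 0
    while i < len(regex):
        if regex[i] == "\\":          # skip the escaped character
            i += 2
            continue
        if regex.startswith("(?<", i) and regex[i + 3:i + 4] not in ("=", "!"):
            return i + 3
        i += 1
    return None


def find_incompatible(ldb_text):
    """Return [(signature_name, offset)] for lines using '(?<name>'."""
    hits = []
    for line in ldb_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.strip().split(";")
        for field in fields[3:]:      # subsignatures follow the logical expression
            m = PCRE_SUBSIG.match(field)
            offset = named_group_offset(m.group(1)) if m else None
            if offset is not None:
                hits.append((fields[0], offset))
                break
    return hits


def ign2_text(hits):
    """One signature name per line, the format of the quoted workaround."""
    return "".join(name + "\n" for name, _ in hits)


if __name__ == "__main__":
    for name, offset in find_incompatible(SAMPLE_LDB):
        print(f"{name}: named group at offset {offset}")
```

For the signature in this thread the reported offset is 20, the same offset given in the cli_pcre_compile error.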


