Hi there,
On Mon, 24 May 2021, G.W. Haywood wrote:
...
I'm not sure if the 'word boundary' atoms (\b, \B) are supported or
not - I don't even know how to find out, except perhaps at the risk of
crashing clamd. I *think* I managed to do that with bad Yara rule. :(
...
Now I'm sure.
Micah, would you prefer me to send you a private mail about it, or post
it on Bugzilla? I'm reluctant to publish it because a crash might be
exploitable, although with this one it would most likely be hard work.
A separate issue, I'm also seeing a problem with the syntax '.{,n}'.
A rule containing the following works fine, it matches my test sample:
8<----------------------------------------------------------------------
...
$unsubscribe = /reply.{0,30}no/ ascii nocase
...
condition:
6 of them
8<----------------------------------------------------------------------
In the same rule, the following doesn't match the same test sample:
$unsubscribe = /reply.{,30}no/ ascii nocase
The docs are very clear that the syntax is legal. It took a while to
nail that down...
--
73,
Ged.
_______________________________________________
clamav-devel mailing list
clamav-devel@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel
Please submit your patches to our Github:
https://github.com/Cisco-Talos/clamav-devel/pulls
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
