Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package yara for openSUSE:Factory checked in at 2021-06-06 22:40:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yara (Old) and /work/SRC/openSUSE:Factory/.yara.new.1898 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yara" Sun Jun 6 22:40:50 2021 rev:12 rq:897776 version:4.1.1 Changes: -------- --- /work/SRC/openSUSE:Factory/yara/yara.changes 2021-05-15 01:24:08.391035057 +0200 +++ /work/SRC/openSUSE:Factory/.yara.new.1898/yara.changes 2021-06-06 22:40:52.903422181 +0200 @@ -1,0 +2,8 @@ +Sat May 29 11:29:10 UTC 2021 - Ferdinand Thiessen <[email protected]> + +- Update to version 4.1.1 + * BUGFIX: Accept the "+" character as valid in DLL names + * BUGFIX: Buffer overrun in "macho" module. + * BUGFIX: Crash due to consecutive jumps in hex strings + +------------------------------------------------------------------- Old: ---- yara-4.1.0.tar.gz New: ---- yara-4.1.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yara.spec ++++++ --- /var/tmp/diff_new_pack.q0zj3Y/_old 2021-06-06 22:40:53.343423043 +0200 +++ /var/tmp/diff_new_pack.q0zj3Y/_new 2021-06-06 22:40:53.343423043 +0200 @@ -18,7 +18,7 @@ %define soname 8 Name: yara -Version: 4.1.0 +Version: 4.1.1 Release: 0 Summary: A malware identification and classification tool License: Apache-2.0 ++++++ yara-4.1.0.tar.gz -> yara-4.1.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yara-4.1.0/appveyor.yml new/yara-4.1.1/appveyor.yml --- old/yara-4.1.0/appveyor.yml 2021-04-19 15:05:24.000000000 +0200 +++ new/yara-4.1.1/appveyor.yml 2021-05-24 11:20:19.000000000 +0200 @@ -65,7 +65,7 @@ verbosity: minimal after_build: - - cmd: 7z a yara-%APPVEYOR_BUILD_VERSION%-%ARTIFACT_POSTFIX%.zip %APPVEYOR_BUILD_FOLDER%\windows\%TARGET%\%CONFIGURATION%\*.exe + - cmd: 7z a yara-%APPVEYOR_BUILD_VERSION%-%ARTIFACT_POSTFIX%.zip %APPVEYOR_BUILD_FOLDER%\windows\%TARGET%\%CONFIGURATION%\yara*.exe artifacts: - path: yara-$(APPVEYOR_BUILD_VERSION)-$(ARTIFACT_POSTFIX).zip diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yara-4.1.0/docs/writingrules.rst new/yara-4.1.1/docs/writingrules.rst --- old/yara-4.1.0/docs/writingrules.rst 2021-04-19 15:05:24.000000000 +0200 +++ new/yara-4.1.1/docs/writingrules.rst 2021-05-24 11:20:19.000000000 +0200 @@ -33,51 +33,46 @@ - base64 - base64wide - condition - - contains - * - endswith + * - contains + - endswith - entrypoint - false - filesize - for - fullword - global - - import + * - import - icontains - * - iendswith + - iendswith - in - include - int16 - int16be - int32 - - int32be + * - int32be - int8 - int8be - * - istartswith + - istartswith - matches - meta - nocase - not - - of + * - of - or - private - rule - * - startswith + - startswith - strings - them - true - - uint16 + * - uint16 - uint16be - uint32 - uint32be - * - uint8 + - uint8 - uint8be - wide - xor - - - - - - - - - - Rules are generally composed of two sections: strings definition and condition. The strings definition section can be omitted if the rule doesn't rely on any @@ -463,7 +458,7 @@ The ``base64`` modifier can be used to search for strings that have been base64 encoded. A good explanation of the technique is at: -https://www.leeholmes.com/blog/2019/12/10/searching-for-content-in-base-64-strings-2/ +https://www.leeholmes.com/searching-for-content-in-base-64-strings/ The following rule will search for the three base64 permutations of the string "This program cannot": diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yara-4.1.0/libyara/filemap.c new/yara-4.1.1/libyara/filemap.c --- old/yara-4.1.0/libyara/filemap.c 2021-04-19 15:05:24.000000000 +0200 +++ new/yara-4.1.1/libyara/filemap.c 2021-05-24 11:20:19.000000000 +0200 @@ -80,7 +80,7 @@ YR_API int yr_filemap_map_fd( YR_FILE_DESCRIPTOR file, - off_t offset, + uint64_t offset, size_t size, YR_MAPPED_FILE* pmapped_file) { @@ -110,7 +110,7 @@ return ERROR_COULD_NOT_OPEN_FILE; } - if (offset > (off_t) file_size) + if (offset > (uint64_t) file_size) return ERROR_COULD_NOT_MAP_FILE; if (size == 0) @@ -179,7 +179,7 @@ YR_API int yr_filemap_map_fd( YR_FILE_DESCRIPTOR file, - off_t offset, + uint64_t offset, size_t size, YR_MAPPED_FILE* pmapped_file) { @@ -257,7 +257,7 @@ YR_API int yr_filemap_map_ex( const char* file_path, - off_t offset, + uint64_t offset, size_t size, YR_MAPPED_FILE* pmapped_file) { @@ -291,7 +291,7 @@ YR_API int yr_filemap_map_ex( const char* file_path, - off_t offset, + uint64_t offset, size_t size, YR_MAPPED_FILE* pmapped_file) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yara-4.1.0/libyara/include/yara/filemap.h new/yara-4.1.1/libyara/include/yara/filemap.h --- old/yara-4.1.0/libyara/include/yara/filemap.h 2021-04-19 15:05:24.000000000 +0200 +++ new/yara-4.1.1/libyara/include/yara/filemap.h 2021-05-24 11:20:19.000000000 +0200 @@ -61,14 +61,14 @@ YR_API int yr_filemap_map_fd( YR_FILE_DESCRIPTOR file, - off_t offset, + uint64_t offset, size_t size, YR_MAPPED_FILE* pmapped_file); YR_API int yr_filemap_map_ex( const char* file_path, - off_t offset, + uint64_t offset, size_t size, YR_MAPPED_FILE* pmapped_file); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yara-4.1.0/libyara/modules/macho/macho.c new/yara-4.1.1/libyara/modules/macho/macho.c --- old/yara-4.1.0/libyara/modules/macho/macho.c 2021-04-19 15:05:24.000000000 +0200 +++ new/yara-4.1.1/libyara/modules/macho/macho.c 2021-05-24 11:20:19.000000000 +0200 @@ -209,23 +209,34 @@ // Get entry point address from LC_UNIXTHREAD load command. void macho_handle_unixthread( - const uint8_t* command, + const uint8_t* data, + size_t size, YR_OBJECT* object, YR_SCAN_CONTEXT* context) { int should_swap = should_swap_bytes(get_integer(object, "magic")); bool is64 = false; - uint32_t command_size = ((yr_thread_command_t*) command)->cmdsize; + if (size < sizeof(yr_thread_command_t)) + return; + + // command_size is the size indicated in yr_thread_command_t structure, but + // limited to the data's size because we can't rely on the structure having a + // valid size. + uint32_t command_size = yr_min(size, ((yr_thread_command_t*) data)->cmdsize); + + // command_size should be at least the size of yr_thread_command_t. + if (command_size < sizeof(yr_thread_command_t)) + return; - // cmd_size includes the size of yr_thread_command_t and the thread + // command_size includes the size of yr_thread_command_t and the thread // state structure that follows, let's compute the size of the thread state // structure. size_t thread_state_size = command_size - sizeof(yr_thread_command_t); // The structure that contains the thread state starts where // yr_thread_command_t ends. - const void* thread_state = command + sizeof(yr_thread_command_t); + const void* thread_state = data + sizeof(yr_thread_command_t); uint64_t address = 0; @@ -318,13 +329,17 @@ // Get entry point offset and stack-size from LC_MAIN load command. void macho_handle_main( - void* command, + void* data, + size_t size, YR_OBJECT* object, YR_SCAN_CONTEXT* context) { yr_entry_point_command_t ep_command; - memcpy(&ep_command, command, sizeof(yr_entry_point_command_t)); + if (size < sizeof(yr_entry_point_command_t)) + return; + + memcpy(&ep_command, data, sizeof(yr_entry_point_command_t)); if (should_swap_bytes(get_integer(object, "magic"))) swap_entry_point_command(&ep_command); @@ -347,15 +362,19 @@ // Load segment and its sections. void macho_handle_segment( - const uint8_t* command, + const uint8_t* data, + size_t size, const unsigned i, YR_OBJECT* object) { - int should_swap = should_swap_bytes(get_integer(object, "magic")); + if (size < sizeof(yr_segment_command_32_t)) + return; yr_segment_command_32_t sg; - memcpy(&sg, command, sizeof(yr_segment_command_32_t)); + memcpy(&sg, data, sizeof(yr_segment_command_32_t)); + + int should_swap = should_swap_bytes(get_integer(object, "magic")); if (should_swap) swap_segment_command(&sg); @@ -376,7 +395,7 @@ // The array of yr_section_32_t starts where yr_segment_command_32_t ends. yr_section_32_t* sections = - (yr_section_32_t*) (command + sizeof(yr_segment_command_32_t)); + (yr_section_32_t*) (data + sizeof(yr_segment_command_32_t)); for (unsigned j = 0; j < sg.nsects; ++j) { @@ -431,15 +450,19 @@ } void macho_handle_segment_64( - const uint8_t* command, + const uint8_t* data, + size_t size, const unsigned i, YR_OBJECT* object) { - int should_swap = should_swap_bytes(get_integer(object, "magic")); + if (size < sizeof(yr_segment_command_64_t)) + return; yr_segment_command_64_t sg; - memcpy(&sg, command, sizeof(yr_segment_command_64_t)); + memcpy(&sg, data, sizeof(yr_segment_command_64_t)); + + int should_swap = should_swap_bytes(get_integer(object, "magic")); if (should_swap) swap_segment_command_64(&sg); @@ -463,13 +486,13 @@ for (unsigned j = 0; j < sg.nsects; ++j) { parsed_size += sizeof(yr_section_64_t); + if (sg.cmdsize < parsed_size) break; memcpy( &sec, - command + sizeof(yr_segment_command_64_t) + - (j * sizeof(yr_section_64_t)), + data + sizeof(yr_segment_command_64_t) + (j * sizeof(yr_section_64_t)), sizeof(yr_section_64_t)); if (should_swap) @@ -582,12 +605,10 @@ switch (command_struct.cmd) { case LC_SEGMENT: - if (command_struct.cmdsize >= sizeof(yr_segment_command_32_t)) - macho_handle_segment(command, seg_count++, object); + macho_handle_segment(command, size - parsed_size, seg_count++, object); break; case LC_SEGMENT_64: - if (command_struct.cmdsize >= sizeof(yr_segment_command_64_t)) - macho_handle_segment_64(command, seg_count++, object); + macho_handle_segment_64(command, size - parsed_size, seg_count++, object); break; } @@ -620,12 +641,10 @@ switch (command_struct.cmd) { case LC_UNIXTHREAD: - if (command_struct.cmdsize >= sizeof(yr_thread_command_t)) - macho_handle_unixthread(command, object, context); + macho_handle_unixthread(command, size - parsed_size, object, context); break; case LC_MAIN: - if (command_struct.cmdsize >= sizeof(yr_entry_point_command_t)) - macho_handle_main(command, object, context); + macho_handle_main(command, size - parsed_size, object, context); break; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yara-4.1.0/libyara/modules/pe/pe.c new/yara-4.1.1/libyara/modules/pe/pe.c --- old/yara-4.1.0/libyara/modules/pe/pe.c 2021-04-19 15:05:24.000000000 +0200 +++ new/yara-4.1.1/libyara/modules/pe/pe.c 2021-05-24 11:20:19.000000000 +0200 @@ -928,7 +928,7 @@ while (l < n && *c != '\0') { if ((*c >= 'a' && *c <= 'z') || (*c >= 'A' && *c <= 'Z') || - (*c >= '0' && *c <= '9') || (*c == '_' || *c == '.' || *c == '-')) + (*c >= '0' && *c <= '9') || (*c == '_' || *c == '.' || *c == '-' || *c == '+')) { c++; l++; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yara-4.1.0/libyara/re.c new/yara-4.1.1/libyara/re.c --- old/yara-4.1.0/libyara/re.c 2021-04-19 15:05:24.000000000 +0200 +++ new/yara-4.1.1/libyara/re.c 2021-05-24 11:20:19.000000000 +0200 @@ -2022,7 +2022,6 @@ uint8_t mask; uint8_t value; - int i; int stop; int input_incr; int sp = 0; @@ -2058,8 +2057,16 @@ if (flags & RE_FLAGS_EXHAUSTIVE) { FAIL_ON_ERROR(callback( - flags & RE_FLAGS_BACKWARDS ? input + 1 : input_data, - bytes_matched, + // When matching forwards the matching data always starts at + // input_data, when matching backwards it starts at input + 1 or + // input_data - input_backwards_size if input + 1 is outside the + // buffer. + flags & RE_FLAGS_BACKWARDS + ? yr_max(input + 1, input_data - input_backwards_size) + : input_data, + // The number of matched bytes should not be larger than + // max_bytes_matched. + yr_min(bytes_matched, max_bytes_matched), flags, callback_args)); @@ -2125,7 +2132,7 @@ repeat_any_args = (RE_REPEAT_ANY_ARGS*) (ip + 1); next_opcode = ip + 1 + sizeof(RE_REPEAT_ANY_ARGS); - for (i = repeat_any_args->min + 1; i <= repeat_any_args->max; i++) + for (int i = repeat_any_args->min + 1; i <= repeat_any_args->max; i++) { if (bytes_matched + i >= max_bytes_matched) break; @@ -2148,7 +2155,7 @@ input += input_incr * repeat_any_args->min; bytes_matched += repeat_any_args->min; - bytes_matched = yr_min(bytes_matched, max_bytes_matched); + ip = next_opcode; break;
