Hi Mark,
Unfortunately, as of right now the only way to get pcre 8.38 is via their
rc1 candidate (check the pcre-dev mailing list for a tarball).
In practice, the pcre exploit ClamAV warns about (
http://www.securitytracker.com/id/1032453) relies upon an explicitly
malicious regex, so you don't have to worry too much unless you're using
untrusted sigs. Everything should still compile and run just fine, even
with 8.37.
- Mickey
On Fri, Nov 20, 2015 at 8:08 AM, Mark Allan wrote:
> Hi all,
>
> I saw the blog post about v0.99 rc 2 and have downloaded it for testing.
>
> It looks like bug 11411 [
> https://bugzilla.clamav.net/show_bug.cgi?id=11411 ] is still open, so I
> decided to download and build PCRE as well.
>
> I initially tried the PCRE2 branch but it wasn't recognised by ClamAV's
> configure script, so I went with the most up-to-date version of PCRE (which
> is currently 8.37) but now configure outputs the following:
>
> configure: WARNING: The installed pcre version may contain a security bug.
> Please upgrade to 8.38 or later: http://www.pcre.org
>
> There is no 8.38 that I can see:
> https://sourceforge.net/projects/pcre/files/pcre/
>
> Are you just assuming that 8.38 will be coming soon to fix the bug, or is
> there a download somewhere that I'm not seeing?
>
> Thanks
> Mark
>
> ___
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
>
> http://www.clamav.net/contact.html#ml
>
___
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
http://www.clamav.net/contact.html#ml
