Bug#902899: [Pkg-clamav-devel] Bug#902899: clamd: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed in stable update

2018-07-05 Thread Bernhard Schmidt
On 04.07.2018 14:00, Sebastian Andrzej Siewior wrote:

Hi Sebastian,

> On 2018-07-03 09:04:21 [+0200], Bernhard Schmidt wrote:
>> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): 
>> /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
>> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): 
>> /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
>> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): 
>> /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
>> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): 
>> /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
>> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Warning: cli_loadyara: failed 
>> to parse or load 7 yara rules from file 
>> /var/lib/clamav/antidebug_antivm.yar, successfully 
>> Jul 03 07:40:12 mail clamd[21927]: clamd: yara_exec.c:177: yr_execute_code: 
>> Assertion `sp == 0' failed.
>>
>> 0.99.4+dfsg-1+deb9u1 -> 0.100.0+dfsg-0+deb9u1
>>
>> This is probably related to using third-party signatures, but still a 
>> regression.
> 
> Okay. It is not just "probably". Could you please make the file
> available? I will try to forward it to clamav upstream and see what
> they intend to do about it. The progress on the GitHub issue looks
> stale.

Attached. Note that antidebug_antivm.yar is the one with the errors on
loading, but the actual assertion is later when the first (?) mail is
processed with clamd. So it might be related to any of the .yara? files.

Thanks for looking into this.

Bernhard


clamav-yar.tgz
Description: application/gtar-compressed
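
The message above separates two events in the log: rule files being rejected at load time (07:30:24) and the assertion firing later while a mail is scanned (07:40:12). The following added example, which is not part of the original thread or of ClamAV, splits a clamd log into those two phases; the `triage` function, its regexes and the assumed year are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the journal lines quoted in this thread, unfolded to one
# entry per line. The cli_loadyara line is cut off in the mail and stays so.
SAMPLE_LOG = """\
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, successfully
Jul 03 07:40:12 mail clamd[21927]: clamd: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed.
"""

ENTRY = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ clamd\[(\d+)\]: (.*)$")
YYERROR = re.compile(r"yyerror\(\): (\S+) line (\d+) (.+)$")
LOADFAIL = re.compile(r"cli_loadyara: failed to parse or load (\d+) yara rules from file ([^,\s]+)")
ABORT = re.compile(r"(\S+\.c):(\d+): (\w+): Assertion `([^']*)' failed")


def triage(log_text, year=2018):
    """Split clamd log lines into load-time YARA errors and scan-time aborts."""
    parse_errors = defaultdict(list)   # rule file -> [(line, message)]
    rejected = {}                      # rule file -> number of rules not loaded
    aborts = []                        # one dict per failed assertion
    last_load = {}                     # pid -> time of last load-time message
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue
        # Syslog stamps carry no year; `year` is an assumption of this example.
        when = datetime.strptime(f"{year} {entry[1]}", "%Y %b %d %H:%M:%S")
        pid, msg = int(entry[2]), entry[3]
        if m := YYERROR.search(msg):
            parse_errors[m[1]].append((int(m[2]), m[3]))
            last_load[pid] = when
        elif m := LOADFAIL.search(msg):
            rejected[m[2]] = int(m[1])
            last_load[pid] = when
        elif m := ABORT.search(msg):
            gap = (when - last_load[pid]).total_seconds() if pid in last_load else None
            aborts.append({"pid": pid, "where": f"{m[1]}:{m[2]}", "func": m[3],
                           "expr": m[4], "seconds_after_load": gap})
    return dict(parse_errors), rejected, aborts


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A non-zero `seconds_after_load` on an abort shows the crash belongs to scanning rather than to the load of the file named in the `yyerror()` lines, which is why every loaded rule file remains a candidate.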


Bug#902899: [Pkg-clamav-devel] Bug#902899: clamd: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed in stable update

2018-07-04 Thread Sebastian Andrzej Siewior
On 2018-07-03 09:04:21 [+0200], Bernhard Schmidt wrote:
> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): 
> /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): 
> /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): 
> /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): 
> /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Warning: cli_loadyara: failed to 
> parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, 
> successfully 
> Jul 03 07:40:12 mail clamd[21927]: clamd: yara_exec.c:177: yr_execute_code: 
> Assertion `sp == 0' failed.
> 
> 0.99.4+dfsg-1+deb9u1 -> 0.100.0+dfsg-0+deb9u1
> 
> This is probably related to using third-party signatures, but still a 
> regression.

Okay. It is not just "probably". Could you please make the file
available? I will try to forward it to clamav upstream and see what
they intend to do about it. The progress on the GitHub issue looks
stale.

> Best Regards,
> Bernhard

Sebastian