./security/yara, Pattern matching swiss knife for malware researchers

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 4.1.1, Package name: yara-4.1.1, Maintainer: khorben

YARA is a tool aimed at (but not limited to) helping malware
researchers to identify and classify malware samples. With YARA
you can create descriptions of malware families (or whatever you
want to describe) based on textual or binary patterns.


Required to run:
[security/openssl]

Required to build:
[pkgtools/cwrappers]

Master sites:

Filesize: 913.838 KB

Version history: (Expand)


CVS history: (Expand)


   2021-10-26 13:18:07 by Nia Alarie | Files touched by this commit (605)
Log message:
security: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo \ 
cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2
   2021-10-07 16:54:50 by Nia Alarie | Files touched by this commit (606)
Log message:
security: Remove SHA1 hashes for distfiles
   2021-06-05 04:58:18 by Makoto Fujiwara | Files touched by this commit (2)
Log message:
(security/yara) build fix: ERROR: [check-portability.awk]
   2021-05-30 03:22:05 by Pierre Pronchery | Files touched by this commit (2) | Package updated
Log message:
yara: update to version 4.1.1

YARA v4.1.1

 * BUGFIX: Accept the "+" character as valid in DLL names (#1501).
 * BUGFIX: Buffer overrun in "macho" module.
 * BUGFIX: Undefined behavior in Windows implementation of yr_filemap_xxx \ 
functions (#1302).
 * BUGFIX: Crash due to consecutive jumps in hex strings (#1492).

The yara-python repository does not offer a corresponding release.
   2021-05-30 03:16:28 by Pierre Pronchery | Files touched by this commit (9) | Package updated
Log message:
{,py-}yara: update to version 4.1.0

Since version 3.11.0:

YARA v4.1.0

 * New operators icontains, endswith, iendswith, startswith, istartswith.
 * Accept \t escape sequence in text strings.
 * Add --no-follow-links command-line option to yara.
 * Prevent yara from following links to "." (@1D2D).
 * Implemented non-blocking scanning API (@simonhf).
 * When a string causes too many matches, YARA raises a warning instead of \ 
failing (@wxsBSD).
 * BUGFIX: The use of --timeout could hang yara when scanning directories or \ 
lists of files (#1481).
 * BUGFIX: Incorrect parsing of PE certificates (#1443).
 * BUGFIX: Short-circuit evaluation not working fine with undefined expressions.

YARA v4.1.0-rc2

 * Don't raise warnings for non-ASCII strings.

YARA v4.1.0-rc1

 * New operators icontains, endswith, iendswith, startswith, istartswith.
 * Raise warnings for non-ascii strings.
 * Accept \t escape sequence in text strings.
 * Add --no-follow-links command-line option to yara.
 * Prevent yara from following links to "." (@1D2D).
 * Implemented non-blocking scanning API (@simonhf).
 * When a string causes too many matches, YARA raises a warning instead of failing.

YARA v4.0.5

 * BUGFIX: Fix bug in "macho" module introduced in v4.0.4.

YARA v4.0.4

 * BUGFIX: Multiple out-of-bounds reads in "macho" module.

Credits to Luis Merino from X41 D-SEC GmbH for reporting these issues.

YARA v4.0.3

 * BUGFIX: Multiple out-of-bounds read in "dotnet" module.

YARA v4.0.2

 * BUGFIX: Use-after-free bug in PE module (#1287).
 * BUGFIX: Incorrect errors in rules when a single rule is badly formatted (#1294).
 * BUGFIX: Assertion failed with rules that have invalid syntax (#1295).
 * BUGFIX: Integer overflow causing missed matches on files larger than 2GB (#1304).
 * BUGFIX: Crashes in Mac OS while scanning binaries with a signature that can't \ 
be verified (#1309).

YARA v4.0.1

 * Update sandboxed API (#1276).
 * BUGFIX: Fix regression in exports parsing in PE module (2bf67e6).
 * BUGFIX: Fix unaligned accesses in ARM (e1654ae).

YARA v4.0.0

 * New string modifiers base64 and base64wide (#1185).
 * New string modifier private (#1096).
 * Iterators for dictionaries and arrays (#1141).
 * Multiple API changes.
 * Memory footprint greatly reduced, specially when compiling large numbers of rules.
 * New commmand-line option --scan-list (#1261).
 * Added pdb_path field to "pe" module.
 * Added export_details array to "pe" module.
 * Added exports_index functions to "pe" module.
 * Improvements to "cuckoo" module.
 * BUGFIX: PE files with multiple signatures are parsed correctly (#940).
 * BUGFIX: Fix PE rich header parsing (#1164).
 * BUGFIX: Buffer overruns in "dotnet" module (#1167, #1173).
   2021-05-14 13:47:57 by Nia Alarie | Files touched by this commit (1)
Log message:
yara: needs flex
   2020-01-18 22:51:16 by Jonathan Perkin | Files touched by this commit (1836)
Log message:
*: Recursive revision bump for openssl 1.1.1.
   2019-12-14 11:46:09 by Pierre Pronchery | Files touched by this commit (7)
Log message:
security/yara: Update to 3.11.0

Coordinated with leot@ and he@ while investigating CVE-2019-19648.

The changes listed for this version include:

 * Duplicated string modifiers are now an error.
 * More flexible xor modifier.
 * Implement private strings (#1096)
 * Add field_offsets to dotnet module.
 * Implement crc32 functions in hash module.
 * Improvements to rich_signature functions in pe module.
 * Implement sandboxed API using SAPI
 * BUGFIX: Some regexp character classes not matching correctly when used with \ 
nocase modifier (#1117)
 * BUGFIX: Reduce the number of ERROR_TOO_MANY_RE_FIBERS errors for certain hex \ 
pattern containing large jumps (#1107)
 * BUGFIX: Buffer overrun in dotnet module (#1108)
 * BUGFIX: Segfault in certain Windows versions (#1068)
 * BUGFIX: Memory leak while attaching to a process fails (#1070)

Changes for version 3.10.0:

 * Optimize integer range loops by exiting earlier when possible.
 * Cache the result of PE module's imphash function in order to improve performance.
 * Harden virtual machine against malicious code.
 * BUGFIX: xor modifier not working as expected if not accompanied by ascii (#1053).
 * BUGFIX: \s and \S character classes in regular expressions now include \ 
vertical tab, new line, carriage return and form feed characters.
 * BUGFIX: Regression bug in hex strings containing wildcards (#1025).
 * BUGFIX: Buffer overrun in elf module.
 * BUGFIX: Buffer overrun in dotnet module

Changes for version 3.9.0:

 * Improve scan performance for certain strings.
 * Reduce stack usage.
 * Prevent inadvertent use of compiled rules by forcing the use of -C when using \ 
yara command-line tool.
 * BUGFIX: Buffer overflow in "dotnet" module.
 * BUGFIX: Internal error when running multiple instances of YARA in Mac OS X. (#945)
 * BUGFIX: Regexp regression when using nested quantifiers {x,y} for certain \ 
values of x and y. (#1018)
 * BUGFIX: High RAM consumption in "pe" module while parsing certain \ 
files.(0c8b461)
 * BUGFIX: Denial of service when using "dex" module. Found by the \ 
Cisco Talos team. (#1023)
 * BUGFIX: Issues with comments inside hex strings.

Changes for version 3.8.1:

 * BUGFIX: Some combinations of boolean command-line flags were broken in \ 
version 3.8.0.
 * BUGFIX: While reporting errors that occur at the end of the file, the file \ 
name appeared as null.
 * BUGFIX: dex module now works in big-endian architectures.
 * BUGFIX: Keep ABI compatibility by keeping deprecated functions visible.

Changes for version 3.8.0:

 * Scanner API
 * New xor modifier for strings
 * New fields and functions in PE module.
 * Add functions min and max to math module.
 * Make compiled.
 * yara and yaracsupport reading rules from stdin by using - as the file name.
 * Rule compilation is faster.
 * BUGFIX: Regression in regex engine. /ba{3}b/ was matching baaaab.
 * BUGFIX: Function yr_compiler_add_fd() was reading only the first 1024 bytes \ 
of the file.
 * BUGFIX: Wrong calculation of sha256 hashes in Windows when using native \ 
crypto API.
 * Lots of more bug fixes.

Changes for version 3.7.1:

 * Fix regression in include directive (issue #796)
 * Fix bug in PE checksum calculation causing wrong results in some cases.