Debian Package Tracker

general

source: yara (main)
version: 3.11.0-2
maintainer: Debian Security Tools (DMD)
uploaders: Hilko Bengen [DMD]
arch: all any
std-ver: 4.4.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 3.1.0-2+deb8u1
oldstable: 3.5.0+dfsg-9
old-bpo: 3.8.1-2~bpo9+1
stable: 3.9.0-1
testing: 3.11.0-2
unstable: 3.11.0-2

versioned links

3.1.0-2+deb8u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.5.0+dfsg-9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.8.1-2~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.9.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.11.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libyara-dev
libyara3
yara
yara-doc

action needed

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2019-19648: In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.

Please fix it.

Created: 2019-12-09 Last update: 2020-01-22 20:04

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2019-19648: In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.

Please fix it.

Created: 2019-12-09 Last update: 2020-01-22 20:04

12 security issues in jessie high

There are 12 open security issues in jessie.

1 important issue:

CVE-2019-19648: In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.

11 issues skipped by the security teams:

CVE-2017-8294: libyara/re.c in the regex component in YARA 3.5.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted rule that is mishandled in the yr_re_exec function.
CVE-2018-19976: In YARA 3.8.1, bytecode in a specially crafted compiled rule is exposed to information about its environment, in libyara/exec.c. This is a consequence of the design of the YARA virtual machine.
CVE-2017-9438: libyara/re.c in the regexp module in YARA 3.5.0 allows remote attackers to cause a denial of service (stack consumption) via a crafted rule (involving hex strings) that is mishandled in the _yr_re_emit function, a different vulnerability than CVE-2017-9304.
CVE-2017-11328: Heap buffer overflow in the yr_object_array_set_item() function in object.c in YARA 3.x allows a denial-of-service attack by scanning a crafted .NET file.
CVE-2018-19974: In YARA 3.8.1, bytecode in a specially crafted compiled rule can read uninitialized data from VM scratch memory in libyara/exec.c. This can allow attackers to discover addresses in the real stack (not the YARA virtual stack).
CVE-2018-19975: In YARA 3.8.1, bytecode in a specially crafted compiled rule can read data from any arbitrary address in memory, in libyara/exec.c. Specifically, OP_COUNT can read a DWORD.
CVE-2017-9465: The yr_arena_write_data function in YARA 3.6.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) or obtain sensitive information from process memory via a crafted file that is mishandled in the yr_re_fast_exec function in libyara/re.c and the _yr_scan_match_callback function in libyara/scan.c.
CVE-2017-8929: The sized_string_cmp function in libyara/sizedstr.c in YARA 3.5.0 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted rule.
CVE-2017-9304: libyara/re.c in the regexp module in YARA 3.5.0 allows remote attackers to cause a denial of service (stack consumption) via a crafted rule that is mishandled in the _yr_re_emit function.
CVE-2018-12035: In YARA 3.7.1 and prior, parsing a specially crafted compiled rule file can cause an out of bounds write vulnerability in yr_execute_code in libyara/exec.c.
CVE-2018-12034: In YARA 3.7.1 and prior, parsing a specially crafted compiled rule file can cause an out of bounds read vulnerability in yr_execute_code in libyara/exec.c.

Please fix them.

Created: 2017-04-03 Last update: 2020-01-22 20:04

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2020-02-13 Last update: 2020-02-17 19:54

3 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 12eeae27c08bb1c5af55f504807d2b46bbacff8e
Author: Samuel Henrique <samueloph@debian.org>
Date:   Sun Feb 9 18:38:33 2020 +0000

    Configure git-buildpackage for Debian

commit 21ae801fad2c48aa49fec71189a45e8454af3c1f
Author: Hilko Bengen <bengen@debian.org>
Date:   Sun Oct 13 01:36:21 2019 +0200

    Debian release 3.11.0-2

commit 8eacbe1e938a3ca110592154a7f527bb0ba147aa
Author: Hilko Bengen <bengen@debian.org>
Date:   Sun Oct 13 01:34:17 2019 +0200

    Add patch to fix FTBFS on s390x and other big-endian architectures

Created: 2019-10-13 Last update: 2020-02-17 11:11

1 ignored security issue in buster low

There is 1 open security issue in buster.

1 issue skipped by the security teams:

CVE-2019-19648: In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.

Please fix it.

Created: 2019-12-09 Last update: 2020-01-22 20:04

12 ignored security issues in stretch low

There are 12 open security issues in stretch.

12 issues skipped by the security teams:

CVE-2017-8294: libyara/re.c in the regex component in YARA 3.5.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted rule that is mishandled in the yr_re_exec function.
CVE-2018-19976: In YARA 3.8.1, bytecode in a specially crafted compiled rule is exposed to information about its environment, in libyara/exec.c. This is a consequence of the design of the YARA virtual machine.
CVE-2017-9438: libyara/re.c in the regexp module in YARA 3.5.0 allows remote attackers to cause a denial of service (stack consumption) via a crafted rule (involving hex strings) that is mishandled in the _yr_re_emit function, a different vulnerability than CVE-2017-9304.
CVE-2017-11328: Heap buffer overflow in the yr_object_array_set_item() function in object.c in YARA 3.x allows a denial-of-service attack by scanning a crafted .NET file.
CVE-2019-19648: In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.
CVE-2018-19974: In YARA 3.8.1, bytecode in a specially crafted compiled rule can read uninitialized data from VM scratch memory in libyara/exec.c. This can allow attackers to discover addresses in the real stack (not the YARA virtual stack).
CVE-2018-19975: In YARA 3.8.1, bytecode in a specially crafted compiled rule can read data from any arbitrary address in memory, in libyara/exec.c. Specifically, OP_COUNT can read a DWORD.
CVE-2017-9465: The yr_arena_write_data function in YARA 3.6.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) or obtain sensitive information from process memory via a crafted file that is mishandled in the yr_re_fast_exec function in libyara/re.c and the _yr_scan_match_callback function in libyara/scan.c.
CVE-2017-8929: The sized_string_cmp function in libyara/sizedstr.c in YARA 3.5.0 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted rule.
CVE-2017-9304: libyara/re.c in the regexp module in YARA 3.5.0 allows remote attackers to cause a denial of service (stack consumption) via a crafted rule that is mishandled in the _yr_re_emit function.
CVE-2018-12035: In YARA 3.7.1 and prior, parsing a specially crafted compiled rule file can cause an out of bounds write vulnerability in yr_execute_code in libyara/exec.c.
CVE-2018-12034: In YARA 3.7.1 and prior, parsing a specially crafted compiled rule file can cause an out of bounds read vulnerability in yr_execute_code in libyara/exec.c.

Please fix them.

Created: 2017-04-28 Last update: 2020-01-22 20:04

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.0 instead of 4.4.0).

Created: 2019-07-08 Last update: 2020-01-21 05:06

news

[rss feed]

[2019-10-18] yara 3.11.0-2 MIGRATED to testing (Debian testing watch)
[2019-10-13] Accepted yara 3.11.0-2 (source) into unstable (Hilko Bengen)
[2019-10-10] Accepted yara 3.11.0-1 (source) into unstable (Hilko Bengen)
[2019-09-20] yara 3.10.0-2 MIGRATED to testing (Debian testing watch)
[2019-06-07] Accepted yara 3.10.0-2 (source) into unstable (Hilko Bengen)
[2019-05-03] Accepted yara 3.10.0-1 (source) into unstable (Hilko Bengen)
[2019-03-05] yara 3.9.0-1 MIGRATED to testing (Debian testing watch)
[2019-02-22] Accepted yara 3.9.0-1 (source) into unstable (Hilko Bengen)
[2018-12-27] Accepted yara 3.8.1-2~bpo9+1 (source) into stretch-backports (Hilko Bengen)
[2018-12-24] yara 3.8.1-2 MIGRATED to testing (Debian testing watch)
[2018-12-21] Accepted yara 3.8.1-2 (source) into unstable (Hilko Bengen)
[2018-08-22] Accepted yara 3.8.1-1~bpo9+1 (source) into stretch-backports (Hilko Bengen)
[2018-08-22] yara 3.8.1-1 MIGRATED to testing (Debian testing watch)
[2018-08-16] Accepted yara 3.8.1-1 (source) into unstable (Hilko Bengen)
[2018-08-15] yara 3.8.0-5 MIGRATED to testing (Debian testing watch)
[2018-08-09] Accepted yara 3.8.0-5 (source) into unstable (Hilko Bengen)
[2018-08-08] Accepted yara 3.8.0-4 (source) into unstable (Hilko Bengen)
[2018-08-07] Accepted yara 3.8.0-3 (source) into unstable (Hilko Bengen)
[2018-08-06] Accepted yara 3.8.0-2 (source) into unstable (Hilko Bengen)
[2018-08-06] Accepted yara 3.8.0-1 (source) into unstable (Hilko Bengen)
[2018-07-11] Accepted yara 3.7.1-3~bpo9+1 (source) into stretch-backports (Hilko Bengen)
[2018-06-22] yara 3.7.1-3 MIGRATED to testing (Debian testing watch)
[2018-06-17] Accepted yara 3.7.1-3 (source) into unstable (Hilko Bengen)
[2018-02-19] yara 3.7.1-2 MIGRATED to testing (Debian testing watch)
[2018-02-13] Accepted yara 3.7.1-2 (source) into unstable (Hilko Bengen)
[2018-01-21] yara 3.7.1-1 MIGRATED to testing (Debian testing watch)
[2018-01-16] Accepted yara 3.7.1-1 (source) into unstable (Hilko Bengen)
[2017-12-08] Accepted yara 3.7.0-5~bpo9+1 (source amd64 all) into stretch-backports, stretch-backports (Hilko Bengen)
[2017-11-30] yara 3.7.0-5 MIGRATED to testing (Debian testing watch)
[2017-11-24] Accepted yara 3.7.0-5 (source) into unstable (Hilko Bengen)

bugs [bug history graph]

all: 0

links

homepage
buildd: logs, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.9.0-1