Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test-magic failed with libmagic 5.44 and yara 4.2.3 #1853

Closed
hamarituc opened this issue Jan 2, 2023 · 1 comment · Fixed by #1854
Closed

test-magic failed with libmagic 5.44 and yara 4.2.3 #1853

hamarituc opened this issue Jan 2, 2023 · 1 comment · Fixed by #1854
Labels
bug

Comments

@hamarituc
Copy link
Contributor

Describe the bug

When running the test suite, the test test-magic fails in line 24 when compiled against libmagic version 5.44.

tests/test-magic.c:24: rule does not match (but should)
FAIL test-magic (exit status: 1)

It succeeds if yara is compiled against libmagic version 5.43.

To Reproduce

  1. Install libmagic version 5.44
  2. Compile
  3. Run test suite

Expected behavior

The test succeeds for both versions of libmagic.

Screenshots

The file /tmp/pe32 is extracted from the variable PE32_FILE of tests/blob.h:

With libmagic version 5.44:

$ file --version
file-5.44
magic file from /usr/share/misc/magic
seccomp support included
$ file -i /tmp/pe32
/tmp/pe32: application/vnd.microsoft.portable-executable; charset=binary
$ file /tmp/pe32   
/tmp/pe32: PE32 executable (GUI) Intel 80386, for MS Windows

With libmagic version 5.43:

$ file --version
file-5.43
magic file from /usr/share/misc/magic
seccomp support included
$ file /tmp/pe32   
/tmp/pe32: MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
$ file -i /tmp/pe32
/tmp/pe32: application/x-dosexec; charset=binary

Please complete the following information:

  • OS: Gentoo Linux
  • YARA version: 4.2.3

Additional context

Maybe it's related to #1715. But there isn't enough data to judge. The change of behavior in #1715 was observed between versions 5.35 and 5.39 of libmagic, whereas here it's between 5.43 and 5.44. So I'd like to open an independent issue, because it's not quite sure whether the origin of the error is the same.

Seems to be a regression of #1713, #1714.

See also: https://bugs.gentoo.org/889182
@hamarituc hamarituc added the bug label Jan 2, 2023
@hamarituc
Copy link
Contributor Author

Even the patch in #1853 doesn't work. In my setup libmagic returns PE32 executable, but the test expects PE32+ executable.

hamarituc added a commit to hamarituc/yara that referenced this issue Jan 2, 2023
@hamarituc
test-magic: Update expected strings (VirusTotal#1853)
1b5d787 
As of file 5.44, some PE-related strings and MIME types have been
updated, causing the test to fail. This commit extends the fix in
0939464 to cover more cases.

closes VirusTotal#1853

See [Gentoo bug#889182](https://bugs.gentoo.org/889182)
@hamarituc hamarituc mentioned this issue Jan 2, 2023
Merged
plusvic pushed a commit that referenced this issue Jan 3, 2023
@hamarituc
test-magic: Update expected strings (#1853) (#1854)
26d5afc 
As of file 5.44, some PE-related strings and MIME types have been
updated, causing the test to fail. This commit extends the fix in
0939464 to cover more cases.

closes #1853

See [Gentoo bug#889182](https://bugs.gentoo.org/889182)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

test-magic: Update expected strings (#1853) hamarituc/yara
1 participant
@hamarituc