Conversation

@zwass
Member

zwass commented Jul 16, 2025

This seems to build just fine on my Mac and a Ubuntu 24.04 VM. Trying to dig into what might be different in CI here.

@Smjert
Member

Smjert commented Jul 16, 2025

I can reproduce the issue on Linux.

There's also a similar issue upstream at VirusTotal/yara#2000, and it's because they missed a file in their own build (which we are also missing, after the Yara update).

Every time we update the version of a library we should really re-run all the steps, on all the platforms, to get the hardcoded configuration we write in our CMakeLists file.

For Linux especially this means to concretely take a VM with the minimum version of Linux we support (CentOS 7), use the library's own build system to configure it against that OS version and to determine files to build, flags to pass and so on.

It's not guaranteed that a build failure exists (an API interface change) to indicate that this procedure must be done. You could get differences in performance, functionality or plain memory corruption.
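A small check that goes with the procedure described above: compare the `${library_root}/...c` entries hardcoded in a vendored CMakeLists.txt against the `.c` files actually present in the updated library tree, so that a file the upstream build added since the last update (as happened here) shows up before anyone hits a link error. This is an added example, not osquery's or YARA's own tooling; the CMake snippet and file list below are constructed to resemble the layout in this thread, and the `scan_tree` helper assumes a checked-out library root under which only `.c` files matter.

```python
import re
from pathlib import Path
from typing import Iterable

# Matches quoted entries such as "${library_root}/modules/pe/pe.c" in the
# hardcoded CMake source list (the pattern used in osquery's vendored builds).
_SOURCE_RE = re.compile(r'"\$\{library_root\}/([^"]+\.c)"')


def cmake_sources(cmake_text: str) -> set[str]:
    """Relative .c paths listed in a CMakeLists.txt via ${library_root}."""
    return set(_SOURCE_RE.findall(cmake_text))


def scan_tree(root: Path, subdir: str = "libyara") -> set[str]:
    """All .c files under <root>/<subdir>, as paths relative to that subdir.

    Assumption: the library keeps its compiled sources under one subdirectory
    (libyara/ for YARA); adjust `subdir` for other libraries.
    """
    base = root / subdir
    return {p.relative_to(base).as_posix() for p in base.rglob("*.c")}


def compare_sources(cmake_text: str, tree_files: Iterable[str]) -> dict[str, list[str]]:
    """Report sources present in the tree but not in CMake, and vice versa.

    A file listed under missing_from_cmake is a candidate, not necessarily a
    bug: upstream build systems compile some .c files only on certain
    platforms or only for tests, so each hit still needs a look at the
    upstream Makefile.am/CMake to see whether the configured build wants it.
    A file under not_in_tree is always wrong: the build will fail on it.
    """
    listed = cmake_sources(cmake_text)
    present = {f for f in tree_files if f.endswith(".c")}
    return {
        "missing_from_cmake": sorted(present - listed),
        "not_in_tree": sorted(listed - present),
    }


# Constructed sample: a trimmed source list in the style of the thread's diff,
# before simple_str.c / tlshc / authenticode-parser were added to it.
SAMPLE_CMAKE = """
  add_library(thirdparty_yara
    "${library_root}/scan.c"
    "${library_root}/scanner.c"
    "${library_root}/sizedstr.c"
    "${library_root}/modules/pe/pe.c"
    "${library_root}/stale.c"
  )
"""

# Constructed sample tree listing (what scan_tree would return for an updated
# checkout); stale.c is deliberately absent and a header is included to show
# it is ignored.
SAMPLE_TREE = [
    "scan.c",
    "scanner.c",
    "simple_str.c",
    "sizedstr.c",
    "tlshc/tlsh.c",
    "modules/pe/pe.c",
    "modules/pe/authenticode-parser/authenticode.c",
    "include/yara.h",
]


def sample_report() -> dict[str, list[str]]:
    """Run the comparison on the constructed sample above."""
    return compare_sources(SAMPLE_CMAKE, SAMPLE_TREE)


if __name__ == "__main__":
    for key, files in sample_report().items():
        print(key)
        for f in files:
            print("  " + f)
```

Running the check against a real checkout is `compare_sources(Path("libraries/cmake/source/yara/CMakeLists.txt").read_text(), scan_tree(Path("path/to/yara")))`; it does not replace re-running the upstream configure step on the oldest supported platform, which is the only way to learn the compile definitions and flags, but it catches the dropped-source-file case cheaply on every update.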

@LeSuisse
Contributor Author

Yep, it's on my todo list; that's why the PR is still in draft for now.

@ksykulev
Contributor

ksykulev commented Jul 17, 2025

I was able to reproduce this locally on my Mac with SDK 15.5.
[Screenshot 2025-07-17 at 10 32 02 AM]
Here is what I had to add to my yara CMakeLists.txt to get it to work:

diff --git a/libraries/cmake/source/yara/CMakeLists.txt b/libraries/cmake/source/yara/CMakeLists.txt
index dca9e2010..45519a68d 100644
--- a/libraries/cmake/source/yara/CMakeLists.txt
+++ b/libraries/cmake/source/yara/CMakeLists.txt
@@ -37,12 +37,16 @@ function(yaraMain)
     "${library_root}/rules.c"
     "${library_root}/scan.c"
     "${library_root}/scanner.c"
+    "${library_root}/simple_str.c"
     "${library_root}/sizedstr.c"
     "${library_root}/stack.c"
     "${library_root}/stopwatch.c"
     "${library_root}/stream.c"
     "${library_root}/strutils.c"
     "${library_root}/threading.c"
+    "${library_root}/tlshc/tlsh.c"
+    "${library_root}/tlshc/tlsh_impl.c"
+    "${library_root}/tlshc/tlsh_util.c"
     "${library_root}/modules/console/console.c"
     "${library_root}/modules/dex/dex.c"
     "${library_root}/modules/dotnet/dotnet.c"
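Review bot: the three `tlshc/*.c` sources added in this hunk (`+    "${library_root}/tlshc/tlsh.c"` and friends) are only meaningful together with the `BUCKETS_256` definition that a later hunk adds to `target_compile_definitions`; if the two hunks land separately the TLSH code compiles with whatever bucket configuration its headers default to, which is exactly the silent behaviour difference the thread warns about. Keep the source additions and their compile definition in one commit, and consider a comment at the top of this source list recording the upstream YARA version (4.5.4) and build step it was derived from, so the next updater knows the list is generated, not curated.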
@@ -52,6 +56,12 @@ function(yaraMain)
     "${library_root}/modules/math/math.c"
     "${library_root}/modules/pe/pe.c"
     "${library_root}/modules/pe/pe_utils.c"
+    "${library_root}/modules/pe/authenticode-parser/authenticode.c"
+    "${library_root}/modules/pe/authenticode-parser/certificate.c"
+    "${library_root}/modules/pe/authenticode-parser/countersignature.c"
+    "${library_root}/modules/pe/authenticode-parser/helper.c"
+    "${library_root}/modules/pe/authenticode-parser/structs.c"
+    "${library_root}/modules/string/string.c"
     "${library_root}/modules/tests/tests.c"
     "${library_root}/modules/time/time.c"
   )
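Review bot: the five `modules/pe/authenticode-parser/*.c` files and `modules/string/string.c` are added to the unconditional source list here, while the `PE_MODULE` and `STRING_MODULE` definitions that actually enable those modules sit in a separate hunk; the two belong together. No include directory for `authenticode-parser/` is visible in this diff, so verify whether those sources build with the existing `target_include_directories` or need their own entry, and confirm that `HAVE_LIBCRYPTO=1` (already in the definitions list) is the only external dependency the authenticode parser expects, since this is signature-parsing code that should not end up compiled against a stub crypto path.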
@@ -101,7 +111,10 @@ function(yaraMain)
   target_compile_definitions(thirdparty_yara PRIVATE
     DOTNET_MODULE
     HASH_MODULE
+    PE_MODULE
+    STRING_MODULE
     HAVE_LIBCRYPTO=1
+    BUCKETS_256
     ${yara_strutils_definitions}
   )
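Review bot: `PE_MODULE`, `STRING_MODULE` and `BUCKETS_256` are added without a comment explaining their origin; since the thread establishes that this definitions list is meant to mirror what the library's own configure step produces on the oldest supported platform, add a one-line comment above the block naming that source of truth. `BUCKETS_256` in particular reads as a TLSH configuration choice rather than a module enable, so grouping it next to a short note ("matches upstream default") would prevent a future maintainer from treating it as optional or dropping it when the tlshc sources are next touched.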

@ksykulev
Contributor

My build flags:

$ cmake -DOSQUERY_VERSION=5.18.1 -DCMAKE_OSX_DEPLOYMENT_TARGET=10.15 -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ ..

@LeSuisse
Contributor Author

Rebased, adjusted the build config and ran some tests. This should be good to go.

@LeSuisse LeSuisse marked this pull request as ready for review July 28, 2025 09:25
@LeSuisse LeSuisse requested review from a team as code owners July 28, 2025 09:25
"version": "4.5.4",
"commit": "7ff39042be5c63682a037e13a75221d59393cf8b",
"ignored-cves": [
"CVE-2021-45429"
Member

@zwass zwass Jul 29, 2025

Can we remove this now? Seems like it was already not applicable in the 4.2.3 version we were using.

Contributor Author

Good catch, updated!

Member

@zwass zwass left a comment

LGTM but let's remove that ignored CVE if it's no longer relevant.

Member

@zwass zwass left a comment

Awesome, thank you!

@zwass zwass merged commit 9c38cfc into osquery:master Jul 30, 2025
22 checks passed
@LeSuisse LeSuisse deleted the yara-4.5.4 branch July 31, 2025 06:02