Releases: VirusTotal/yara

YARA v4.5.2

10 Sep 09:41
688268d
  • Increase the limit for the maximum number of rows in dotnet module (608fb3d).
  • Limit resource names to 1000 characters at most (3f5b4c7).
  • Recover from syntax error at the end of an included file (4fc1ff8).
  • BUGFIX: Crash while parsing PE Rich headers with certain files (cbc982d).
  • BUGFIX: Segfault with regular expressions that matched the zero-length string (8616165).
  • BUGFIX: Mitigate stack overflow when scanning very deep directory trees (2a9f61d).
  • BUGFIX: Fix regression introduced in 6209630 (44fd094).

YARA v4.5.1

25 May 14:24
  • Allow spaces in regexp repetition operators (e.g. {n, m}).
  • BUGFIX: matches operator was not matching empty strings (#c80cd9d).
  • BUGFIX: Several bugs in array type handling in dotnet module (#2064).
  • BUGFIX: Fix issue while parsing .NET files (5bf72f2).
  • BUGFIX: Fix issues while parsing PE resources (c009195, 4793b49).
  • BUGFIX: Infinite loop while parsing corrupt PE files (e453eb1).
  • BUGFIX: OOM errors while parsing corrupt PE files (4b9b4c0, 1be9811).
  • BUGFIX: Build issue in Alpine Linux due to pread64 not found (#2050).
  • BUGFIX: Issue while parsing rich header in some PE files (4793b49).

YARA v4.5.0

13 Feb 11:40
  • Unreferenced strings are allowed if their identifier starts with _ (#1941).
  • New command-line option --disable-console-logs for disabling the output of the console module (#1915)
  • New command-line option --strict-escape that raises warnings on unknown escape sequences (#1880).
  • Improve performance by avoiding the execution of rule conditions that can't match (#1927)
  • Add callback message CALLBACK_MSG_TOO_SLOW_SCANNING for notifying about slow rules (#1921).
  • Expose function RVA in pe.export_details (#1882).
  • BUGFIX: Fix issues in the computation of imphash in pe module (#1944). Credits to the NSHC ThreatRecon team!
  • BUGFIX: Fix multiple out-of-bounds memory reads in dex module (#1949, #1951).
  • BUGFIX: Fix memory alignment issues (#1930).
  • BUGFIX: Some strings with the wide and ascii modifiers not matching as they should (#1933).
  • BUGFIX: Some rules not matching when --fast-scan is used (4de3d57)
  • BUGFIX: Properly list memory regions while scanning processes in Mac OS. (#2033)
  • BUGFIX: RFC5652 countersignatures are now correctly parsed in pe module (#2034)
  • BUGFIX: Fix potential DoS due to crashes in authenticode parser with malformed files (#2034) CVE-2024-26364. Credits to Bahaa Naamneh!
  • BUGFIX: Fix SIGSEGV in magic module when libmagic returns null pointer (3342aa0)
  • BUGFIX: Prevent infinite recursion while following symlinks (923368e)

Thanks to: @mgoffin, @wxsBSD, @cblichmann, @secDre4mer, @vthib, @regeciovad, @kylereedmsft, @TommYDeeee, @humpalum, @metthal

YARA v4.4.0

13 Feb 11:39
1a85738
fix: If any signature is valid, the file is properly signed (#1936)

YARA v4.3.2

12 Jun 14:28
  • BUGFIX: assertion triggered with certain hex patterns when scanning arbitrary files (bcc6312). Reported by Huawei Central Software Institute Security Team.

YARA v4.3.1

21 Apr 08:26
  • BUGFIX: Functions import_rva and import_delayed_rva are now case-insensitive (#1904)
  • BUGFIX: Fix heap-related issue in dotnet module on Windows (#1902)
  • BUGFIX: Fix heap corruption with certain rules that have very long string sets (67cccf0)

YARA v4.3.0

27 Mar 14:36
  • Added a not operator for bytes in hex strings. Example: {01 ~02 03} (#1676).
  • for statement can iterate over sets of literal strings (e.g. for any s in ("a", "b"): (pe.imphash() == s)) (#1787).
  • of statement can be used with at (e.g. any of them at 0) (#1790).
  • Added the --print-xor-key (-X in short form) command-line option that prints the XOR key for xored strings (#1745).
  • Implement the --skip-larger command-line option in Windows (#1678).
  • Add parsing of .NET user types from .NET metadata stream in "dotnet" module (#1605).
  • Improve certificate parsing and validation in "pe" module (#1623).
  • Add telfhash() function to "elf" module (#1624).
  • Add to_int() and to_string() functions to "math" module (#1767).
  • Improve error reporting on certain edge cases (#1709, #1722).
  • BUGFIX: Fix multiple memory alignment issues causing crashes in non-x86 platforms (#1724).
  • BUGFIX: Fix implementation of math.serial_correlation (#1771).
  • BUGFIX: Fix infinite recursion in dotnet module (#1794).
  • BUGFIX: Fix SIGFPE when dividing INT64_MIN by -1 (c2557fc).
  • BUGFIX: Fix several endianness issues (#1884, #1874, #1855).

Thanks to @shanehuntley, @1ndahous3, @HoundThe, @wxsBSD, @vthib, @eeyss01.

YARA v4.3.0-rc1

30 Dec 17:23
Pre-release
  • Added a not operator for bytes in hex strings. Example: {01 ~02 03} (#1676).
  • for statement can iterate over sets of literal strings (e.g. for any s in ("a", "b"): (pe.imphash() == s)) (#1787).
  • of statement can be used with at (e.g. any of them at 0) (#1790).
  • Added the --print-xor-key (-X in short form) command-line option that prints the XOR key for xored strings (#1745).
  • Implement the --skip-larger command-line option in Windows (#1678).
  • Add parsing of .NET user types from .NET metadata stream in "dotnet" module (#1605).
  • Improve certificate parsing and validation in "pe" module (#1623).
  • Add telfhash() function to "elf" module (#1624).
  • Add to_int() and to_string() functions to "math" module (#1767).
  • Improve error reporting on certain edge cases (#1709, #1722).
  • BUGFIX: Fix multiple memory alignment issues causing crashes in non-x86 platforms (#1724).
  • BUGFIX: Fix implementation of math.serial_correlation (#1771).
  • BUGFIX: Fix infinite recursion in dotnet module (#1794).
  • BUGFIX: Fix SIGFPE when dividing INT64_MIN by -1.

Thanks to @shanehuntley, @1ndahous3, @HoundThe, @wxsBSD, @vthib

YARA v4.2.3

09 Aug 07:43
  • BUGFIX: Fix security issue that can lead to arbitrary code execution (b77e4f4, b77e4f4). Thanks to ANSSI - CERT-FR for the report.
  • BUGFIX: Fix incorrect logic in expressions like <quantifier> of <string_set> in (start..end) (#1757).

YARA v4.2.2

30 Jun 09:08
  • BUGFIX: Fix buffer overrun in "dex" module (#1728).
  • BUGFIX: Wrong offset used when checking Version string of .net metadata (#1708).
  • BUGFIX: YARA doesn't compile if --with-debug-verbose flag is enabled (#1719).
  • BUGFIX: Null-pointer dereferences while loading corrupted compiled rules (#1727).

Thanks to @sudhackar, @wxsBSD, @dangodangodango, @MatejKastak