VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

test-magic failed with libmagic 5.44 and yara 4.2.3 #1853

Closed hamarituc closed 1 year ago

hamarituc commented 1 year ago

Describe the bug

When running the test suite, the test test-magic fails in line 24 when compiled against libmagic version 5.44.

tests/test-magic.c:24: rule does not match (but should)
FAIL test-magic (exit status: 1)

It succeeds if yara is compiled against libmagic version 5.43.

To Reproduce

  1. Install libmagic version 5.44
  2. Compile
  3. Run test suite

Expected behavior

The test succeeds for both versions of libmagic.

Screenshots

The file /tmp/pe32 is extracted from the variable PE32_FILE of tests/blob.h:

With libmagic version 5.44:

$ file --version
file-5.44
magic file from /usr/share/misc/magic
seccomp support included
$ file -i /tmp/pe32
/tmp/pe32: application/vnd.microsoft.portable-executable; charset=binary
$ file /tmp/pe32   
/tmp/pe32: PE32 executable (GUI) Intel 80386, for MS Windows

With libmagic version 5.43:

$ file --version
file-5.43
magic file from /usr/share/misc/magic
seccomp support included
$ file /tmp/pe32   
/tmp/pe32: MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
$ file -i /tmp/pe32
/tmp/pe32: application/x-dosexec; charset=binary

Additional context

Maybe it's related to #1715. But there isn't enough data to judge. The change of behavior in #1715 was observed between versions 5.35 and 5.39 of libmagic, whereas here it's between 5.43 and 5.44. So I'd like to open an independent issue, because it's not quite clear whether the origin of the error is the same.

Seems to be a regression of #1713, #1714.

See also: https://bugs.gentoo.org/889182

hamarituc commented 1 year ago

Even the patch in #1853 doesn't work. In my setup libmagic returns PE32 executable, but the test expects PE32+ executable.
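
For rule authors affected by the same libmagic change, the following is an added example, not code from the YARA project or from this issue's author. It shows one rule that accepts the libmagic strings reported above for both 5.43 and 5.44, and one that avoids libmagic entirely by checking the PE structure; the rule names are hypothetical.

```yara
import "magic"

// Accepts the MIME types shown in this issue for libmagic 5.43
// (application/x-dosexec) and 5.44
// (application/vnd.microsoft.portable-executable).
// Requires a YARA build that includes the magic module.
rule pe_magic_version_tolerant
{
    condition:
        magic.mime_type() == "application/x-dosexec" or
        magic.mime_type() == "application/vnd.microsoft.portable-executable" or
        // Substring match covers "PE32 executable" and "PE32+ executable",
        // with or without the "MS-DOS executable" prefix printed by 5.43.
        magic.type() contains "PE32"
}

// Independent of the installed libmagic version: checks the "MZ" DOS
// header and the "PE\0\0" signature at the offset stored in e_lfanew (0x3C).
rule pe_structural_check
{
    condition:
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550
}
```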