The sized_string_cmp function in libyara/sizedstr.c in YARA 3.5.0 allows attackers to cause a denial of service (use-after-free and application crash) via a crafted rule. Upstream issue: https://github.com/VirusTotal/yara/issues/658 Upstream patch: https://github.com/VirusTotal/yara/commit/053e67e3ec81cc9268ce30eaf0d6663d8639ed1e
Created yara tracking bugs for this issue: Affects: epel-all [bug 1451383] Affects: fedora-all [bug 1451384]
Fixed in yara-3.6.0-1.fc26 yara-3.6.0-1.el7 yara-3.6.0-1.fc24 yara-3.6.0-1.fc25