From d3af3f6f110000c7a5b4cdcc2fb25c0ab8d36817 Mon Sep 17 00:00:00 2001
From: Pawel Winogrodzki
Date: Thu, 7 May 2026 01:35:26 +0000
Subject: [PATCH 1/2] yara: modified Source0 with malware-scanner-tripping fixture stripped

The upstream `yara-4.5.4.tar.gz` tarball ships `tests/oss-fuzz/dotnet_fuzzer_corpus/obfuscated`, a deliberately obfuscated .NET binary used as an oss-fuzz seed-corpus input for YARA's own .NET parser fuzzer. The file is benign by intent (it is a fuzzer input, not a runtime artefact), but it matches generic .NET-obfuscator detection heuristics by design and is rejected by the automated malware scan in our package signing pipeline.
---
 base/comps/components.toml | 1 -
 base/comps/yara/modify_source.sh | 151 +++++++++++++++++++++++++++++++
 base/comps/yara/yara.comp.toml | 59 ++++++++++++
 locks/yara.lock | 2 +-
 specs/y/yara/sources | 2 +-
 specs/y/yara/yara.spec | 6 +-
 6 files changed, 217 insertions(+), 4 deletions(-)
 create mode 100755 base/comps/yara/modify_source.sh
 create mode 100644 base/comps/yara/yara.comp.toml

diff --git a/base/comps/components.toml b/base/comps/components.toml
index d612b252650..8bde1a32425 100644
--- a/base/comps/components.toml
+++ b/base/comps/components.toml
@@ -7182,7 +7182,6 @@ includes = ["**/*.comp.toml", "component-check-disablement.toml"]
 [components.yajl]
 [components.yaksa]
 [components.yaml-cpp]
-[components.yara]
 [components.yarnpkg]
 [components.yelp]
 [components.yelp-tools]
diff --git a/base/comps/yara/modify_source.sh b/base/comps/yara/modify_source.sh
new file mode 100755
index 00000000000..232875dc36d
--- /dev/null
+++ b/base/comps/yara/modify_source.sh
@@ -0,0 +1,151 @@
+#!/usr/bin/env bash
+#
+# yara — strip benign-but-scanner-tripping fixture from upstream tarball.
+#
+# Background
+# ----------
+# An automated malware scan in the package signing pipeline rejects
+# `tests/oss-fuzz/dotnet_fuzzer_corpus/obfuscated` inside the upstream
+# `yara-4.5.4.tar.gz` tarball. The file is a deliberately obfuscated
+# .NET binary used as an oss-fuzz seed-corpus input for YARA's `.NET`
+# parser fuzzer; it is benign but matches generic .NET-obfuscator
+# heuristics by design.
+#
+# The `*_fuzzer.cc` oss-fuzz harnesses (and their `*_fuzzer_corpus/`
+# directories) are NOT referenced from upstream's `Makefile.am`, so the
+# autotools `make check` driver does not exercise them. Removing
+# `tests/oss-fuzz/dotnet_fuzzer_corpus/obfuscated` (and, optionally,
+# the rest of the dotnet fuzzer corpus) does not affect the Azure Linux
+# build or `%check`.
+#
+# This script repacks the upstream tarball with the offending file
+# stripped, then prints the SHA512 of the modified artefact for use in
+# `base/comps/yara/yara.comp.toml`'s `source-files` block. The
+# modified tarball must be uploaded to the Azure Linux modified-source
+# blob storage; its blob URL becomes the `source-files.origin.uri` in
+# the comp TOML.
+#
+# Reproducibility notes
+# ---------------------
+# - The script uses `tar --sort=name --mtime=` flags to produce a
+# byte-deterministic output, so re-running on the same upstream
+# tarball must always yield the same SHA512.
+# - `gzip -n` strips mtime/filename metadata from the gzip header for
+# the same reason.
+#
+# Output location
+# ---------------
+# The script writes its outputs to `base/build/work/scratch/yara/`
+# (resolved relative to the repository root). This path is covered by
+# the repository's top-level `.gitignore` via `build/`, so no
+# component-level `.gitignore` is needed and no script artefact can be
+# accidentally committed.
+#
+# Usage:
+# bash modify_source.sh
+#
+# Outputs (under base/build/work/scratch/yara/):
+# yara-4.5.4-azl-stripped.tar.gz
+# yara-4.5.4-azl-stripped.tar.gz.sha512
+#
+# After running:
+# 1. Upload `yara-4.5.4-azl-stripped.tar.gz` as the blob payload at
+# the lookaside URL pattern (modified container) for filename
+# `yara-4.5.4.tar.gz`. The exact URL is printed by this script.
+# 2. The `hash` and `origin.uri` fields in
+# `base/comps/yara/yara.comp.toml` are already populated for the
+# SHA512 produced by this script; if your run produces a
+# different SHA512, update both the `source-files.hash` value and
+# the URI's `$hash` path segment to the new value.
+
+set -euo pipefail
+
+UPSTREAM_URL="https://github.com/VirusTotal/yara/archive/v4.5.4.tar.gz"
+ORIGINAL_NAME="yara-4.5.4.tar.gz"
+ORIGINAL_SHA512="b1da40636f9e55bb07cc911479e6dfa8dc7a4fa3f6b9f10b9f669d741d7af51a1d31e044f9842ec3ab9c6ac9788fbdb89a1686c9e3f22f68d1f9e5fb3db22167"
+MODIFIED_NAME="yara-4.5.4-azl-stripped.tar.gz"
+EXTRACTED_DIRNAME="yara-4.5.4"
+
+# Files to remove from the upstream tarball. Keep this list explicit and
+# short so the rationale is always auditable.
+declare -a STRIP_PATHS=(
+ "${EXTRACTED_DIRNAME}/tests/oss-fuzz/dotnet_fuzzer_corpus/obfuscated"
+)
+
+# Resolve the script's own directory, then walk up to the repo root so
+# the work directory lands at base/build/work/scratch/yara/ no matter
+# where the script is invoked from. Layout:
+# /base/comps/yara/modify_source.sh <- this script
+# /base/build/work/scratch/yara/ <- WORKDIR
+SCRIPT_DIR="$(cd "$(dirname "$(realpath "$0")")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
+WORKDIR="${REPO_ROOT}/base/build/work/scratch/yara"
+mkdir -p "${WORKDIR}"
+cd "${WORKDIR}"
+
+echo "[1/5] Downloading ${ORIGINAL_NAME} from upstream into ${WORKDIR}"
+curl -fsSL --retry 3 -o "${ORIGINAL_NAME}" "${UPSTREAM_URL}"
+
+echo "[2/5] Verifying original SHA512"
+COMPUTED_ORIGINAL_SHA512=$(sha512sum "${ORIGINAL_NAME}" | awk '{print $1}')
+if [[ "${COMPUTED_ORIGINAL_SHA512}" != "${ORIGINAL_SHA512}" ]]; then
+ echo "ERROR: upstream SHA512 mismatch" >&2
+ echo " expected: ${ORIGINAL_SHA512}" >&2
+ echo " computed: ${COMPUTED_ORIGINAL_SHA512}" >&2
+ exit 1
+fi
+
+echo "[3/5] Extracting"
+rm -rf "${EXTRACTED_DIRNAME}"
+tar -xzf "${ORIGINAL_NAME}"
+
+echo "[4/5] Stripping flagged paths"
+for p in "${STRIP_PATHS[@]}"; do
+ if [[ ! -e "${p}" ]]; then
+ echo "ERROR: expected path not present in upstream: ${p}" >&2
+ exit 1
+ fi
+ rm -v "${p}"
+done
+
+echo "[5/5] Repacking deterministically as ${MODIFIED_NAME}"
+# --sort=name : deterministic file ordering
+# --mtime : pin mtime to a fixed epoch so the output is reproducible
+# --owner=0 --group=0 --numeric-owner : strip uid/gid/uname/gname
+# gzip -n : do not store the mtime/filename in the gzip header
+rm -f "${MODIFIED_NAME}"
+tar --sort=name \
+ --mtime='2024-01-01 00:00:00 UTC' \
+ --owner=0 --group=0 --numeric-owner \
+ -cf - "${EXTRACTED_DIRNAME}" | gzip -n -9 > "${MODIFIED_NAME}"
+
+MODIFIED_SHA512=$(sha512sum "${MODIFIED_NAME}" | awk '{print $1}')
+echo "${MODIFIED_SHA512} ${MODIFIED_NAME}" > "${MODIFIED_NAME}.sha512"
+
+echo
+echo "================================================================"
+echo "DONE"
+echo " modified tarball: ${WORKDIR}/${MODIFIED_NAME}"
+echo " SHA512: ${MODIFIED_SHA512}"
+echo "================================================================"
+echo
+echo "Next steps:"
+echo " 1. Make sure you are logged in to Azure (one-time per shell):"
+echo " az login"
+echo " 2. Upload the modified tarball with this ready-to-paste command"
+echo " (uploads to the lookaside 'repo' container under the"
+echo " 'pkgs_modified/' prefix at the exact path"
+echo " base/comps/yara/yara.comp.toml's source-files.origin.uri expects):"
+echo
+echo " az storage blob upload \\"
+echo " --auth-mode login \\"
+echo " --account-name azltempstaginglookaside \\"
+echo " --container-name repo \\"
+echo " --name \"pkgs_modified/yara/yara-4.5.4.tar.gz/sha512/${MODIFIED_SHA512}/yara-4.5.4.tar.gz\" \\"
+echo " --file \"${WORKDIR}/${MODIFIED_NAME}\""
+echo
+echo " 3. The hash + URI in base/comps/yara/yara.comp.toml are"
+echo " already populated for SHA512 ${MODIFIED_SHA512:0:16}...; if the"
+echo " SHA512 above does NOT match, update both the source-files.hash"
+echo " value, the URI's \$hash path segment, and the --name argument"
+echo " in the upload command above to the new value."
diff --git a/base/comps/yara/yara.comp.toml b/base/comps/yara/yara.comp.toml
new file mode 100644
index 00000000000..0090cd63822
--- /dev/null
+++ b/base/comps/yara/yara.comp.toml
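Review bot: The "byte-deterministic output" claim in the header does not hold across users, because `tar -xzf "${ORIGINAL_NAME}"` applies the invoking user's umask to the extracted files when the script is not run as root, and the repack then records whatever modes resulted; two maintainers with different umasks get different SHA512s for the same upstream tarball. Extracting with `tar -xpzf "${ORIGINAL_NAME}"` (`-p` keeps the modes recorded in the archive) or pinning modes on the repack with tar's `--mode` option closes that gap, and pinning `--format` as well is worth considering since GNU tar's default archive format can be changed at build time. The script also only prints the modified SHA512 and leaves the comparison with the value pinned in `yara.comp.toml` to the reader; holding the expected value in an `EXPECTED_MODIFIED_SHA512` constant and exiting non-zero on mismatch would make drift (a different tar or gzip version, for instance) fail loudly instead of quietly producing an artefact the comp TOML will never fetch. Whether that check belongs here or in the upload step is a judgement call, but the pipeline as written has no point at which the two hashes are ever compared.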
@@ -0,0 +1,59 @@
+# yara: serve a modified Source0 tarball with a benign-but-scanner-
+# tripping .NET-obfuscator fuzzer-corpus fixture stripped.
+#
+# An automated malware scan in the package signing pipeline rejects
+# `tests/oss-fuzz/dotnet_fuzzer_corpus/obfuscated` inside the
+# upstream `yara-4.5.4.tar.gz` tarball. The file is a deliberately
+# obfuscated .NET binary that ships inside upstream's oss-fuzz seed
+# corpus — its purpose is to be obfuscated, as a fuzzer input for
+# YARA's own .NET parser — but it rides inside the SRPM payload that
+# the malware scanner inspects, blocking signing.
+#
+# Removal at %prep time is too late: the malware scanner inspects the
+# SRPM payload, which contains Source0 verbatim. The fix is to
+# repack the upstream tarball with the offending file stripped and
+# serve the modified artefact via the `source-files` block below.
+#
+# `make check` / `%check` is unaffected because the upstream
+# Makefile.am does not reference `tests/oss-fuzz/**` (the oss-fuzz
+# harnesses are exercised only by libFuzzer-driven CI, not by the
+# autotools test driver).
+#
+# The actual modification is performed by `modify_source.sh` next to
+# this TOML; the script writes its outputs to
+# `base/build/work/scratch/yara/` (covered by the repository's
+# top-level `.gitignore`) and prints the deterministic SHA512 of the
+# modified tarball. Native `azldev`/TOML support for source
+# modification is tracked internally as a follow-up; once that
+# lands, both the script and the modified-blob detour can be
+# retired.
+[components.yara]
+
+# Upstream Fedora dist-git ships a `sources` file with the hash of
+# the original `yara-4.5.4.tar.gz` tarball. Since we want to serve
+# a *modified* tarball under the SAME filename (so the spec's
+# Source0 line does not need to change), drop the upstream
+# `sources` file before the `source-files` block below re-creates
+# it with the modified-tarball SHA512.
+[[components.yara.overlays]]
+description = "Drop upstream Fedora `sources` file so the modified-tarball SHA512 in `source-files` below replaces (rather than conflicts with) the original `yara-4.5.4.tar.gz` entry."
+type = "file-remove"
+file = "sources"
+
+[[components.yara.source-files]]
+filename = "yara-4.5.4.tar.gz"
+hash = "57d3388dc9a84f58769679e26624be852d7c83e403ed60a21ae3ba4e1da9162dbc9bacf53d439793df67f4bc6a7fd38d600f10052df2e62255aed50687d2754a"
+hash-type = "SHA512"
+# The URI below mirrors the `lookaside-base-uri` pattern from
+# `overrides/fedora.distro.azl.sources.toml` but routes to the
+# `pkgs_modified` first path segment (instead of `pkgs`) inside
+# the same `repo` container, so the source-fetch pipeline can
+# serve the locally-modified tarball alongside upstream lookaside
+# content while keeping all locally-modified tarballs trivially
+# enumerable under one prefix. Pattern:
+# https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/$pkg/$filename/$hashtype/$hash/$filename
+# The maintainer must upload `yara-4.5.4-azl-stripped.tar.gz`
+# (produced by `modify_source.sh` in this directory; its output
+# lands at `base/build/work/scratch/yara/`) to this blob path
+# before the component can fetch its source.
+origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/yara/yara-4.5.4.tar.gz/sha512/57d3388dc9a84f58769679e26624be852d7c83e403ed60a21ae3ba4e1da9162dbc9bacf53d439793df67f4bc6a7fd38d600f10052df2e62255aed50687d2754a/yara-4.5.4.tar.gz" }
diff --git a/locks/yara.lock b/locks/yara.lock
index b2874af9505..547c550dabf 100644
--- a/locks/yara.lock
+++ b/locks/yara.lock
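Review bot: The `source-files` entry pins only the SHA512 of the modified tarball; nothing in this file records which upstream artefact it was derived from or what was removed, so an auditor has to open `modify_source.sh` to recover the original `b1da4063…` hash and the single stripped path. A provenance comment directly above `hash = ...` keeps the chain of custody in the file the fetch pipeline actually reads, e.g. `# Derived from upstream yara-4.5.4.tar.gz (SHA512 b1da40636f9e…3db22167) by modify_source.sh, which removes only tests/oss-fuzz/dotnet_fuzzer_corpus/obfuscated; re-run the script to reproduce this hash.` The same 128-hex-digit literal is also embedded in `origin.uri`, and the two must be updated together; a one-line comment saying so (`# `hash` and the `$hash` segment of `origin.uri` must be identical.`) would save the next maintainer from a fetch that presumably resolves to a non-existent blob path.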
@@ -2,5 +2,5 @@ version = 1
 import-commit = 'ec3a8c26f3312d5d8c24c3e66d53cd8c75e416b3'
 upstream-commit = 'ec3a8c26f3312d5d8c24c3e66d53cd8c75e416b3'
-input-fingerprint = 'sha256:022aa495b534857b8f135ebb7413367cad98f1bfc60336284c9616d0a685e0f8'
+input-fingerprint = 'sha256:7c28a81998ea8835ada261c370411042b93fcca18221d29b88fdc64e0bccea1a'
 resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e'
diff --git a/specs/y/yara/sources b/specs/y/yara/sources
index 97951e017c9..2a317f6bbbb 100644
--- a/specs/y/yara/sources
+++ b/specs/y/yara/sources
@@ -1 +1 @@
-SHA512 (yara-4.5.4.tar.gz) = b1da40636f9e55bb07cc911479e6dfa8dc7a4fa3f6b9f10b9f669d741d7af51a1d31e044f9842ec3ab9c6ac9788fbdb89a1686c9e3f22f68d1f9e5fb3db22167
+SHA512 (yara-4.5.4.tar.gz) = 57d3388dc9a84f58769679e26624be852d7c83e403ed60a21ae3ba4e1da9162dbc9bacf53d439793df67f4bc6a7fd38d600f10052df2e62255aed50687d2754a
diff --git a/specs/y/yara/yara.spec b/specs/y/yara/yara.spec
index f3ea7b01d96..da060673c20 100644
--- a/specs/y/yara/yara.spec
+++ b/specs/y/yara/yara.spec
@@ -2,7 +2,7 @@
 ## (rpmautospec version 0.8.3)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
- release_number = 4;
+ release_number = 5;
 base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
 print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@@ -201,6 +201,10 @@ make check || (
 %changelog
 ## START: Generated by rpmautospec
+* Thu May 07 2026 Pawel Winogrodzki - 4.5.4-5
+- yara: serve modified Source0 with malware-scanner-tripping fixture
+ stripped
+
 * Thu Apr 30 2026 Daniel McIlvaney - 4.5.4-4
 - feat: introduce deterministic commit resolution via Azure Linux lock file

From 9a74ccbdc4ad3a9a847e763b39ed8de733685dc9 Mon Sep 17 00:00:00 2001
From: Pawel Winogrodzki
Date: Fri, 8 May 2026 20:43:08 +0000
Subject: [PATCH 2/2] Modifying comments.

---
 base/comps/yara/modify_source.sh | 76 ++++++++++++++------------------
 base/comps/yara/yara.comp.toml | 29 ------------
 2 files changed, 33 insertions(+), 72 deletions(-)

diff --git a/base/comps/yara/modify_source.sh b/base/comps/yara/modify_source.sh
index 232875dc36d..60c611be1bb 100755
--- a/base/comps/yara/modify_source.sh
+++ b/base/comps/yara/modify_source.sh
@@ -48,15 +48,9 @@
 # yara-4.5.4-azl-stripped.tar.gz
 # yara-4.5.4-azl-stripped.tar.gz.sha512
 #
-# After running:
-# 1. Upload `yara-4.5.4-azl-stripped.tar.gz` as the blob payload at
-# the lookaside URL pattern (modified container) for filename
-# `yara-4.5.4.tar.gz`. The exact URL is printed by this script.
-# 2. The `hash` and `origin.uri` fields in
-# `base/comps/yara/yara.comp.toml` are already populated for the
-# SHA512 produced by this script; if your run produces a
-# different SHA512, update both the `source-files.hash` value and
-# the URI's `$hash` path segment to the new value.
+# After running upload `yara-4.5.4-azl-stripped.tar.gz` as the blob payload at
+# the lookaside URL pattern (modified container) for filename
+# `yara-4.5.4.tar.gz`. The exact URL is printed by this script.
 set -euo pipefail
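Review bot: The rewritten paragraph reads as a run-on — `# After running upload ...` needs a comma after "running" — and it silently drops the instruction the removed step 2 carried, that `source-files.hash` and the `$hash` segment of `origin.uri` in `yara.comp.toml` must be updated together when a run yields a different SHA512. If that guidance now lives only in the heredoc added at the end of the script (that hunk is cut off in this view, so I cannot confirm), the header should at least point there, e.g. `# After running, upload the tarball and reconcile the hash as described in the summary printed at the end of the run.` so the file-level usage comment stays self-contained.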
@@ -66,17 +60,11 @@ ORIGINAL_SHA512="b1da40636f9e55bb07cc911479e6dfa8dc7a4fa3f6b9f10b9f669d741d7af51
 MODIFIED_NAME="yara-4.5.4-azl-stripped.tar.gz"
 EXTRACTED_DIRNAME="yara-4.5.4"
-# Files to remove from the upstream tarball. Keep this list explicit and
-# short so the rationale is always auditable.
+# Files to remove from the upstream tarball.
 declare -a STRIP_PATHS=(
 "${EXTRACTED_DIRNAME}/tests/oss-fuzz/dotnet_fuzzer_corpus/obfuscated"
 )
-# Resolve the script's own directory, then walk up to the repo root so
-# the work directory lands at base/build/work/scratch/yara/ no matter
-# where the script is invoked from. Layout:
-# /base/comps/yara/modify_source.sh <- this script
-# /base/build/work/scratch/yara/ <- WORKDIR
 SCRIPT_DIR="$(cd "$(dirname "$(realpath "$0")")" && pwd)"
 REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
 WORKDIR="${REPO_ROOT}/base/build/work/scratch/yara"
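Review bot: Dropping the layout comment leaves `REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"` with an unexplained three-level walk-up, so a reader has to reverse-engineer that `base/comps/yara/` sits three directories below the repository root, and a future move of the script would break `WORKDIR` with no hint as to why. A single line above it keeps the intent without the removed verbosity: `# base/comps/yara -> repository root (three levels up)`. The trimmed STRIP_PATHS comment loses the "keep this list short and auditable" intent as well; since this list is the only thing that distinguishes the served tarball from upstream, `# Files to remove from the upstream tarball; every entry must be justified in the header above.` preserves that review constraint in one line.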
@@ -122,30 +110,32 @@ tar --sort=name \
 MODIFIED_SHA512=$(sha512sum "${MODIFIED_NAME}" | awk '{print $1}')
 echo "${MODIFIED_SHA512} ${MODIFIED_NAME}" > "${MODIFIED_NAME}.sha512"
-echo
-echo "================================================================"
-echo "DONE"
-echo " modified tarball: ${WORKDIR}/${MODIFIED_NAME}"
-echo " SHA512: ${MODIFIED_SHA512}"
-echo "================================================================"
-echo
-echo "Next steps:"
-echo " 1. Make sure you are logged in to Azure (one-time per shell):"
-echo " az login"
-echo " 2. Upload the modified tarball with this ready-to-paste command"
-echo " (uploads to the lookaside 'repo' container under the"
-echo " 'pkgs_modified/' prefix at the exact path"
-echo " base/comps/yara/yara.comp.toml's source-files.origin.uri expects):"
-echo
-echo " az storage blob upload \\"
-echo " --auth-mode login \\"
-echo " --account-name azltempstaginglookaside \\"
-echo " --container-name repo \\"
-echo " --name \"pkgs_modified/yara/yara-4.5.4.tar.gz/sha512/${MODIFIED_SHA512}/yara-4.5.4.tar.gz\" \\"
-echo " --file \"${WORKDIR}/${MODIFIED_NAME}\""
-echo
-echo " 3. The hash + URI in base/comps/yara/yara.comp.toml are"
-echo " already populated for SHA512 ${MODIFIED_SHA512:0:16}...; if the"
-echo " SHA512 above does NOT match, update both the source-files.hash"
-echo " value, the URI's \$hash path segment, and the --name argument"
-echo " in the upload command above to the new value."
+cat <