fix(yara): strip 3 more OSS-Fuzz corpus fixtures#17343
Open
PawelWMS wants to merge 1 commit into
Open
Conversation
PawelWMS
force-pushed
the
pawelwi/yara-strip-fuzz-corpus
branch
from
93d6aee to
d102de2
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the yara component’s modified Source0 tarball to strip three additional OSS-Fuzz seed-corpus fixtures that are benign but trip malware-scanner heuristics, and refreshes the component metadata/locks/rendered specs accordingly.
Changes:
- Extend
base/comps/yara/modify_source.shto remove three additionaltests/oss-fuzz/*_fuzzer_corpus/*entries. - Update
base/comps/yara/yara.comp.tomlto point at the newly repacked tarball (new SHA512 + lookaside URI) and adjustreplace-reason. - Refresh
locks/yara.lockand re-renderspecs/y/yara/{sources,yara.spec}(release/changelog + sources checksum).
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| base/comps/yara/modify_source.sh | Adds three new corpus paths to the deterministic strip/repack flow and updates in-script documentation near STRIP_PATHS. |
| base/comps/yara/yara.comp.toml | Updates Source0 replacement SHA512 and blob URI to the newly repacked tarball; refines replace-reason. |
| locks/yara.lock | Refreshes input-fingerprint for the updated component inputs. |
| specs/y/yara/sources | Updates the recorded SHA512 for yara-4.5.4.tar.gz to the modified tarball hash. |
| specs/y/yara/yara.spec | Re-rendered output: release bump and new rpmautospec changelog entry. |
PawelWMS
force-pushed
the
pawelwi/yara-strip-fuzz-corpus
branch
2 times, most recently
from
3f55cf0 to
a0297f2
Compare
reubeno
requested changes
May 20, 2026
Member
reubeno
left a comment
reubeno
left a comment
There was a problem hiding this comment.
Change looks fine; could you update to use conventional commits in the commit and PR, please?
PawelWMS
changed the title
A subsequent scan pass on `yara-4.5.4-5.azl4.src.rpm` flagged three additional benign oss-fuzz seed-corpus inputs that the original fix (PR #17097) did not catch: - `tests/oss-fuzz/dex_fuzzer_corpus/27fb31059503773723597edb875c937af971a6c15f91aac8c03c1fbdfa9e918c` - `tests/oss-fuzz/dex_fuzzer_corpus/b343d1058063e6e4b652ccf0589f93d0dbb6b092960e4aebc3c3c58894831359` - `tests/oss-fuzz/dotnet_fuzzer_corpus/buggy_stream_names` The DEX corpora trip generic Android-packer heuristics; the .NET entry trips a high-entropy-entrypoint packer heuristic. All three are deliberately-pathological fuzzer-corpus inputs that exercise YARA's DEX and .NET parsers via libFuzzer harnesses. They are NOT referenced from `Makefile.am`, so the autotools `make check` driver does not consume them and no companion `Makefile.am` edit is needed -- the existing `test-pe` removal from PR #17097 is orthogonal (it targets `tests/data/` PE fixtures, not the `tests/oss-fuzz/*_fuzzer_corpus/` directories). Files: - `base/comps/yara/modify_source.sh`: append the three new paths to `STRIP_PATHS` (now sorted alphabetically). Rewrite both comment blocks (the file-level `Background` header and the one above `STRIP_PATHS`) to reflect the full current strip scope: oss-fuzz seed corpora under `tests/oss-fuzz/`, plus four hash-named PE fixtures under `tests/data/` (three SHA-256-named plus one `.upx`-suffixed sibling). - `base/comps/yara/yara.comp.toml`: refresh `hash` and `origin.uri` to point at the new modified-tarball SHA-512 (`94d4aab0...d7b646b`). Slim down `replace-reason` to a short pointer; the detailed list lives in `modify_source.sh`. - `locks/yara.lock`: refreshed `input-fingerprint`. - `specs/y/yara/{yara.spec,sources}`: re-rendered (release bump to 6, updated source SHA-512, new `%changelog` entry).
PawelWMS
force-pushed
the
pawelwi/yara-strip-fuzz-corpus
branch
from
a0297f2 to
e277263
Compare
📄❌ Rendered specs are out of dateFIX: — run this and commit the result: azldev component render yaraOr download the fix patch and apply it: gh run download 26179217382 -R microsoft/azurelinux -n rendered-specs-patch
git apply rendered-specs.patch
Content diffs`specs/y/yara/yara.spec`--- committed/specs/y/yara/yara.spec
+++ rendered/specs/y/yara/yara.spec
@@ -202,7 +202,7 @@
%changelog
## START: Generated by rpmautospec
* Mon May 18 2026 Pawel Winogrodzki <pawelwi@microsoft.com> - 4.5.4-6
-- yara: strip 3 more oss-fuzz corpus fixtures flagged by fresh scan
+- fix(yara): strip 3 more oss-fuzz corpus fixtures flagged by fresh scan
* Thu May 14 2026 Pawel Winogrodzki <pawelwi@microsoft.com> - 4.5.4-5
- yara: serve modified Source0 with malware-flagged test fixtures stripped
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to PR #17097: a fresh scan on
yara-4.5.4-5.azl4.src.rpmflagged three additional benign oss-fuzz seed-corpus inputs that the original fix did not catch. This change appends them toSTRIP_PATHSinbase/comps/yara/modify_source.sh.Newly stripped paths (all under
tests/oss-fuzz/):dex_fuzzer_corpus/27fb31059503773723597edb875c937af971a6c15f91aac8c03c1fbdfa9e918cdex_fuzzer_corpus/b343d1058063e6e4b652ccf0589f93d0dbb6b092960e4aebc3c3c58894831359dotnet_fuzzer_corpus/buggy_stream_namesHeuristics tripping on them: generic Android-packer detection on the DEX entries, and a high-entropy-entrypoint packer detection on the .NET entry.
Why no further
Makefile.ameditThese three files live under
tests/oss-fuzz/*_fuzzer_corpus/directories. The merged PR #17097'smodify_source.shalready documents that these directories are not referenced from upstream'sMakefile.am— they are consumed only by libFuzzer harnesses, not by the autotoolsmake checkdriver. So the existingMakefile.amedit that dropstest-pe(which is for thetests/data/PE fixtures) remains correct and complete; no companion edit is needed for the fuzzer-corpus additions.Files
base/comps/yara/modify_source.sh— append three new entries toSTRIP_PATHS(now sorted alphabetically); rewrite both comment blocks (the file-levelBackgroundheader and the one aboveSTRIP_PATHS) to reflect the full current strip scope: oss-fuzz seed corpora undertests/oss-fuzz/, plus four hash-named PE fixtures undertests/data/(three SHA-256-named plus one.upx-suffixed sibling).base/comps/yara/yara.comp.toml— refreshhash+origin.urito new modified-tarball SHA-512 (94d4aab0…d7b646b); slimreplace-reasonto a short pointer (detailed list lives inmodify_source.sh).locks/yara.lock— refreshedinput-fingerprint.specs/y/yara/{yara.spec,sources}— re-rendered: release bumped to 6, sources SHA-512 swapped to the modified-tarball hash, new%changelogentry.