fix(yara): modified Source0 with malware-scanner-tripping fixture stripped #17097
Open
PawelWMS wants to merge 2 commits into tomls/base/main from
Conversation
The upstream `yara-4.5.4.tar.gz` tarball ships `tests/oss-fuzz/dotnet_fuzzer_corpus/obfuscated`, a deliberately obfuscated .NET binary used as an oss-fuzz seed-corpus input for YARA's own .NET parser fuzzer. The file is benign by intent (it is a fuzzer input, not a runtime artefact), but it matches generic .NET-obfuscator detection heuristics by design and is rejected by the automated malware scan in our package signing pipeline.
Contributor
Pull request overview
Adjusts the yara component to use a repacked upstream Source0 tarball with a benign OSS-Fuzz fixture removed, avoiding false-positive malware detection during the signing pipeline while keeping the spec’s Source0 filename stable.
Changes:
- Add a dedicated `yara.comp.toml` that removes the upstream `sources` file and replaces `Source0` via `source-files` pointing at a modified-tarball blob URL.
- Update rendered `yara` spec metadata (release bump + changelog) and the `sources` SHA512 to match the modified tarball.
- Add a helper script (`modify_source.sh`) to deterministically repack the upstream tarball with the flagged fixture stripped.
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| specs/y/yara/yara.spec | Release bump and changelog entry reflecting the modified Source0 artifact. |
| specs/y/yara/sources | Updates SHA512 for yara-4.5.4.tar.gz to the modified tarball hash. |
| locks/yara.lock | Refreshes input fingerprint to reflect the new component configuration/source. |
| base/comps/yara/yara.comp.toml | Introduces component customization: drop upstream sources and define source-files to fetch the modified tarball. |
| base/comps/yara/modify_source.sh | Adds deterministic repack script to strip the malware-scanner-tripping fixture and output the required SHA512. |
| base/comps/components.toml | Removes yara from the inline unmodified-component list now that it has a dedicated .comp.toml. |
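The repack step that the summary above attributes to `modify_source.sh`, as an added shell example that is not the PR's script: it strips the fixture path named in the description from a tarball, repacks with fixed entry order, mtime and ownership so the output (and therefore its SHA512) is byte-identical on every run, and prints the `sources`-style hash line. It assumes GNU tar (1.28+ for `--sort`), gzip and coreutils `sha512sum`; the input archive is a small constructed stand-in, not the real upstream tarball.

```shell
#!/usr/bin/env bash
# Added example, not the PR's modify_source.sh: repack a tarball with one
# fixture path removed so the result is byte-identical on every run.
# Assumes GNU tar (--sort needs 1.28+), gzip and coreutils sha512sum.
set -eu

# Path inside the archive to strip (from the PR description) and the
# top-level directory of the upstream tarball.
STRIP_PATH="tests/oss-fuzz/dotnet_fuzzer_corpus/obfuscated"
TOPDIR="yara-4.5.4"

# Constructed stand-in for yara-4.5.4.tar.gz so the example runs offline;
# real use would point repack_stripped at the downloaded upstream archive.
make_fixture_tarball() {   # $1 = output tarball path
  local work; work=$(mktemp -d)
  mkdir -p "$work/$TOPDIR/$(dirname "$STRIP_PATH")" "$work/$TOPDIR/libyara"
  printf 'int main(void) { return 0; }\n' > "$work/$TOPDIR/libyara/main.c"
  printf 'constructed dummy fixture, not a real binary\n' > "$work/$TOPDIR/$STRIP_PATH"
  tar -C "$work" -czf "$1" "$TOPDIR"
  rm -rf "$work"
}

# Repack $1 into $2 without anything under $TOPDIR/$STRIP_PATH. Fixed entry
# order, mtime, numeric owner 0:0 and a gzip header without name/timestamp
# make the output deterministic, so the SHA512 recorded in `sources` is stable.
repack_stripped() {   # $1 = input tarball, $2 = output tarball
  local work; work=$(mktemp -d)
  tar -C "$work" -xzf "$1"
  rm -rf "${work:?}/$TOPDIR/$STRIP_PATH"
  tar -C "$work" --sort=name --mtime='@1767225600' \
      --owner=0 --group=0 --numeric-owner --format=gnu \
      -cf - "$TOPDIR" | gzip -n -9 > "$2"
  rm -rf "$work"
}

# Hash line in the Fedora `sources` format: "SHA512 (name) = hex".
sources_line() {   # $1 = tarball path
  printf 'SHA512 (%s) = %s\n' "$(basename "$1")" "$(sha512sum "$1" | cut -d' ' -f1)"
}

# Succeed only when no entry in the archive lies under the stripped path.
fixture_absent() {   # $1 = tarball path
  local hits
  hits=$(tar -tzf "$1" | grep -c "^$TOPDIR/$STRIP_PATH" || true)
  [ "$hits" -eq 0 ]
}
```

Running `repack_stripped` twice on the same input must yield the same `sources_line`; if it does not, the packaging metadata would drift on every regeneration.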
PawelWMS (Contributor, Author) commented May 8, 2026, on lines +38 to +41:

[[components.yara.overlays]]
description = "Drop upstream Fedora `sources` file so the modified-tarball SHA512 in `source-files` below replaces (rather than conflicts with) the original `yara-4.5.4.tar.gz` entry."
type = "file-remove"
file = "sources"
Checking if we can do better than this or a pattern replacement in the sources file.
49c1d00 to 9a74ccb
Rendered specs are out of date. Fix: run this and commit the result: `azldev component render yara`. Or download the fix patch and apply it:

gh run download 25578576227 -R microsoft/azurelinux -n rendered-specs-patch
git apply rendered-specs.patch

Content diffs: `specs/y/yara/yara.spec`

--- committed/specs/y/yara/yara.spec
+++ rendered/specs/y/yara/yara.spec
@@ -202,8 +202,7 @@
%changelog
## START: Generated by rpmautospec
* Thu May 07 2026 Pawel Winogrodzki <pawelwi@microsoft.com> - 4.5.4-5
-- yara: serve modified Source0 with malware-scanner-tripping fixture
- stripped
+- yara: modified Source0 with malware-scanner-tripping fixture stripped
* Thu Apr 30 2026 Daniel McIlvaney <damcilva@microsoft.com> - 4.5.4-4
- feat: introduce deterministic commit resolution via Azure Linux lock file
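Review bot: the committed changelog entry for 4.5.4-5 (the two `-` lines, `- yara: serve modified Source0 with malware-scanner-tripping fixture` / `stripped`) no longer matches what the render generates from the commit message (the `+` line `- yara: modified Source0 with malware-scanner-tripping fixture stripped`, which is also the PR title); since that `%changelog` block is marked `## START: Generated by rpmautospec`, re-run `azldev component render yara` and commit the regenerated spec rather than hand-editing the entry, so the committed and rendered specs agree and the rendered-specs check passes.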