[arch-security] [ASA-201503-4] grep: denial of service
Arch Linux Security Advisory ASA-201503-4
=========================================

Severity: Low
Date    : 2015-03-05
CVE-ID  : CVE-2015-1345
Package : grep
Type    : denial of service
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package grep before version 2.21-2 is vulnerable to denial of
service via heap buffer out-of-bounds read.

Resolution
==========

Upgrade to 2.21-2.

# pacman -Syu "grep>=2.21-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

The bmexec_trans function in kwset.c allows local users to cause a
denial of service (out-of-bounds heap read and crash) via crafted input
when using the -F option.

grep's read buffer is often filled to its full size, except when reading
the final buffer of a file. In that case, the number of bytes read may
be far less than the size of the buffer. However, for certain unusual
pattern/text combinations, grep -F would mistakenly examine bytes in
that uninitialized region of memory when searching for a match. With
carefully chosen inputs, one can cause grep -F to read beyond the end of
that buffer altogether. This problem arose via commit v2.18-90-g73893ff
with the introduction of a more efficient heuristic using what is now
the memchr_kwset function. The use of that function in bmexec_trans
could leave TP much larger than EP, and the subsequent call to
bm_delta2_search would mistakenly access beyond the end of the main
input read buffer.

Impact
======

A local attacker is able to use specially crafted input when using the
-F option to cause a heap buffer out-of-bounds read leading to denial of
service.

References
==========

http://seclists.org/oss-sec/2015/q1/179
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1345
https://bugs.archlinux.org/task/44017
Levente Polyak
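
The Description's "TP much larger than EP" condition, as an added example that is not part of the advisory and is not grep's kwset.c: a simplified model of a scan whose unchecked fast loop is only safe while the cursor stays at or below a bound, with a memchr jump that can break that bound. The names scan, guarded, OVERSHOOT and the skip-table layout are assumptions made for this illustration, and the model returns a sentinel at the point where an unguarded implementation would go on to read past the valid data.

```c
#include <stdio.h>
#include <string.h>
#define NOT_FOUND (-1L)
#define OVERSHOOT (-2L) /* cursor left the valid data; the next read would be out of bounds */
#define U(s) ((const unsigned char *)(s))
/* Simplified model of a fixed-string scan with a memchr skip heuristic; NOT grep's
   kwset.c. text[0..size) is the valid part of a larger read buffer, tp is one past
   the window's last byte, and the unchecked loop is safe only while tp <= ep. */
long scan(const unsigned char *text, size_t size,
          const unsigned char *pat, size_t m, int guarded)
{
    size_t skip[256], md2, tp = m, d, i;
    if (m == 0 || size < m) return NOT_FOUND;
    for (i = 0; i < 256; i++) skip[i] = m;
    for (i = 0; i + 1 < m; i++) skip[pat[i]] = m - 1 - i;
    md2 = skip[pat[m - 1]];            /* shift after a failed candidate */
    skip[pat[m - 1]] = 0;              /* 0 means "last byte matches" */
    if (size >= 2 * m) {
        size_t ep = size - 2 * m;      /* leaves room for two unchecked shifts */
        while (tp <= ep) {
            d = skip[text[tp - 1]]; tp += d;
            if (d != 0) {              /* heuristic: jump to the next last-byte hit */
                const unsigned char *q =
                    memchr(text + tp - 1, pat[m - 1], size - (tp - 1));
                if (!q) return NOT_FOUND;
                tp = (size_t)(q - text) + 1;    /* up to size: may exceed ep */
                if (guarded && tp > ep) break;  /* guard: re-check the invariant */
            }
            if (memcmp(text + tp - m, pat, m) == 0) return (long)(tp - m);
            tp += md2;                 /* unchecked: assumes tp was <= ep */
        }
    }
    if (tp > size) return OVERSHOOT;   /* the tail below would read text[tp - 1] */
    for (;;) {                         /* tail: relies on tp <= size on entry */
        d = skip[text[tp - 1]];
        if (d == 0) {
            if (memcmp(text + tp - m, pat, m) == 0) return (long)(tp - m);
            d = md2;
        }
        if (d > size - tp) return NOT_FOUND;    /* size - tp would wrap if tp > size */
        tp += d;
    }
}

int main(void)
{   /* Constructed input: 8 valid bytes, then stale "ab" left over in the buffer. */
    printf("unguarded: %ld\n", scan(U("xxxxxxxbab"), 8, U("ab"), 2, 0));
    printf("guarded:   %ld\n", scan(U("xxxxxxxbab"), 8, U("ab"), 2, 1));
    return 0;
}
```

With the guard off, the constructed input drives the cursor past the 8 valid bytes and the model reports OVERSHOOT; with the guard on, the same input falls through to the bounds-checked tail and reports no match.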