[arch-security] [ASA-201503-4] grep: denial of service

Levente Polyak anthraxx at archlinux.org
Thu Mar 5 00:14:33 UTC 2015

Arch Linux Security Advisory ASA-201503-4

Severity: Low
Date    : 2015-03-05
CVE-ID  : CVE-2015-1345
Package : grep
Type    : denial of service
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE


The package grep before version 2.21-2 is vulnerable to denial of
service via heap buffer out-of-bounds read.


Upgrade to 2.21-2.

# pacman -Syu "grep>=2.21-2"

The problem has been fixed upstream but no release is available yet.




The bmexec_trans function in kwset.c allows local users to cause a
denial of service (out-of-bounds heap read and crash) via crafted input
when using the -F option.

grep's read buffer is often filled to its full size, except when reading
the final buffer of a file. In that case, the number of bytes read may
be far less than the size of the buffer. However, for certain unusual
pattern/text combinations, grep -F would mistakenly examine bytes in
that uninitialized region of memory when searching for a match. With
carefully chosen inputs, one can cause grep -F to read beyond the end of
that buffer altogether. This problem arose via commit v2.18-90-g73893ff
with the introduction of a more efficient heuristic using what is now
the memchr_kwset function. The use of that function in bmexec_trans
could leave TP much larger than EP, and the subsequent call to
bm_delta2_search would mistakenly access beyond end of the main input
read buffer.


A local attacker is able to use specially crafted input when using the
-F option to cause a heap buffer out-of-bounds read leading to denial of



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150305/3d6cc7c6/attachment.asc>

More information about the arch-security mailing list