[arch-security] [ASA-201503-4] grep: denial of service
anthraxx at archlinux.org
Thu Mar 5 00:14:33 UTC 2015
Arch Linux Security Advisory ASA-201503-4
Date : 2015-03-05
CVE-ID : CVE-2015-1345
Package : grep
Type : denial of service
Remote : No
Link : https://wiki.archlinux.org/index.php/CVE
The package grep before version 2.21-2 is vulnerable to denial of
service via heap buffer out-of-bounds read.
Upgrade to 2.21-2.
# pacman -Syu "grep>=2.21-2"
The problem has been fixed upstream but no release is available yet.
The bmexec_trans function in kwset.c allows local users to cause a
denial of service (out-of-bounds heap read and crash) via crafted input
when using the -F option.
grep's read buffer is often filled to its full size, except when reading
the final buffer of a file. In that case, the number of bytes read may
be far less than the size of the buffer. However, for certain unusual
pattern/text combinations, grep -F would mistakenly examine bytes in
that uninitialized region of memory when searching for a match. With
carefully chosen inputs, one can cause grep -F to read beyond the end of
that buffer altogether. This problem arose via commit v2.18-90-g73893ff
with the introduction of a more efficient heuristic using what is now
the memchr_kwset function. The use of that function in bmexec_trans
could leave TP much larger than EP, and the subsequent call to
bm_delta2_search would mistakenly access beyond end of the main input
A local attacker is able to use specially crafted input when using the
-F option to cause a heap buffer out-of-bounds read leading to denial of
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: OpenPGP digital signature
More information about the arch-security