[arch-security] [ASA-201503-4] grep: denial of service

Levente Polyak anthraxx at archlinux.org
Thu Mar 5 00:14:33 UTC 2015


Arch Linux Security Advisory ASA-201503-4
=========================================

Severity: Low
Date    : 2015-03-05
CVE-ID  : CVE-2015-1345
Package : grep
Type    : denial of service
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package grep before version 2.21-2 is vulnerable to denial of
service via heap buffer out-of-bounds read.

Resolution
==========

Upgrade to 2.21-2.

# pacman -Syu "grep>=2.21-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

The bmexec_trans function in kwset.c allows local users to cause a
denial of service (out-of-bounds heap read and crash) via crafted input
when using the -F option.

grep's read buffer is often filled to its full size, except when reading
the final buffer of a file. In that case, the number of bytes read may
be far less than the size of the buffer. However, for certain unusual
pattern/text combinations, grep -F would mistakenly examine bytes in
that uninitialized region of memory when searching for a match. With
carefully chosen inputs, one can cause grep -F to read beyond the end of
that buffer altogether. This problem arose via commit v2.18-90-g73893ff
with the introduction of a more efficient heuristic using what is now
the memchr_kwset function. The use of that function in bmexec_trans
could leave TP much larger than EP, and the subsequent call to
bm_delta2_search would mistakenly access beyond the end of the main input
read buffer.
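
The failure mode described above, as an added example: this is a simplified model written for illustration, not code from grep or kwset.c. The names rdbuf, fill_demo, search_fixed and check_ep are hypothetical and the input is constructed. The model stays inside its own allocation and shows the stale-region case: a memchr skip moves the cursor tp past ep, and a match is reported in bytes left over from the previous read unless tp is tested against ep.

```c
#include <stdio.h>
#include <string.h>

enum { CAP = 32 };                 /* size of the reusable read buffer */
static unsigned char rdbuf[CAP];

/* Constructed input: one full read, then a short final read of 5 bytes
   into the same buffer, so bytes 5..31 still hold the previous block. */
static size_t fill_demo(void)
{
    memcpy(rdbuf, "line one of file\nSTALE-NEEDLE..\n", CAP);
    memcpy(rdbuf, "last\n", 5);
    return 5;
}

/* Fixed-string search that skips with memchr on the pattern's last byte.
   tp is one past the candidate's last byte; ep is the end of the bytes
   actually read. check_ep == 0 models the missing "tp > ep" test.
   Returns the match offset, or -1. Never reads outside buf[0..cap). */
static long search_fixed(const unsigned char *buf, size_t cap, size_t ep,
                         const char *pat, int check_ep)
{
    size_t plen = strlen(pat), tp = plen;
    if (plen == 0 || plen > cap)
        return -1;
    while (tp <= cap) {
        const unsigned char *hit =
            memchr(buf + tp - 1, pat[plen - 1], cap - (tp - 1));
        if (!hit)
            return -1;
        tp = (size_t)(hit - buf) + 1;   /* the skip may jump past ep */
        if (check_ep && tp > ep)
            return -1;                  /* corrected: stop at valid data */
        if (memcmp(buf + tp - plen, pat, plen) == 0)
            return (long)(tp - plen);
        tp++;
    }
    return -1;
}

int main(void)
{
    size_t n = fill_demo();
    printf("unchecked: %ld\n", search_fixed(rdbuf, CAP, n, "NEEDLE", 0));
    printf("checked:   %ld\n", search_fixed(rdbuf, CAP, n, "NEEDLE", 1));
    printf("real data: %ld\n", search_fixed(rdbuf, CAP, n, "last", 1));
    return 0;
}
```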

Impact
======

A local attacker is able to use specially crafted input when using the
-F option to cause a heap buffer out-of-bounds read leading to denial of
service.

References
==========

http://seclists.org/oss-sec/2015/q1/179
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1345
https://bugs.archlinux.org/task/44017
