[v3.0] grep: heap buffer overrun (CVE-2015-1345)
Invoking grep with a carefully crafted combination of input and regexp can cause a segfault and/or reading from uninitialized memory.
Here’s how it evolved: http://bugs.gnu.org/19563
Here’s the upstream fix:
http://git.sv.gnu.org/cgit/grep.git/commit/?id=83a95bd8c8561875b948cadd417c653dbe7ef2e2
The comment to the fix mentions:
grep’s read buffer is often filled to its full size, except when reading
the final buffer of a file. In that case, the number of bytes read may
be far less than the size of the buffer. However, for certain unusual
pattern/text combinations, grep -F would mistakenly examine bytes in
that uninitialized region of memory when searching for a match. With
carefully chosen inputs, one can cause grep -F to
read beyond the end of that buffer altogether. This problem arose via
commit v2.18-90-g73893ff with the introduction of a more efficient
heuristic using what is now the memchr_kwset function. The use of
that function in bmexec_trans could leave TP much larger than EP, and
the subsequent call to bm_delta2_search would mistakenly access beyond
end of the main input read buffer.
So it seems that versions before v2.18 are not vulnerable. This was kept in mind when deciding which Alpine Linux branches are vulnerable.
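As an added illustration (not grep's code and not the upstream patch), the C block below is a simplified Boyer-Moore-Horspool search over a read buffer whose capacity is larger than the number of bytes actually read, which is the situation the commit message describes for the final buffer of a file. The names bounded_find, examine and the two demo_* functions, and the sample data, are constructed for this example. It shows the invariant the fix restores: after a heuristic skip the text pointer TP can land past EP, and the search has to stop there instead of continuing into the unread tail. The second demo shows what bounding by buffer capacity instead of bytes read does: it reports a "match" that lies entirely in bytes the file never supplied.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NOT_FOUND ((size_t)-1)

/* Highest buffer offset the verify loop touched; lets the demo prove the
   search never looked at buf[len..cap). */
static size_t max_examined;

static unsigned char examine(const unsigned char *buf, size_t off)
{
    if (off > max_examined)
        max_examined = off;
    return buf[off];
}

/* Horspool-style fixed-string search.  Only buf[0..len) is valid data;
   whatever lies beyond len (up to the buffer's capacity) must never be read.
   Returns the offset of the first match, or NOT_FOUND. */
size_t bounded_find(const unsigned char *buf, size_t len,
                    const unsigned char *pat, size_t m)
{
    size_t delta[256];
    if (m == 0 || len < m)
        return NOT_FOUND;
    for (size_t i = 0; i < 256; i++)
        delta[i] = m;
    for (size_t i = 0; i + 1 < m; i++)
        delta[pat[i]] = m - 1 - i;

    size_t ep = len - 1;   /* last valid byte offset (grep's EP) */
    size_t tp = m - 1;     /* text offset aligned with pat[m-1] (grep's TP) */
    max_examined = 0;

    for (;;) {
        /* Heuristic jump to the next occurrence of the pattern's last byte.
           The length is derived from EP (bytes read), never from capacity. */
        const unsigned char *p = memchr(buf + tp, pat[m - 1], ep - tp + 1);
        if (p == NULL)
            return NOT_FOUND;
        tp = (size_t)(p - buf);

        size_t k = 0;
        while (k < m && examine(buf, tp - k) == pat[m - 1 - k])
            k++;
        if (k == m)
            return tp - (m - 1);

        tp += delta[buf[tp]];
        /* The check that matters: a skip may push TP past EP.  Without it the
           next memchr length (ep - tp + 1) wraps around and the search runs
           into the unread tail of the buffer. */
        if (tp > ep)
            return NOT_FOUND;
    }
}

/* Constructed scenario: a 64-byte buffer of which only 21 bytes were "read".
   The tail is seeded with the pattern, so a search that strays past len
   would report a bogus match at offset 21. */
static size_t fill_demo_buffer(unsigned char *buf, size_t cap)
{
    const char *data = "alpine: grep and z xx";    /* 21 valid bytes */
    size_t len = strlen(data);
    memset(buf, 'x', cap);                         /* stand-in for stale memory */
    memcpy(buf, data, len);
    memcpy(buf + len, "xxxyz", 5);                 /* pattern bytes beyond len */
    return len;
}

/* Bounded by bytes read: no match, and nothing past len was examined.
   Returns 1 on that outcome, 0 otherwise. */
int demo_search_stays_in_bounds(void)
{
    unsigned char buf[64];
    size_t len = fill_demo_buffer(buf, sizeof buf);
    size_t r = bounded_find(buf, len, (const unsigned char *)"xxxyz", 5);
    return (r == NOT_FOUND && max_examined < len) ? 1 : 0;
}

/* Bounded by capacity instead: the search "finds" xxxyz at offset 21,
   entirely inside bytes the file never supplied. */
size_t demo_capacity_bound_reports_stale_match(void)
{
    unsigned char buf[64];
    fill_demo_buffer(buf, sizeof buf);
    return bounded_find(buf, sizeof buf, (const unsigned char *)"xxxyz", 5);
}

int main(void)
{
    printf("bounded by bytes read: in bounds = %d\n", demo_search_stays_in_bounds());
    printf("bounded by capacity:   match at %zu (past valid data)\n",
           demo_capacity_bound_reports_stale_match());
    return 0;
}
```

Compile with plain cc and run; the "stale" tail is initialized here so the capacity-bounded run is well defined and only illustrates the wrong answer, whereas in grep's case the same bytes were uninitialized and, with a skip large enough, outside the allocation altogether.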
References:
http://seclists.org/oss-sec/2015/q1/221
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=19563
CONFIRM:
http://git.savannah.gnu.org/cgit/grep.git/commit/?id=83a95bd8c8561875b948cadd417c653dbe7ef2e2
(from redmine: issue id 3865, created on 2015-02-02, closed on 2015-02-04)
- Relations:
- parent #3864 (closed)
- Changesets:
- Revision 7dba8d89 by Natanael Copa on 2015-02-02T12:05:51Z:
main/grep: security fix for CVE-2015-1345
ref #3864
fixes #3865
(cherry picked from commit 35e60941855d77260fac5b98ec03ef6c6f6e639a)
Conflicts:
main/grep/APKBUILD