Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 537046 (CVE-2015-1345)

Summary: <sys-apps/grep-2.21-r1: heap buffer overrun (CVE-2015-1345)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: base-system
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1183651
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-01-19 13:22:33 UTC
From ${URL} :

It was reported [1] that invoking grep with a carefully crafted combination of input and regexp can 
cause a segfault and/or reading from uninitialized memory.

Upstream bugreport: http://bugs.gnu.org/19563
Upstream fix: 
http://git.sv.gnu.org/cgit/grep.git/commit/?id=83a95bd8c8561875b948cadd417c653dbe7ef2e2

[1]: http://seclists.org/oss-sec/2015/q1/179


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-01-20 13:15:23 UTC
+*grep-2.21-r1 (20 Jan 2015)
+
+  20 Jan 2015; Lars Wendler <polynomial-c@gentoo.org> +grep-2.21-r1.ebuild:
+  Security bump (bug #537046). Upstream fix added without test suite because it
+  causes error in another test.
+

Arches please test and mark stable =sys-apps/grep-2.21-r1 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-20 18:18:08 UTC
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2015-01-21 10:19:56 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-01-21 10:20:39 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-01-25 11:22:24 UTC
alpha stable
Comment 6 Markus Meier gentoo-dev 2015-01-25 21:21:03 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-01-31 10:32:24 UTC
ppc stable
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-02-14 12:35:05 UTC
CVE-2015-1345 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1345):
  The bmexec_trans function in kwset.c in grep 2.19 through 2.21 allows local
  users to cause a denial of service (out-of-bounds heap read and crash) via
  crafted input when using the -F option.
Comment 9 Agostino Sarubbo gentoo-dev 2015-02-16 10:22:43 UTC
sparc stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-02-16 18:18:32 UTC
ia64 stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-02-16 18:19:02 UTC
ppc64 stable
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2015-02-24 06:34:34 UTC
Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2015-02-25 11:08:41 UTC
This issue was resolved and addressed in
 GLSA 201502-14 at http://security.gentoo.org/glsa/glsa-201502-14.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2015-03-16 13:53:26 UTC
Re-Opening for cleanup which was not done.
Comment 15 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-03-16 21:34:27 UTC
+  16 Mar 2015; Lars Wendler <polynomial-c@gentoo.org> -grep-2.16.ebuild,
+  -grep-2.20.ebuild, -grep-2.20-r1.ebuild, -grep-2.21.ebuild:
+  Removed vulnerable versions.
+