From ${URL} : It was reported [1] that invoking grep with a carefully crafted combination of input and regexp can cause a segfault and/or reading from uninitialized memory. Upstream bugreport: http://bugs.gnu.org/19563 Upstream fix: http://git.sv.gnu.org/cgit/grep.git/commit/?id=83a95bd8c8561875b948cadd417c653dbe7ef2e2 [1]: http://seclists.org/oss-sec/2015/q1/179 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
+*grep-2.21-r1 (20 Jan 2015) + + 20 Jan 2015; Lars Wendler <polynomial-c@gentoo.org> +grep-2.21-r1.ebuild: + Security bump (bug #537046). Upstream fix added without test suite because it + causes error in another test. + Arches please test and mark stable =sys-apps/grep-2.21-r1 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
Stable for HPPA.
amd64 stable
x86 stable
alpha stable
arm stable
ppc stable
CVE-2015-1345 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1345): The bmexec_trans function in kwset.c in grep 2.19 through 2.21 allows local users to cause a denial of service (out-of-bounds heap read and crash) via crafted input when using the -F option.
sparc stable
ia64 stable
ppc64 stable
Arches, Thank you for your work. New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
This issue was resolved and addressed in GLSA 201502-14 at http://security.gentoo.org/glsa/glsa-201502-14.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
Re-Opening for cleanup which was not done.
+ 16 Mar 2015; Lars Wendler <polynomial-c@gentoo.org> -grep-2.16.ebuild, + -grep-2.20.ebuild, -grep-2.20-r1.ebuild, -grep-2.21.ebuild: + Removed vulnerable versions. +