FS#44017 - [grep] CVE-2015-1345: heap buffer out-of-bounds read / denial of service

Attached to Project: Arch Linux
Opened by Levente Polyak (anthraxx) - Monday, 02 March 2015, 14:51 GMT
Last edited by Sébastien Luttringer (seblu) - Monday, 02 March 2015, 21:56 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Sébastien Luttringer (seblu)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

It has been reported [0] that grep <= 2.21 is suffering from heap buffer out-of-bounds read which results in a crash (denial of service).
This issues is tracked as CVE-2015-1345 [1] and a upstream patch [2] is available.

I have attached a fixed PKGBUILD for convenience.

[0] http://seclists.org/oss-sec/2015/q1/179
[1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1345
[2] http://git.savannah.gnu.org/cgit/grep.git/commit/?id=83a95bd8c8561875b948cadd417c653dbe7ef2e2
This task depends upon

Closed by  Sébastien Luttringer (seblu)
Monday, 02 March 2015, 21:56 GMT
Reason for closing:  Fixed
Additional comments about closing:  grep-2.21-2
Comment by Sébastien Luttringer (seblu) - Monday, 02 March 2015, 21:55 GMT
I didn't use the provided patch because it doesn't build in a clean chroot. automake was missing or a lighter patch without touching makefiles do the job.

Loading...