1183651 – (CVE-2015-1345) CVE-2015-1345 grep: heap buffer overrun

Bug 1183651 (CVE-2015-1345) - CVE-2015-1345 grep: heap buffer overrun

Summary: CVE-2015-1345 grep: heap buffer overrun

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-1345
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1185440 (view as bug list)
Depends On:	1183653 1194315 1194322
Blocks:	1183652 1185168 1193283 1210268
TreeView+	depends on / blocked

Reported:	2015-01-19 11:56 UTC by Vasyl Kaigorodov
Modified:	2021-02-17 05:47 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A heap-based buffer overflow flaw was found in the way grep processed certain pattern and text combinations. An attacker able to trick a user into running grep on specially crafted input could use this flaw to crash grep or, potentially, read from uninitialized memory.
Clone Of:
Environment:
Last Closed:	2015-11-20 05:58:41 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1447	0	normal	SHIPPED_LIVE	Low: grep security, bug fix, and enhancement update	2015-07-20 18:43:55 UTC
Red Hat Product Errata	RHSA-2015:2111	0	normal	SHIPPED_LIVE	Low: grep security and bug fix update	2015-11-19 08:18:28 UTC

Description Vasyl Kaigorodov 2015-01-19 11:56:15 UTC

It was reported [1] that invoking grep with a carefully crafted combination of input and regexp can cause a segfault and/or reading from uninitialized memory.

Upstream bugreport: http://bugs.gnu.org/19563
Upstream fix: http://git.sv.gnu.org/cgit/grep.git/commit/?id=83a95bd8c8561875b948cadd417c653dbe7ef2e2

[1]: http://seclists.org/oss-sec/2015/q1/179

Comment 1 Vasyl Kaigorodov 2015-01-19 11:57:34 UTC

Created grep tracking bugs for this issue:

Affects: fedora-all [bug 1183653]

Comment 2 Yaakov Selkowitz 2015-01-23 18:50:22 UTC

This has been assigned CVE-2015-1345[1].

[1] http://seclists.org/oss-sec/2015/q1/221

Comment 3 Kurt Seifried 2015-01-23 20:14:47 UTC

*** Bug 1185440 has been marked as a duplicate of this bug. ***

Comment 4 Fedora Update System 2015-01-26 02:39:18 UTC

grep-2.21-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Vasyl Kaigorodov 2015-07-14 12:15:29 UTC

Statement:

This issue did not affect versions of grep as shipped in Red Hat Enterprise Linux 5.

Comment 7 errata-xmlrpc 2015-07-22 06:18:17 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1447 https://rhn.redhat.com/errata/RHSA-2015-1447.html

Comment 9 errata-xmlrpc 2015-11-19 06:56:12 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2111 https://rhn.redhat.com/errata/RHSA-2015-2111.html

Note You need to log in before you can comment on or make changes to this bug.