Hello community, here is the log from the commit of package grep for openSUSE:Factory checked in at 2015-02-08 11:41:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/grep (Old) and /work/SRC/openSUSE:Factory/.grep.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grep" Changes: -------- --- /work/SRC/openSUSE:Factory/grep/grep.changes 2015-01-20 21:54:07.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.grep.new/grep.changes 2015-02-08 11:41:15.000000000 +0100 @@ -1,0 +2,6 @@ +Mon Jan 26 10:46:13 UTC 2015 - sch...@suse.de + +- grep-F-heap-overrun.patch: fix heap overrun with grep -F (CVE-2015-1345, + bsc#914695) + +------------------------------------------------------------------- New: ---- grep-F-heap-overrun.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ grep.spec ++++++ --- /var/tmp/diff_new_pack.Ibd4zp/_old 2015-02-08 11:41:17.000000000 +0100 +++ /var/tmp/diff_new_pack.Ibd4zp/_new 2015-02-08 11:41:17.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package grep # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -26,6 +26,7 @@ Source0: http://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz Source2: http://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz.sig Source3: http://savannah.gnu.org/project/memberlist-gpgkeys.php?group=grep&download=1#/%{name}.keyring +Patch0: grep-F-heap-overrun.patch BuildRequires: makeinfo BuildRequires: pcre-devel BuildRequires: xz @@ -43,6 +44,8 @@ %prep %setup -q +%patch0 -p1 +chmod +x tests/kwset-abuse %if 0%{?suse_version} < 1120 echo "ac_cv_search_pcre_compile=\${ac_cv_search_pcre_compile=%{_libdir}/libpcre.a}" >config.cache %endif ++++++ grep-F-heap-overrun.patch ++++++ >From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001 From: Yuliy Pisetsky <ypiset...@fb.com> Date: Thu, 1 Jan 2015 15:36:55 -0800 Subject: [PATCH] grep -F: fix a heap buffer (read) overrun grep's read buffer is often filled to its full size, except when reading the final buffer of a file. In that case, the number of bytes read may be far less than the size of the buffer. However, for certain unusual pattern/text combinations, grep -F would mistakenly examine bytes in that uninitialized region of memory when searching for a match. With carefully chosen inputs, one can cause grep -F to read beyond the end of that buffer altogether. This problem arose via commit v2.18-90-g73893ff with the introduction of a more efficient heuristic using what is now the memchr_kwset function. The use of that function in bmexec_trans could leave TP much larger than EP, and the subsequent call to bm_delta2_search would mistakenly access beyond end of the main input read buffer. * src/kwset.c (bmexec_trans): When TP reaches or exceeds EP, do not call bm_delta2_search. * tests/kwset-abuse: New file. * tests/Makefile.am (TESTS): Add it. * THANKS.in: Update. * NEWS (Bug fixes): Mention it. Prior to this patch, this command would trigger a UMR: printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0) Use of uninitialised value of size 8 at 0x4142BE: bmexec_trans (kwset.c:657) by 0x4143CA: bmexec (kwset.c:678) by 0x414973: kwsexec (kwset.c:848) by 0x414DC4: Fexecute (kwsearch.c:128) by 0x404E2E: grepbuf (grep.c:1238) by 0x4054BF: grep (grep.c:1417) by 0x405CEB: grepdesc (grep.c:1645) by 0x405EC1: grep_command_line_arg (grep.c:1692) by 0x4077D4: main (grep.c:2570) See the accompanying test for how to trigger the heap buffer overrun. Thanks to Nima Aghdaii for testing and finding numerous ways to break early iterations of this patch. --- NEWS | 5 +++++ THANKS.in | 1 + src/kwset.c | 2 ++ tests/Makefile.am | 1 + tests/kwset-abuse | 32 ++++++++++++++++++++++++++++++++ 5 files changed, 41 insertions(+) create mode 100755 tests/kwset-abuse Index: grep-2.21/src/kwset.c =================================================================== --- grep-2.21.orig/src/kwset.c +++ grep-2.21/src/kwset.c @@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const if (! tp) return -1; tp++; + if (ep <= tp) + break; } } } Index: grep-2.21/tests/Makefile.am =================================================================== --- grep-2.21.orig/tests/Makefile.am +++ grep-2.21/tests/Makefile.am @@ -72,6 +72,7 @@ TESTS = \ inconsistent-range \ invalid-multibyte-infloop \ khadafy \ + kwset-abuse \ long-line-vs-2GiB-read \ match-lines \ max-count-overread \ Index: grep-2.21/tests/Makefile.in =================================================================== --- grep-2.21.orig/tests/Makefile.in +++ grep-2.21/tests/Makefile.in @@ -1376,6 +1376,7 @@ TESTS = \ inconsistent-range \ invalid-multibyte-infloop \ khadafy \ + kwset-abuse \ long-line-vs-2GiB-read \ match-lines \ max-count-overread \ @@ -2030,6 +2031,13 @@ khadafy.log: khadafy $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +kwset-abuse.log: kwset-abuse + @p='kwset-abuse'; \ + b='kwset-abuse'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) long-line-vs-2GiB-read.log: long-line-vs-2GiB-read @p='long-line-vs-2GiB-read'; \ Index: grep-2.21/tests/kwset-abuse =================================================================== --- /dev/null +++ grep-2.21/tests/kwset-abuse @@ -0,0 +1,32 @@ +#! /bin/sh +# Evoke a segfault in a hard-to-reach code path of kwset.c. +# This bug affected grep versions 2.19 through 2.21. +# +# Copyright (C) 2015 Free Software Foundation, Inc. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +. "${srcdir=.}/init.sh"; path_prepend_ ../src + +fail=0 + +# This test case chooses a haystack of size 260,000, since prodding +# with gdb showed a reallocation slightly larger than that in fillbuf. +# To reach the buggy code, the needle must have length < 1/11 that of +# the haystack, and 10,000 is a nice round number that fits the bill. +printf '%0260000dXy\n' 0 | grep -F $(printf %010000dy 0) + +test $? = 1 || fail=1 + +Exit $fail -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org