Arch Linux Security Advisory ASA-201503-4
========================================
Severity: Low
Date    : 2015-03-05
CVE-ID  : CVE-2015-1345
Package : grep
Type    : denial of service
Remote  : No
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package grep before version 2.21-2 is vulnerable to denial of
service via heap buffer out-of-bounds read.

Resolution
=========
Upgrade to 2.21-2.

# pacman -Syu "grep>=2.21-2"

The problem has been fixed upstream but no release is available yet.

Workaround
=========
None.

Description
==========
The bmexec_trans function in kwset.c allows local users to cause a
denial of service (out-of-bounds heap read and crash) via crafted input
when using the -F option.

grep's read buffer is often filled to its full size, except when reading
the final buffer of a file. In that case, the number of bytes read may
be far less than the size of the buffer. However, for certain unusual
pattern/text combinations, grep -F would mistakenly examine bytes in
that uninitialized region of memory when searching for a match. With
carefully chosen inputs, one can cause grep -F to read beyond the end of
that buffer altogether. This problem arose via commit v2.18-90-g73893ff
with the introduction of a more efficient heuristic using what is now
the memchr_kwset function. The use of that function in bmexec_trans
could leave TP much larger than EP, and the subsequent call to
bm_delta2_search would mistakenly access beyond end of the main input
read buffer.

Impact
=====
A local attacker is able to use specially crafted input when using the
-F option to cause a heap buffer out-of-bounds read leading to denial of
service.

References
=========
https://seclists.org/oss-sec/2015/q1/179
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1345
https://bugs.archlinux.org/task/44017