[security-announce] grep: Security update

Sona Sarmadi sona.sarmadi at enea.com
Wed Sep 16 16:33:13 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

	Enea Linux Security Advisory

=========================================================
Product/package: grep 2.19
Severity: Low
CVE Name: CVE-2015-1345
=========================================================
This security update fixes a heap-based buffer overflow
flaw in grep.
Affected versions are: grep 2.19 through 2.21.

Signed patch and README files
================================
0034-grep2.19-CVE-2015-1345.patch
0034-grep2.19-CVE-2015-1345.patch.sig
0034-grep2.19-CVE-2015-1345.README.asc

Description
===========
The bmexec_trans function in kwset.c in grep 2.19 through
2.21 allows local users to cause a denial of service
(out-of-bounds heap read and crash) via crafted input when
using the -F option.

References
===========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1345
http://www.openwall.com/lists/oss-security/2015/01/22/10
Upstream bug report: http://bugs.gnu.org/19563
Upstream fix: http://git.sv.gnu.org/cgit/grep.git/commit/?id=83a95bd8c8561875b948cadd417c653dbe7ef2e2

How to apply the patches
=======================
 - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order:

wget https://linux.enea.com/5.0-beta-m400/\
Enea-Linux-5.0-beta-m400.tar.gz
tar zxf Enea-Linux-5.0-beta-m400.tar.gz
cd Enea-Linux-5.0-beta-m400/poky
<Fetch and apply the existing patches >

 - Fetch, verify and apply the new patch
wget https://linux.enea.com/5.0-beta-m400/\
patches/0034-grep2.19-CVE-2015-1345.patch
wget https://linux.enea.com/5.0-beta-m400/\
patches/0034-grep2.19-CVE-2015-1345.patch.sig
gpg --verify 0034-grep2.19-CVE-2015-1345.patch.sig
patch -p1 < ./0034-grep2.19-CVE-2015-1345.patch

If you have any questions regarding the security patches and security
updates, please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----
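
The verify-then-apply step from the advisory, as an added example that is not part of the original message or Enea's own tooling: the patch is applied only when gpg reports a valid signature from one pinned key and a dry run succeeds. The fingerprint value and the function names `status_ok` and `verify_and_apply` are assumptions; the advisory does not state the signing key fingerprint.

```shell
#!/bin/sh
# Added example: gate `patch` on a good signature from one pinned key.
# PINNED_FPR is a placeholder (assumption); replace it with the signing key
# fingerprint obtained out of band.
PINNED_FPR="${PINNED_FPR:-0000000000000000000000000000000000000000}"

# status_ok FPR: read `gpg --status-fd` output on stdin. Succeed only if a
# VALIDSIG line names FPR as the signing key (field 3) or the primary key
# (last field) and no BADSIG/ERRSIG/REVKEYSIG/EXPKEYSIG line is present.
status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|REVKEYSIG|EXPKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == toupper(want) ||
                             toupper($NF) == toupper(want)) { good = 1 }
        END { if (good && !bad) exit 0; exit 1 }
    '
}

# verify_and_apply PATCH SIG: run from the poky directory, as in the advisory.
verify_and_apply() {
    patch_file=$1
    sig_file=$2
    # Name the signed file explicitly instead of letting gpg infer it.
    gpg --batch --status-fd 1 --verify "$sig_file" "$patch_file" 2>/dev/null |
        status_ok "$PINNED_FPR" ||
        { echo "signature check failed, patch not applied" >&2; return 1; }
    # Confirm every hunk applies before touching the tree.
    patch -p1 --dry-run < "$patch_file" >/dev/null ||
        { echo "patch does not apply cleanly" >&2; return 1; }
    patch -p1 < "$patch_file"
}

# Usage:
#   verify_and_apply 0034-grep2.19-CVE-2015-1345.patch \
#                    0034-grep2.19-CVE-2015-1345.patch.sig
```

A bare `gpg --verify` followed by `patch` on the next line still applies the patch when verification fails if the commands are pasted as a script, and it accepts a good signature from any key in the keyring.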


