Date: Monday, March 2, 2015 @ 22:56:31 Author: seblu Revision: 232431
archrelease: copy trunk to extra-i686, extra-x86_64 Added: grep/repos/extra-i686/ grep/repos/extra-i686/CVE-2015-1345.patch (from rev 232430, grep/trunk/CVE-2015-1345.patch) grep/repos/extra-i686/PKGBUILD (from rev 232430, grep/trunk/PKGBUILD) grep/repos/extra-i686/grep.install (from rev 232430, grep/trunk/grep.install) grep/repos/extra-x86_64/ grep/repos/extra-x86_64/CVE-2015-1345.patch (from rev 232430, grep/trunk/CVE-2015-1345.patch) grep/repos/extra-x86_64/PKGBUILD (from rev 232430, grep/trunk/PKGBUILD) grep/repos/extra-x86_64/grep.install (from rev 232430, grep/trunk/grep.install) ----------------------------------+ extra-i686/CVE-2015-1345.patch | 58 +++++++++++++++++++++++++++++++++++++ extra-i686/PKGBUILD | 44 ++++++++++++++++++++++++++++ extra-i686/grep.install | 18 +++++++++++ extra-x86_64/CVE-2015-1345.patch | 58 +++++++++++++++++++++++++++++++++++++ extra-x86_64/PKGBUILD | 44 ++++++++++++++++++++++++++++ extra-x86_64/grep.install | 18 +++++++++++ 6 files changed, 240 insertions(+) Copied: grep/repos/extra-i686/CVE-2015-1345.patch (from rev 232430, grep/trunk/CVE-2015-1345.patch) =================================================================== --- extra-i686/CVE-2015-1345.patch (rev 0) +++ extra-i686/CVE-2015-1345.patch 2015-03-02 21:56:31 UTC (rev 232431) @@ -0,0 +1,58 @@ +From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001 +From: Yuliy Pisetsky <ypiset...@fb.com> +Date: Thu, 01 Jan 2015 23:36:55 +0000 +Subject: grep -F: fix a heap buffer (read) overrun + +grep's read buffer is often filled to its full size, except when +reading the final buffer of a file. In that case, the number of +bytes read may be far less than the size of the buffer. However, for +certain unusual pattern/text combinations, grep -F would mistakenly +examine bytes in that uninitialized region of memory when searching +for a match. With carefully chosen inputs, one can cause grep -F to +read beyond the end of that buffer altogether. This problem arose via +commit v2.18-90-g73893ff with the introduction of a more efficient +heuristic using what is now the memchr_kwset function. The use of +that function in bmexec_trans could leave TP much larger than EP, +and the subsequent call to bm_delta2_search would mistakenly access +beyond end of the main input read buffer. + +* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP, +do not call bm_delta2_search. +* tests/kwset-abuse: New file. +* tests/Makefile.am (TESTS): Add it. +* THANKS.in: Update. +* NEWS (Bug fixes): Mention it. + +Prior to this patch, this command would trigger a UMR: + + printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0) + + Use of uninitialised value of size 8 + at 0x4142BE: bmexec_trans (kwset.c:657) + by 0x4143CA: bmexec (kwset.c:678) + by 0x414973: kwsexec (kwset.c:848) + by 0x414DC4: Fexecute (kwsearch.c:128) + by 0x404E2E: grepbuf (grep.c:1238) + by 0x4054BF: grep (grep.c:1417) + by 0x405CEB: grepdesc (grep.c:1645) + by 0x405EC1: grep_command_line_arg (grep.c:1692) + by 0x4077D4: main (grep.c:2570) + +See the accompanying test for how to trigger the heap buffer overrun. + +Thanks to Nima Aghdaii for testing and finding numerous +ways to break early iterations of this patch. +--- +diff --git a/src/kwset.c b/src/kwset.c +index 4003c8d..376f7c3 100644 +--- a/src/kwset.c ++++ b/src/kwset.c +@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size) + if (! tp) + return -1; + tp++; ++ if (ep <= tp) ++ break; + } + } + } Copied: grep/repos/extra-i686/PKGBUILD (from rev 232430, grep/trunk/PKGBUILD) =================================================================== --- extra-i686/PKGBUILD (rev 0) +++ extra-i686/PKGBUILD 2015-03-02 21:56:31 UTC (rev 232431) @@ -0,0 +1,44 @@ +# $Id$ +# Maintainer: Sébastien Luttringer <se...@archlinux.org> +# Contributor: Allan McRae <al...@archlinux.org> +# Contributor: judd <jvi...@zeroflux.org> + +pkgname=grep +pkgver=2.21 +pkgrel=2 +pkgdesc='A string search utility' +arch=('i686' 'x86_64') +license=('GPL3') +url='http://www.gnu.org/software/grep/grep.html' +groups=('base' 'base-devel') +depends=('glibc' 'pcre') +makedepends=('texinfo') +install=$pkgname.install +validpgpkeys=('155D3FC500C834486D1EEA677FD9FCCB000BEEEE') # Jim Meyering +source=("ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz"{,.sig} + 'CVE-2015-1345.patch') +md5sums=('43c48064d6409862b8a850db83c8038a' + 'SKIP' + 'f9c8e95efcc1bd52d4af42cb4bff03aa') + + prepare() { + cd $pkgname-$pkgver + # fix CVE-2015-1345 + patch -Np1 < "${srcdir}/CVE-2015-1345.patch" + } + +build() { + cd $pkgname-$pkgver + ./configure --prefix=/usr --without-included-regex + make +} + +check() { + cd $pkgname-$pkgver + make check +} + +package() { + cd $pkgname-$pkgver + make DESTDIR=$pkgdir install +} Copied: grep/repos/extra-i686/grep.install (from rev 232430, grep/trunk/grep.install) =================================================================== --- extra-i686/grep.install (rev 0) +++ extra-i686/grep.install 2015-03-02 21:56:31 UTC (rev 232431) @@ -0,0 +1,18 @@ +infodir=usr/share/info +file=grep.info + +post_install() { + [[ -x usr/bin/install-info ]] || return 0 + install-info "$infodir/$file.gz" "$infodir/dir" 2> /dev/null +} + +post_upgrade() { + post_install "$1" +} + +pre_remove() { + [[ -x usr/bin/install-info ]] || return 0 + install-info --delete "$infodir/$file.gz" "$infodir/dir" 2> /dev/null +} + +# vim:set ts=2 sw=2 ft=sh et: Copied: grep/repos/extra-x86_64/CVE-2015-1345.patch (from rev 232430, grep/trunk/CVE-2015-1345.patch) =================================================================== --- extra-x86_64/CVE-2015-1345.patch (rev 0) +++ extra-x86_64/CVE-2015-1345.patch 2015-03-02 21:56:31 UTC (rev 232431) @@ -0,0 +1,58 @@ +From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001 +From: Yuliy Pisetsky <ypiset...@fb.com> +Date: Thu, 01 Jan 2015 23:36:55 +0000 +Subject: grep -F: fix a heap buffer (read) overrun + +grep's read buffer is often filled to its full size, except when +reading the final buffer of a file. In that case, the number of +bytes read may be far less than the size of the buffer. However, for +certain unusual pattern/text combinations, grep -F would mistakenly +examine bytes in that uninitialized region of memory when searching +for a match. With carefully chosen inputs, one can cause grep -F to +read beyond the end of that buffer altogether. This problem arose via +commit v2.18-90-g73893ff with the introduction of a more efficient +heuristic using what is now the memchr_kwset function. The use of +that function in bmexec_trans could leave TP much larger than EP, +and the subsequent call to bm_delta2_search would mistakenly access +beyond end of the main input read buffer. + +* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP, +do not call bm_delta2_search. +* tests/kwset-abuse: New file. +* tests/Makefile.am (TESTS): Add it. +* THANKS.in: Update. +* NEWS (Bug fixes): Mention it. + +Prior to this patch, this command would trigger a UMR: + + printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0) + + Use of uninitialised value of size 8 + at 0x4142BE: bmexec_trans (kwset.c:657) + by 0x4143CA: bmexec (kwset.c:678) + by 0x414973: kwsexec (kwset.c:848) + by 0x414DC4: Fexecute (kwsearch.c:128) + by 0x404E2E: grepbuf (grep.c:1238) + by 0x4054BF: grep (grep.c:1417) + by 0x405CEB: grepdesc (grep.c:1645) + by 0x405EC1: grep_command_line_arg (grep.c:1692) + by 0x4077D4: main (grep.c:2570) + +See the accompanying test for how to trigger the heap buffer overrun. + +Thanks to Nima Aghdaii for testing and finding numerous +ways to break early iterations of this patch. +--- +diff --git a/src/kwset.c b/src/kwset.c +index 4003c8d..376f7c3 100644 +--- a/src/kwset.c ++++ b/src/kwset.c +@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size) + if (! tp) + return -1; + tp++; ++ if (ep <= tp) ++ break; + } + } + } Copied: grep/repos/extra-x86_64/PKGBUILD (from rev 232430, grep/trunk/PKGBUILD) =================================================================== --- extra-x86_64/PKGBUILD (rev 0) +++ extra-x86_64/PKGBUILD 2015-03-02 21:56:31 UTC (rev 232431) @@ -0,0 +1,44 @@ +# $Id$ +# Maintainer: Sébastien Luttringer <se...@archlinux.org> +# Contributor: Allan McRae <al...@archlinux.org> +# Contributor: judd <jvi...@zeroflux.org> + +pkgname=grep +pkgver=2.21 +pkgrel=2 +pkgdesc='A string search utility' +arch=('i686' 'x86_64') +license=('GPL3') +url='http://www.gnu.org/software/grep/grep.html' +groups=('base' 'base-devel') +depends=('glibc' 'pcre') +makedepends=('texinfo') +install=$pkgname.install +validpgpkeys=('155D3FC500C834486D1EEA677FD9FCCB000BEEEE') # Jim Meyering +source=("ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz"{,.sig} + 'CVE-2015-1345.patch') +md5sums=('43c48064d6409862b8a850db83c8038a' + 'SKIP' + 'f9c8e95efcc1bd52d4af42cb4bff03aa') + + prepare() { + cd $pkgname-$pkgver + # fix CVE-2015-1345 + patch -Np1 < "${srcdir}/CVE-2015-1345.patch" + } + +build() { + cd $pkgname-$pkgver + ./configure --prefix=/usr --without-included-regex + make +} + +check() { + cd $pkgname-$pkgver + make check +} + +package() { + cd $pkgname-$pkgver + make DESTDIR=$pkgdir install +} Copied: grep/repos/extra-x86_64/grep.install (from rev 232430, grep/trunk/grep.install) =================================================================== --- extra-x86_64/grep.install (rev 0) +++ extra-x86_64/grep.install 2015-03-02 21:56:31 UTC (rev 232431) @@ -0,0 +1,18 @@ +infodir=usr/share/info +file=grep.info + +post_install() { + [[ -x usr/bin/install-info ]] || return 0 + install-info "$infodir/$file.gz" "$infodir/dir" 2> /dev/null +} + +post_upgrade() { + post_install "$1" +} + +pre_remove() { + [[ -x usr/bin/install-info ]] || return 0 + install-info --delete "$infodir/$file.gz" "$infodir/dir" 2> /dev/null +} + +# vim:set ts=2 sw=2 ft=sh et: