NetBSD Security Advisory 2013-004: Vulnerabilities in grep

[NetBSD Security Officer <security-officer%NetBSD.org@localhost>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2013-004
                 =================================

Topic:          Vulnerabilities in grep

Version:        NetBSD-current:         affected prior to Jan 5th, 2013
                NetBSD 6.0.*:           affected
                NetBSD 6.0:             affected
                NetBSD 5.2.*:           affected
                NetBSD 5.1.*:           affected
                NetBSD 5.0.*:           affected
                pkgsrc:                 textproc/grep prior to 2.13


Severity:       Arbitrary Code Execution

Fixed:          NetBSD-current:         Jan 5th, 2013
                NetBSD-6-0 branch:      Jan 13th, 2013
                NetBSD-6 branch:        Jan 13th, 2013
                NetBSD-5-2 branch:      Jan 13th, 2013
                NetBSD-5-1 branch:      Jan 13th, 2013
                NetBSD-5-0 branch:      Jan 13th, 2013
                NetBSD-5 branch:        Jan 13th, 2013
                pkgsrc textproc/grep:   grep-2.13 corrects this issue

Please note that NetBSD releases prior to 5.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Multiple integer overflows in GNU Grep before 2.11 might allow
context-dependent attackers to execute arbitrary code via vectors
involving a long input line that triggers a heap-based buffer overflow.

This vulnerability has been assigned CVE-2012-5667.


Technical Details
=================

See http://openwall.com/lists/oss-security/2012/12/22/6
The PCRE aspect of the vulnerability does not apply to NetBSD.


Solutions and Workarounds
=========================

Workaround:

Don't run grep against files of dubious provenance with lines of 2 GB,
or longer.

Fix:

Replace grep with a fixed version.

The fastest method to do that is to obtain a base.tgz matching
your system from http://nyftp.netbsd.org/pub/NetBSD-daily/ 
dated 20130114 or later, and to extract ./usr/bin/egrep,
./usr/bin/fgrep and ./usr/bin/grep as well as ./rescue/egrep,
./rescue/fgrep and ./rescue/grep from it.


The following instructions describe how to upgrade your grep
binaries by updating your source tree and rebuilding and
installing a new version of grep.

        The following files contain the fix:

        gnu/dist/grep/lib/getopt.c
        gnu/dist/grep/lib/regex.c
        gnu/dist/grep/src/ansi2knr.c
                HEAD            1.2
                netbsd-6        1.1.1.1.56.1
                netbsd-6-0      1.1.1.1.62.1
                netbsd-5        1.1.1.1.38.1
                netbsd-5-2      1.1.1.1.64.1
                netbsd-5-1      1.1.1.1.46.1
                netbsd-5-0      1.1.1.1.42.1
        gnu/dist/grep/src/dfa.c 
                HEAD            1.3
                netbsd-6        1.2.56.1
                netbsd-6-0      1.2.62.1
                netbsd-5        1.2.38.1
                netbsd-5-2      1.2.64.1
                netbsd-5-1      1.2.46.1
                netbsd-5-0      1.2.42.1
        gnu/dist/grep/src/grep.c
                HEAD            1.14
                netbsd-6        1.13.8.1
                netbsd-6-0      1.13.14.1
                netbsd-5        1.12.4.1
                netbsd-5-2      1.12.2.1
                netbsd-5-1      1.12.12.1
                netbsd-5-0      1.12.8.1
        gnu/dist/grep/src/search.c
                HEAD            1.4
                netbsd-6        1.3.20.1
                netbsd-6-0      1.3.26.1
                netbsd-5        1.3.4.1
                netbsd-5-2      1.3.28.1
                netbsd-5-1      1.3.12.1
                netbsd-5-0      1.3.8.1

        To update from CVS, re-build, and re-install grep:
                # cd src
                # cvs update -d -P gnu/dist/grep
                # cd gnu/usr.bin/grep
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../../../usr.bin/ldd
                # make USETOOLS=no cleandir dependall
                # cd ../../rescue
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


Thanks To
=========

Joshua Rogers for identifying the problem in GNU grep.
Ignatios Souvatzis and Alan Barrett for collaborating on a GPLv2 fix.


Revision History
================

        2013-02-26      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2013-004.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2013, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2013-004.txt,v 1.1 2013/02/26 19:45:50 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (NetBSD)

iQIcBAEBAgAGBQJRLRIBAAoJEAZJc6xMSnBuo0oQAKwd6+VU7q/XNA+GIh9yyn/a
rXy0VmPx3uUQuMCdrzOmcXzyW9RzW9Gskv1Xgzo1T+HrTc7iQ9LMWtQfZSwPSYVk
DEecyvIyAjeoEc4Ticbz2I0DxC0uRCDmMd2KhKQz/2C7XD6hUcDoVChUimNAeBxj
l84VNPnyUzf3n2osaVA+1VRghsO1ITrF+c4Fxz1b1fX3C6wCOvi834BzEQGBH/LI
o3nzsyC2w+0WiK0be3Nvt4dChlPNM7uiEqjS5833Zp3LauAxgKGhuQpsc34PL2V9
pA1chFw2Iay4Px1keYAczCbrmKHbGCZpO2WcGpiqW2Xe9S/yMiwGKN2MH3cTOVrm
V6bz9UdyzfMz/TAlXwqC00c3AQ66FFXkNlHkdi6V5l3ZkLEKAxsZhtUziJxev3m9
E6/XZOT0BPggiG7+edJN6HgfzOGZZgonssUGXjjxk/R2Cu6HInbQ8jrcUaHdTOYR
W+zRuCLU21klZWUZTqSLPH/csEq1q2dyWLkkP8HdveVlg/VzD4cpb+mAaAWa9iHD
6cEPNswYFqrpVneHUaeFdPe1mKTXfesOwxi6aHvQojZHnEiCdihvjSd28S+303po
5k3DQQiZYjFlzvHhXjXFGw9YgiXS3id/uEnm5aIJ505uZ7W0IzZuyfm0z5o7qqGj
a7cXpgp2M9dYialzRVlE
=3W1g
-----END PGP SIGNATURE-----