Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: opu

A security issue is open in squeeze (bug #701897). It is not an urgent problem but, as suggested by the security team, it would be good to solve it.

I have to say that I've been unable to reproduce this bug in different scenarios, including my amd64 running squeeze. However, this bug has been confirmed by upstream and several distributions.

The proposed change is a simple solution, limiting the length of the input line, and it shouldn't have side effects.

Proposed patch attached. May I go ahead?

Cheers,

Santiago

-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_ES.utf8, LC_CTYPE=es_ES.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff --git a/debian/changelog b/debian/changelog index b94f84e..09ce4a5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +grep (2.6.3-3+squeeze1) oldstable; urgency=low + + * Fixes CVE-2012-5667. Patch by Jaroslav Škarvada + https://bugzilla.redhat.com/show_bug.cgi?id=889935 + Closes: #701897 + + -- Santiago Ruano Rincón <santi...@debian.org> Thu, 25 Jul 2013 10:13:24 +0200 + grep (2.6.3-3) unstable; urgency=high * Ignore MMAP_OPTION diff --git a/debian/patches/85-CVE-2012-5667.patch b/debian/patches/85-CVE-2012-5667.patch new file mode 100644 index 0000000..dfaf9e8 --- /dev/null +++ b/debian/patches/85-CVE-2012-5667.patch @@ -0,0 +1,14 @@ +--- grep-2.6.3/src/main.c.orig 2013-01-24 10:01:14.000000000 +0100 ++++ grep-2.6.3/src/main.c 2013-01-24 10:06:11.040824147 +0100 +@@ -479,6 +479,11 @@ fillbuf (size_t save, struct stats const + int cc = 1; + char *readbuf; + size_t readsize; ++ const size_t max_save = INT_MAX / 2; ++ ++ /* Limit the amount of saved data to INT_MAX to fix CVE-2012-5667 */ ++ if (save > max_save) ++ error (2, 0, _("line too long")); + + /* Offset from start of buffer to start of old stuff + that we want to save. */ diff --git a/debian/patches/series b/debian/patches/series index cecdc61..c0389ca 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,3 +6,4 @@ 04-446854-grep.1.patch 05-kwset.c.patch 06-578709-ignore-MMAP_OPTION.patch +85-CVE-2012-5667.patch \ No newline at end of file
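Review bot: In debian/changelog, the new entry says only "Fixes CVE-2012-5667" and does not say what changes for users: with this patch grep calls error (2, 0, _("line too long")) once the saved data exceeds INT_MAX / 2, so it exits with status 2 on such input. Suggest adding a line to the entry that names the new patch file (85-CVE-2012-5667.patch) and states that behaviour, so the entry can be read without following the Red Hat bugzilla link.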
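Review bot: In the fillbuf hunk of debian/patches/85-CVE-2012-5667.patch, the added comment says the saved data is limited to INT_MAX, but the bound actually enforced is max_save = INT_MAX / 2. Suggest making the comment state the real limit and why half of INT_MAX is used. The patch file also starts directly at the "--- grep-2.6.3/src/main.c.orig" line with no header, so the author and origin URL are recorded only in the changelog; a short description and origin header in the patch itself would keep that information with the change. The context lines do not show whether main.c already includes the header that defines INT_MAX, which is worth confirming with a build on squeeze.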
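Review bot: In debian/patches/series, the added line 85-CVE-2012-5667.patch is followed by "\ No newline at end of file", so the series file ends without a trailing newline. Suggest terminating that last line with a newline, so that a later entry appended to the file cannot end up joined to this one and the next diff against the file touches only the line it adds.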