diff options
author | Vladimír Čunát <vcunat@gmail.com> | 2015-04-18 11:00:58 +0200 |
---|---|---|
committer | Vladimír Čunát <vcunat@gmail.com> | 2015-04-18 11:22:20 +0200 |
commit | bf414c9d4f892fd4e392a5f42016b57e84402a8b (patch) | |
tree | 08c000d609ed8e608ca542fa78360e4217f3fc36 /pkgs/tools/text/gnugrep | |
parent | 29901451700a7382f3f9d5a0a23cd55b187e5585 (diff) | |
parent | 9de9669496a05f64ea436c01f9b66c057cd74f90 (diff) |
Merge 'staging' into closure-size
- there were many easy merge conflicts
- cc-wrapper needed nontrivial changes
Many other problems might've been created by interaction of the branches,
but stdenv and a few other packages build fine now.
Diffstat (limited to 'pkgs/tools/text/gnugrep')
-rw-r--r-- | pkgs/tools/text/gnugrep/cve-2015-1345.patch | 60 | ||||
-rw-r--r-- | pkgs/tools/text/gnugrep/default.nix | 29 | ||||
-rw-r--r-- | pkgs/tools/text/gnugrep/test-localeconv.patch | 18 |
3 files changed, 79 insertions, 28 deletions
diff --git a/pkgs/tools/text/gnugrep/cve-2015-1345.patch b/pkgs/tools/text/gnugrep/cve-2015-1345.patch new file mode 100644 index 000000000000..7156f475e7e8 --- /dev/null +++ b/pkgs/tools/text/gnugrep/cve-2015-1345.patch @@ -0,0 +1,60 @@ +From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001 +From: Yuliy Pisetsky <ypisetsky@fb.com> +Date: Thu, 01 Jan 2015 23:36:55 +0000 +Subject: grep -F: fix a heap buffer (read) overrun + +grep's read buffer is often filled to its full size, except when +reading the final buffer of a file. In that case, the number of +bytes read may be far less than the size of the buffer. However, for +certain unusual pattern/text combinations, grep -F would mistakenly +examine bytes in that uninitialized region of memory when searching +for a match. With carefully chosen inputs, one can cause grep -F to +read beyond the end of that buffer altogether. This problem arose via +commit v2.18-90-g73893ff with the introduction of a more efficient +heuristic using what is now the memchr_kwset function. The use of +that function in bmexec_trans could leave TP much larger than EP, +and the subsequent call to bm_delta2_search would mistakenly access +beyond end of the main input read buffer. + +* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP, +do not call bm_delta2_search. +* tests/kwset-abuse: New file. +* tests/Makefile.am (TESTS): Add it. +* THANKS.in: Update. +* NEWS (Bug fixes): Mention it. + +Prior to this patch, this command would trigger a UMR: + + printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0) + + Use of uninitialised value of size 8 + at 0x4142BE: bmexec_trans (kwset.c:657) + by 0x4143CA: bmexec (kwset.c:678) + by 0x414973: kwsexec (kwset.c:848) + by 0x414DC4: Fexecute (kwsearch.c:128) + by 0x404E2E: grepbuf (grep.c:1238) + by 0x4054BF: grep (grep.c:1417) + by 0x405CEB: grepdesc (grep.c:1645) + by 0x405EC1: grep_command_line_arg (grep.c:1692) + by 0x4077D4: main (grep.c:2570) + +See the accompanying test for how to trigger the heap buffer overrun. + +Thanks to Nima Aghdaii for testing and finding numerous +ways to break early iterations of this patch. + +Nix: @vcunat restricted this to the runtime code only to avoid needing autoreconfiguration. +--- +diff --git a/src/kwset.c b/src/kwset.c +index 4003c8d..376f7c3 100644 +--- a/src/kwset.c ++++ b/src/kwset.c +@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size) + if (! tp) + return -1; + tp++; ++ if (ep <= tp) ++ break; + } + } + } diff --git a/pkgs/tools/text/gnugrep/default.nix b/pkgs/tools/text/gnugrep/default.nix index 2c5c54ddec78..e032c58acfd9 100644 --- a/pkgs/tools/text/gnugrep/default.nix +++ b/pkgs/tools/text/gnugrep/default.nix @@ -1,23 +1,20 @@ -{ stdenv, fetchurl, xz, pcre, libiconv ? null }: +{ stdenv, fetchurl, xz, pcre, libiconv }: -let version = "2.14"; in +let version = "2.21"; in stdenv.mkDerivation { name = "gnugrep-${version}"; src = fetchurl { url = "mirror://gnu/grep/grep-${version}.tar.xz"; - sha256 = "1qbjb1l7f9blckc5pqy8jlf6482hpx4awn2acmhyf5mv9wfq03p7"; + sha256 = "1pp5n15qwxrw1pibwjhhgsibyv5cafhamf8lwzjygs6y00fa2i2j"; }; - #outputs = [ "out" "doc" ]; ToDo - - buildInputs = [ pcre xz.bin ] - ++ stdenv.lib.optional (libiconv != null) libiconv; + patches = [ ./cve-2015-1345.patch ]; - patches = [ ./test-localeconv.patch ]; + #outputs = [ "out" "doc" ]; ToDo - NIX_LDFLAGS = stdenv.lib.optionalString (libiconv != null) "-L${libiconv}/lib -liconv"; + buildInputs = [ pcre xz.bin libiconv ]; doCheck = !stdenv.isDarwin; @@ -27,6 +24,18 @@ stdenv.mkDerivation { export MKDIR_P="mkdir -p" ''; + # Fix reference to sh in bootstrap-tools, and invoke grep via + # absolute path rather than looking at argv[0]. + postInstall = + '' + rm $out/bin/egrep $out/bin/fgrep + echo "#! /bin/sh" > $out/bin/egrep + echo "exec $out/bin/grep -E \"\$@\"" >> $out/bin/egrep + echo "#! /bin/sh" > $out/bin/fgrep + echo "exec $out/bin/grep -F \"\$@\"" >> $out/bin/fgrep + chmod +x $out/bin/egrep $out/bin/fgrep + ''; + meta = { homepage = http://www.gnu.org/software/grep/; description = "GNU implementation of the Unix grep command"; @@ -39,7 +48,7 @@ stdenv.mkDerivation { license = stdenv.lib.licenses.gpl3Plus; - maintainers = [ ]; + maintainers = [ stdenv.lib.maintainers.eelco ]; platforms = stdenv.lib.platforms.all; }; diff --git a/pkgs/tools/text/gnugrep/test-localeconv.patch b/pkgs/tools/text/gnugrep/test-localeconv.patch deleted file mode 100644 index f5efaf222217..000000000000 --- a/pkgs/tools/text/gnugrep/test-localeconv.patch +++ /dev/null @@ -1,18 +0,0 @@ ---- grep-2.14/gnulib-tests/test-localeconv.c.orig 2013-02-15 18:41:50.213433059 +0000 -+++ grep-2.14/gnulib-tests/test-localeconv.c 2013-02-15 18:50:33.964751303 +0000 -@@ -37,13 +37,13 @@ - - ASSERT (STREQ (l->decimal_point, ".")); - ASSERT (STREQ (l->thousands_sep, "")); --#if !defined __FreeBSD__ -+#if !(defined __FreeBSD__ || defined __sun) - ASSERT (STREQ (l->grouping, "")); - #endif - - ASSERT (STREQ (l->mon_decimal_point, "")); - ASSERT (STREQ (l->mon_thousands_sep, "")); --#if !defined __FreeBSD__ -+#if !(defined __FreeBSD__ || defined __sun) - ASSERT (STREQ (l->mon_grouping, "")); - #endif - ASSERT (STREQ (l->positive_sign, "")); |