grep <2.11 is vulnerable to "Arbitrary command execution"

Bug #1091473 reported by Joshua Rogers
Affects          Status        Importance  Assigned to  Milestone
grep (Ubuntu)    Fix Released  Undecided   Unassigned
Hardy            Won't Fix     Undecided   Unassigned
Lucid            Won't Fix     Undecided   Unassigned
Oneiric          Won't Fix     Undecided   Unassigned
Precise          Won't Fix     Undecided   Unassigned
Quantal          Fix Released  Undecided   Unassigned
Raring           Fix Released  Undecided   Unassigned

Bug Description

grep <2.11 is vulnerable to a command execution vulnerability, and it is not possible to patch it unless you build the source directly from the git repo.

Ubuntu 12.04 (and everything else, I would assume) uses version 2.10 of grep. It is not possible to upgrade without downloading the src and building it yourself.

PoC:

perl -e 'print "x"x(2**31)' | grep x > /dev/null

This is the grep NEWS entry for this:

 * Noteworthy changes in release 2.11 (2012-03-02) [stable]

  ** Bug fixes

    grep no longer dumps core on lines whose lengths do not fit in 'int'.
    (e.g., lines longer than 2 GiB on a typical 64-bit host).
    Instead, grep either works as expected, or reports an error.
    An error can occur if not enough main memory is available, or if the
    GNU C library's regular expression functions cannot handle such long lines.
    [bug present since "the beginning"]

Solution: Send out a grep update with at least 2.11 grep from http://git.sv.gnu.org/cgit/grep.git

Full PoC of actually "abusing" this vulnerability (ls -la within grep) can be provided, if 100% needed.
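A defender-side check that goes with the "Solution" line above and the NEWS entry it quotes: a small POSIX shell script, added here as an example (it is not part of the bug report, of Ubuntu's packaging, or of grep itself), that reads `grep --version` and reports whether the installed grep predates 2.11, the first release whose NEWS says lines longer than `int` no longer crash it. The function names version_lt, grep_version_from_line and grep_is_fixed are this example's own, and it assumes GNU grep's version-line format ("grep (GNU grep) 2.10"); any other grep is reported as unknown rather than guessed.

```sh
#!/bin/sh
# Added example (not part of the bug report or of grep): report whether the
# installed grep predates 2.11, the release whose NEWS entry says lines longer
# than 'int' no longer crash it. Function names are this example's own.

# version_lt A B: succeed (0) if dotted version A sorts strictly before B.
# Components are compared numerically; a Debian-style suffix such as "-1"
# on a component is ignored, and missing components count as 0.
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
        ai=${ai%%[!0-9]*}      # "10-1" -> "10"
        bi=${bi%%[!0-9]*}
        ai=${ai:-0}
        bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# grep_version_from_line LINE: print the version found on the first line of
# 'grep --version'. GNU grep prints it last ("grep (GNU grep) 2.10"), so the
# last whitespace-separated word is taken; any other format yields a
# non-numeric string that the caller treats as unknown.
grep_version_from_line() {
    printf '%s\n' "${1##* }"
}

# grep_is_fixed [GREP]: run the given grep (default: the one in PATH) and
# return 0 if it is 2.11 or later, 1 if it is older, 2 if the version could
# not be determined (no such binary, or not GNU grep's output format).
grep_is_fixed() {
    g=${1:-grep}
    line=$("$g" --version 2>/dev/null | head -n 1)
    v=$(grep_version_from_line "$line")
    case $v in
        [0-9]*) ;;
        *) echo "$g: could not determine version from: '$line'" >&2; return 2 ;;
    esac
    if version_lt "$v" 2.11; then
        echo "$g is version $v: before 2.11, oversized lines can crash it; upgrade"
        return 1
    fi
    echo "$g is version $v: 2.11 or later, long-line fix present"
    return 0
}

# Stand-alone use: sh check_grep.sh [path-to-grep]
# The result is kept in $rc (0 fixed, 1 older than 2.11, 2 unknown).
rc=0
grep_is_fixed "${1:-grep}" || rc=$?
```

On a 12.04 host with the stock 2.10 package this prints the "before 2.11" line and sets rc=1; on 12.10 or later it reports the fix present. The version comparison deliberately ignores the Debian revision (2.11-1 compares equal to 2.11), because the upstream number is what the NEWS entry keys on.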

CVE References

information type: Private Security → Public Security
Karma Dorje (taaroa)
Changed in grep (Ubuntu):
status: New → Confirmed
Seth Arnold (seth-arnold) wrote :

Thanks Joshua,

Kurt Seifried has expressed an interest in a reproducer, so if you have one available, please do attach it.

Joshua Rogers (megamansec) wrote :

perl -e 'print "x"x(2**31)' | grep x > /dev/null

just run that
if that's what you mean by a "reproducer"

Karma Dorje (taaroa) wrote :

Joshua Rogers
> Full PoC of actually "abusing" this vulnerability (ls -la within grep) can be provided, if 100% needed.
We need it (full PoC).

Karma Dorje (taaroa)
tags: added: precise upgrade-software-version
Joshua Rogers (megamansec) wrote :

After more analysis, it may not be vulnerable to command execution.
Not sure.

Joshua Rogers (megamansec) wrote :

Under MORE analysis, it does appear to allow command execution, but I can't get the ls -la working.
I'm a noob at asm.

Jamie Strandboge (jdstrand) wrote :

This was fixed in 2.11-1, so Ubuntu 12.10 and 13.04 are not affected.

Changed in grep (Ubuntu Lucid):
status: New → Triaged
Changed in grep (Ubuntu Oneiric):
status: New → Triaged
Changed in grep (Ubuntu Precise):
status: New → Triaged
Changed in grep (Ubuntu Hardy):
status: New → Triaged
Changed in grep (Ubuntu Quantal):
status: New → Fix Released
Changed in grep (Ubuntu Raring):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. hardy has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against hardy is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in grep (Ubuntu Hardy):
status: Triaged → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against oneiric is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in grep (Ubuntu Oneiric):
status: Triaged → Won't Fix
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in grep (Ubuntu Lucid):
status: Triaged → Won't Fix
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in grep (Ubuntu Precise):
status: Triaged → Won't Fix